[
https://issues.apache.org/jira/browse/JAMES-4032?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Benoit Tellier closed JAMES-4032.
---------------------------------
Resolution: Fixed
> Improve external forward handling
> ---------------------------------
>
> Key: JAMES-4032
> URL: https://issues.apache.org/jira/browse/JAMES-4032
> Project: James Server
> Issue Type: Improvement
> Components: RRT
> Affects Versions: 3.8.1
> Reporter: Benoit Tellier
> Priority: Major
> Fix For: 3.9.0
>
> Attachments: image-2024-04-26-12-03-58-932.png,
> image-2024-04-26-12-04-10-017.png, image-2024-04-26-12-13-43-910.png,
> image-2024-04-26-12-14-35-358.png
>
> Time Spent: 2h 20m
> Remaining Estimate: 0h
>
> Email deliverability is a tricky topic and yesterday I got one more example
> for this...
> (The trick is to de able to improve deliverability while still being secure)
> h3. The issue
> The overall scenario outline is:
> {code:java}
> GIVEN two local users [email protected] and [email protected] on a james based
> instalation
> AND [email protected] on another email supplier
> AND [email protected] forwards its mail to [email protected].
> AND this server preserves and resend as is the SMTP transport envelope
> WHEN [email protected] sends an email to [email protected]
> THEN james server rejects the incoming mail from external.org as it requires
> authentication
> to use local addresses in MAIL FROM
> AND a bounce would be generated by external.org for the original sender as
> the email could not be forwarded.
> {code}
> Example of such "external mail providers": orange.fr SFR professional
> services.
> See fwd1.png
> !image-2024-04-26-12-04-10-017.png!
> h3. Why authentication is currently required in such cases
> In order to maximise delivrability, James accepts any email for local users
> on port 25 (spam filtering may be applied as part of the reception chain)
> However a common attack is email spoofing: a remote attacker with not
> whatsoever access sends an email pretending to be a local user. Without
> further checks he could submit email as a local user without being
> authenticated.
> To prevent this behaviour James implements `verifySenderIdentity`
> configuration parameter in smtpServer.xml configuration file. If using a
> local mail from the current behaviour is to actualy mandate authentication.
> Anybody else than the user could thus NOT be using this MAIL FROM.
> This prevents the following schario: fwd2.png
> !image-2024-04-26-12-03-58-932.png!
> However this causes the issue discussed above.
> h3. Related deliverability concerns
> h4. Receiving external forwards orginating from external mail servers
> [email protected] sends a mail to [email protected] which forwards mails
> as described above to [email protected].
> On the last hop james accepts the email as the MAIL FROM ([email protected])
> is a remote one: verifySenderIdentity is not triggered for external senders.
> On the spam filtering side:
> - SPF checks fails (as external2.org did send a mail in external1.org name
> which it is not allowed to do
> - But DKIM tests pass
> - Which should be enough for the spam filtering stack not to flag the
> message too violently...
> This current behaviour is considered lenient enough. White listing could
> further be added for trusted domains if need be.
> h4. Handling correctly forwards emition
> We tackled the very same issue on the emition side: the goal was to improve
> james forwarded email deliverability.
> GIVEN [email protected] forwards its email to [email protected]
> WHEN [email protected] sends a mail to [email protected]
> THEN me.org would rewrite the MAIL FROM field and use [email protected] when
> forwarding to [email protected]
> Thus SPF check passes.
> See https://issues.apache.org/jira/browse/JAMES-3944
> h3. Proposed solution
> We could experiment turning off sender verification hop on MAIL FROM
> Instead we would verify the DKIM signature of the email before spooling it.
> That way:
> - We would have signed legitimate traffic forwarded back to us and would
> accept it
> !image-2024-04-26-12-14-35-358.png!
> - And we would still reject spoofing attempts as an attacker cant craft a
> DKIM signature.
> !image-2024-04-26-12-13-43-910.png!
> GIVEN that dkim signature of outgoing email is not setted up by default this
> behaviour shall be disabled by default.
> h3. Proposed changes
> Implement a VerifySenderIdentity SMTP message hook that:
> GIVEN an unauthenticated sender
> It performs a verification of non relaying (ie all rcpts are local)
> And would verify the DKIM signature of the mail.
> Path to the DKIM public key needs to be provided.
> This shall be contributed as part of the DKIM extention.
> h3. Additional concerns
> Given the Mail Exchange service (MX) and Mail Submission Agent (MSA) being
> collocated - the default james architecture,
> Then a common misconfiguration is not to configure TLS for SMTP and just have
> regular users just try to send mails unauthenticated through SMTP.
> This behaviour is classical from MacOS native client.
> Current `verifySenderIdentity` behavior rejects such misconfigured client
> from the MAIL FROM. Which is convenient. Fail fast:
> - The error is more explicit: AUthentication required
> - No message payload had been transfered.
> Ideally we would like to preserve this behaviour.
> The way to achieve this would be to have a "relaxed" mode to
> verifySenderIdentity instead of "strict" and "disabled"
> This relaxed mode would enforce the current behaviour if it determise the
> other party to be a MX. We can base ourselves on the structure of the EHLO
> sent: is this a valid domain?
> - If the heuristic determines this is a MX we accept the mail that would be
> dkim tested
> - if the heuristic fails, we reject the mail from this step as today as non
> MX clients are misconfigured local users.
> Note that classifying a local user (heuristic false positive) only delay the
> inevitable error: acceptable, and a heuristic false negative is no worse than
> the current issue described.
> The configuration of verifySenderIdentity would then accept the following
> value:
> - true. Unchanged existing option. Verify strictly the sender identity. Same
> as strict.
> - false. Unchanged existing option. Do not verify sender identity at all.
> Same as disabled.
> - strict. Verify strictly the sender identity. Same as true.
> - disabled. Verify strictly the sender identity. Same as false.
> - relaxed. Verify strictly the sender identity if the remote party is
> determined to not be a MX. Same as false. Further checks are required, like
> inspecting DKIM signing, in order to prevent spoofing.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
