Benoit Tellier created JAMES-4132:
-------------------------------------

             Summary: Incoming SMTP: limit header size
                 Key: JAMES-4132
                 URL: https://issues.apache.org/jira/browse/JAMES-4132
             Project: James Server
          Issue Type: Improvement
          Components: SMTPServer
    Affects Versions: master
            Reporter: Benoit Tellier
             Fix For: 3.9.0


h3. Context

The processing of large amounts of headers is known to cause problems in the mail 
community.

Cf. https://www.cve.org/CVERecord?id=CVE-2024-23184

Processing 500,000 headers can result in 32s delays in earlier versions of 
Dovecot.

Apache James does not limit header size prior to processing.

Apache James is significantly more efficient at handling large amounts of headers, 
and we were able to process 10MB emails consisting only of headers in a subsecond 
fashion.

Yet offering options for limiting received header sizes would be an appreciable 
feature.

h3. How?

I would like the James project to ship tools to enforce protective measures and 
be able to enforce a configurable maximum size of headers of incoming emails, 
say 64KB. We can also limit the count of headers; 500 seems like a common 
practice.

I propose to implement an EnforceHeaderLimitationsMessageHook implementing 
JamesMessageHook within 
server/protocols/protocols-smtp/src/main/java/org/apache/james/smtpserver.

Example setup:

{code:xml}
<smtpservers>
    <smtpserver enabled="true">
        <handlerchain>
            <handler class="org.apache.james.smtpserver.EnforceHeaderLimitationsMessageHook">
                <maxLines>500</maxLines>
                <maxSize>64KB</maxSize>
            </handler>
            <handler class="org.apache.james.smtpserver.CoreCmdHandlerLoader"/>
        </handlerchain>
    </smtpserver>
</smtpservers>
{code}

Iterate all header lines and verify the two aforementioned limits.

If not exceeded, DECLINE will allow processing of the mail to continue.

If exceeded, reject the mail:

{code}
552 Too many header lines
552 Header size too large
{code}
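Added example, not part of the issue and not Apache James code: a stand-alone Python model of the two checks proposed above, applied to the header section of a raw RFC 5322 message. The `HookResult` type, the `parse_size` helper, the `build_message` function and the sample messages are this example's own inventions; the defaults (500 lines, 64KB) and the two 552 replies are the ones the issue proposes. Acceptance is modelled as a plain boolean standing in for the hook chain's DECLINE, and the check stops reading as soon as either limit is crossed, so a hostile header block is never buffered in full.

```python
"""Stand-alone model of the proposed header-limit check.

Added example; it is not Apache James code and does not use the
JamesMessageHook API. It applies the two checks the issue proposes
(maximum header line count, maximum header size in bytes) to the
header section of a raw RFC 5322 message, returning early so that
an oversized header block is never read or buffered in full.
"""
import io
from dataclasses import dataclass
from typing import Optional

# Assumed defaults, taken from the values the issue suggests.
DEFAULT_MAX_LINES = 500
DEFAULT_MAX_SIZE = "64KB"

_UNITS = {"": 1, "B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


def parse_size(text: str) -> int:
    """Parse a size such as '64KB' into bytes (hypothetical helper, binary units)."""
    text = text.strip().upper()
    digits = text.rstrip("BKMG")
    unit = text[len(digits):]
    if not digits.isdigit() or unit not in _UNITS:
        raise ValueError(f"bad size: {text!r}")
    return int(digits) * _UNITS[unit]


@dataclass(frozen=True)
class HookResult:
    """Outcome of the check: accepted=True stands for DECLINE (let the chain go on)."""
    accepted: bool
    smtp_code: Optional[int] = None
    smtp_text: Optional[str] = None


def enforce_header_limits(raw: bytes,
                          max_lines: int = DEFAULT_MAX_LINES,
                          max_size: str = DEFAULT_MAX_SIZE) -> HookResult:
    max_bytes = parse_size(max_size)
    line_count = 0
    byte_count = 0
    # BytesIO yields one physical line at a time, terminator included, so a
    # folded header (continuation line starting with whitespace) counts as an
    # extra line: the limit is on lines on the wire, which is what costs I/O.
    for line in io.BytesIO(raw):
        if line in (b"\r\n", b"\n"):
            break  # empty line: end of the header section, body is not inspected
        line_count += 1
        byte_count += len(line)
        # Check on every line so the mail is rejected as soon as a limit is
        # crossed, without reading the remainder of the header block.
        if byte_count > max_bytes:
            return HookResult(False, 552, "Header size too large")
        if line_count > max_lines:
            return HookResult(False, 552, "Too many header lines")
    return HookResult(True)


def build_message(header_lines, body: str = "hello") -> bytes:
    """Assemble a constructed RFC 5322 message with CRLF line endings."""
    head = "\r\n".join(header_lines)
    return f"{head}\r\n\r\n{body}\r\n".encode()


# Constructed samples, not captured traffic.
SAMPLE_OK = build_message([
    "From: alice@example.com",
    "To: bob@example.com",
    "Subject: a folded",
    "\tsubject line",
])
SAMPLE_TOO_MANY = build_message([f"X-Pad-{i}: x" for i in range(501)])
SAMPLE_TOO_BIG = build_message(["X-Pad: " + "a" * 70_000])


if __name__ == "__main__":
    for name, msg in [("ok", SAMPLE_OK), ("too many", SAMPLE_TOO_MANY),
                      ("too big", SAMPLE_TOO_BIG)]:
        print(name, enforce_header_limits(msg))
```

Because the size is accumulated per line, a single 70,000-byte header line is rejected on that line, and 501 short lines are rejected on the 501st; in both cases the body after the blank separator is never touched.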


