[ 
https://issues.apache.org/jira/browse/JAMES-4132?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Benoit Tellier closed JAMES-4132.
---------------------------------
    Resolution: Fixed

> Incoming SMTP: limit header size
> --------------------------------
>
>                 Key: JAMES-4132
>                 URL: https://issues.apache.org/jira/browse/JAMES-4132
>             Project: James Server
>          Issue Type: Improvement
>          Components: SMTPServer
>    Affects Versions: master
>            Reporter: Benoit Tellier
>            Priority: Major
>             Fix For: 3.9.0
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> h3. Context
> The processing of large amounts of headers is known to cause problems in the 
> mail community.
> CF https://www.cve.org/CVERecord?id=CVE-2024-23184
> Processing 500,000 headers can result in 32s delays in earlier versions of 
> Dovecot.
> Apache James does not limit header size prior to processing. 
> Apache James is significantly more efficient at handling large amounts of 
> headers, and we were able to process 10MB emails of only headers in a 
> subsecond fashion.
> Yet offering options for limiting received header sizes would be an 
> appreciable feature.
> h3. How ?
> I would like the James project to ship tools to enforce protective measures 
> and be able to enforce a configurable maximum size of headers of incoming 
> emails. Say 64KB. We can also limit the count of headers. 500 seems like a 
> common practice.
> I propose to implement an EnforceHeaderLimitationsMessageHook implementing 
> JamesMessageHook within 
> server/protocols/protocols-smtp/src/main/java/org/apache/james/smtpserver.
> Example setup:
> {code:xml}
> <smtpservers>
>     <smtpserver enabled="true">
>         <handlerchain>
>             <handler 
> class="org.apache.james.smtpserver.EnforceHeaderLimitationsMessageHook">
>                 <maxLines>500</maxLines>
>                 <maxSize>64KB</maxSize>
>             </handler>
>             <handler 
> class="org.apache.james.smtpserver.CoreCmdHandlerLoader"/>
>         </handlerchain>
>     </smtpserver>
> </smtpservers>
> {code}
> Iterate over all header lines and verify the two aforementioned limits.
> If not exceeded, DECLINE will allow processing of the mail to continue.
> If exceeded, reject the mail:
> {code:java}
> 552 Too many header lines
> 552 Header size too large
> {code}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
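
The check sketched in the issue (count header lines, count header bytes, stop and reject with a 552 at the first violation, otherwise DECLINE), written out as an added example. This is not the project's hook and not code from the issue; it is a stand-alone Python rendering of the same logic so it can be run without James. The function names (parse_size, check_header_limits), the DECLINE-as-None convention and the sample messages are all assumptions made here; the 552 reply texts and the 500 / 64KB defaults are the ones proposed above. Every physical line before the first empty line counts, so folded continuation lines count as header lines too, and the scan stops as soon as a limit is crossed so a multi-megabyte header block is never read to the end.

```python
"""Header-limit check for incoming SMTP messages (added example, not James code)."""
import re

# Hook outcomes, mirroring the reply codes proposed in the issue.
DECLINE = None                                 # limits respected: let later hooks run
TOO_MANY_LINES = "552 Too many header lines"
TOO_LARGE = "552 Header size too large"

# Size syntax assumed for the example: "64KB", "1M", "4096".
_SIZE_RE = re.compile(r"^\s*(\d+)\s*([KMG]?B?)\s*$", re.IGNORECASE)
_UNIT = {"": 1, "B": 1, "K": 1024, "KB": 1024, "M": 1024 ** 2, "MB": 1024 ** 2,
         "G": 1024 ** 3, "GB": 1024 ** 3}


def parse_size(text):
    """Parse a size such as '64KB', '1M' or '4096' into a byte count."""
    m = _SIZE_RE.match(text)
    if not m:
        raise ValueError("bad size: %r" % text)
    return int(m.group(1)) * _UNIT[m.group(2).upper()]


def check_header_limits(raw, max_lines=500, max_size="64KB"):
    """Enforce both limits on the header block of a raw message.

    raw is the message as bytes (CRLF or bare LF line endings).  Every
    physical line before the first empty line is a header line, so folded
    continuation lines count; the size is the number of bytes consumed,
    line terminators included.  Returns DECLINE (None) when both limits hold
    and the 552 reply string otherwise.  The scan stops at the first
    violation, so a huge header block is never read in full.
    """
    max_bytes = parse_size(max_size)
    lines = 0
    consumed = 0
    pos = 0
    total = len(raw)
    while pos < total:
        nl = raw.find(b"\n", pos)
        end = total if nl == -1 else nl + 1    # end of this physical line
        line = raw[pos:end]
        pos = end
        if line.rstrip(b"\r\n") == b"":
            return DECLINE                      # empty line ends the header block
        lines += 1
        consumed += len(line)
        if lines > max_lines:
            return TOO_MANY_LINES
        if consumed > max_bytes:
            return TOO_LARGE
    return DECLINE   # no separator at all: the whole input was header and within limits


def build_message(header_count, value_len):
    """Construct a test message (constructed sample, not captured traffic)."""
    header = b"".join(b"X-Filler-%d: %s\r\n" % (i, b"a" * value_len)
                      for i in range(header_count))
    return header + b"\r\nbody\r\n"


if __name__ == "__main__":
    normal = b"From: alice@example.com\r\nSubject: hi\r\n\r\nhello\r\n"
    print("normal       ->", check_header_limits(normal))
    print("501 headers  ->", check_header_limits(build_message(501, 4)))
    print("1 x 100KB    ->", check_header_limits(build_message(1, 100 * 1024)))
    print("1 x 100KB/1M ->", check_header_limits(build_message(1, 100 * 1024),
                                                 max_size="1M"))
```

The line counter is incremented before the size counter is compared, so a header block that breaks both limits on the same line reports the line-count violation; swap the two checks if the size reply is preferred. Counting physical lines rather than parsed header fields is the conservative choice: a single folded header with thousands of continuation lines costs the parser as much as thousands of short headers.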

---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscr...@james.apache.org
For additional commands, e-mail: server-dev-h...@james.apache.org