Hi! Coming back from vacations, thus catch up is slow...
On 05/08/2019 20:54, Matt Pryor wrote:
> Hi there
>
> In our smtpserver.xml config we have relaying to outside domains restricted
> to two IP addresses with the authorizedAddresses tag. The authRequired tag
> is still commented out as per the default, which from reading the comments
> means that it's set to true (I think).

The default is 'false': do not require authentication in order to receive other people's emails. If setting this to false you will (for instance) no longer receive GMail mails.

http://james.apache.org/server/config-smtp-lmtp.html contains a (lengthy?) explanation of this setting, which is also relatively explicit with https://github.com/apache/james-project/blob/master/server/app/src/main/resources/smtpserver.xml default configuration.

Anyway, we may need to explicitly specify the default value (what we do for newly written conf).

>
> Last week someone managed to guess the password for one of our mail
> accounts on James (admittedly the password wasn't very secure, so lesson
> learned there). After that they were able to use our mail server to relay
> thousands and thousands of spam emails. Reinstalling everything and setting
> the password to something more secure has stopped this for the time being
> but it's not a long term solution.
>
> I wanted to check before going ahead that if I explicitly set authRequired
> to false, will this prevent anyone from logging in using AUTH LOGIN? I am
> hoping this will mean that only the IPs specified in authorizedAddresses
> will be able to relay to the outside world and AUTH LOGIN will always fail
> - I noticed that if I set it to false it still sends the prompt for a
> username so wanted to check.

To prevent logging, you can write a handler chain that does not contain the "AuthCmdHandler", which would of course be a good choice for a MX (dropping MTA capability).

Look at the "CoreCmdHandlerLoader" commodity handler for the exhaustive list.

>
> A bit more explanation of how these two work together would be really
> great. It would also be nice to find a way to get rid of these persistent
> attempts to log in:
>
> Id='-1423500801' User='' AUTH method LOGIN failed from bi...@xxxxxx.com@
> 92.118.38.50
>
> (We get these about every 4 seconds, always from different IP addresses and
> always trying different usernames).

cryptearth's suggestions are good for securing a MTA, nothing to add.

>
> Thanks in advance!
>
> Matt
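
An added example (not part of the original message, and not James code): a small Python check over log lines of the "AUTH method LOGIN failed from user@ip" shape quoted above. It shows why a per-IP threshold stays silent against the pattern described (a new address and username every 4 seconds) while a server-wide failure rate does not. The timestamp prefix, the thresholds and the sample lines are assumptions, constructed for illustration.

```python
import re
from collections import Counter, deque
from datetime import datetime, timedelta

# Only "AUTH method ... failed from <user>@<ip>" comes from the thread; the
# leading timestamp is an assumption about the local log layout. The user may
# contain '@', so the address is whatever follows the last '@'.
FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}).*"
    r"AUTH method \S+ failed from (?P<user>.+)@\s*"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)

def summarize(lines, per_ip_limit=5, window_s=60, global_limit=10):
    """Compare a per-IP threshold with a server-wide sliding-window rate."""
    per_ip, users, recent, peak = Counter(), set(), deque(), 0
    for line in lines:
        m = FAIL_RE.search(line)
        if not m:
            continue  # not an AUTH failure line
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        per_ip[m["ip"]] += 1
        users.add(m["user"])
        recent.append(ts)
        while (ts - recent[0]).total_seconds() > window_s:
            recent.popleft()  # drop failures older than the window
        peak = max(peak, len(recent))
    return {
        "failures": sum(per_ip.values()),
        "distinct_ips": len(per_ip),
        "distinct_users": len(users),
        "ips_over_limit": sorted(ip for ip, n in per_ip.items() if n > per_ip_limit),
        "peak_per_window": peak,
        "global_alert": peak > global_limit,
    }

def constructed_sample(n=30):
    """Constructed lines: one failure every 4 s, new user and address each time."""
    start = datetime(2019, 8, 5, 20, 0, 0)
    out = ["2019-08-05 20:00:00 INFO Id='0' User='' Connection established"]
    for i in range(n):
        stamp = (start + timedelta(seconds=4 * i)).strftime("%Y-%m-%d %H:%M:%S")
        out.append(f"{stamp} INFO Id='{i}' User='' AUTH method LOGIN failed "
                   f"from user{i}@example.com@192.0.2.{i + 1}")
    return out

if __name__ == "__main__":
    print(summarize(constructed_sample()))
```

On the constructed sample no single address ever exceeds the per-IP limit, yet the 60-second window peaks well above the server-wide limit, which is the signal to alert or rate-limit on.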