Even if you have a server that is only accepting SMTP AUTH, it's still best practice to accept "MAIL FROM: <>" messages (i.e., you can't just disable that). That said, messages with a null sender should not leave your server, so I think it's either a conf issue or a bug in some matcher that probably isn't capturing that and preventing the relaying.

Serge Knystautas
Loki Technologies
http://www.lokitech.com/

----- Original Message -----
From: "Peter M. Goldstein" <[EMAIL PROTECTED]>
To: "'James Developers List'" <[EMAIL PROTECTED]>
Sent: Monday, July 29, 2002 8:21 PM
Subject: FW: Open relay with SMTP-AUTH

>
> All,
>
> I've just confirmed this on the latest code base. The cause is pretty
> obvious - there is a comment in SMTPHandler.java:
>
>     // If this is a delivery failure notification (MAIL FROM: <>)
>     // we don't enforce authentication
>     if (authRequired && state.get(SENDER) != null) {
>
> Removing the (state.get(SENDER) != null) clause closes the open relay.
>
> But can anyone clarify the comment? Is this comment referring to
> messages being generated by the James server in response to local
> delivery failures? Clearly the code as it stands is insecure...
>
> --Peter
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: None
> To: [EMAIL PROTECTED]
> Subject: Open relay with SMTP-AUTH
>
>
> Hello
>
> I think I found a bug when using SMTP-AUTH
>
> if you enable smtp-auth and send a <> as the sender
> the server allows the relay of any message, if you
> specify a correct email address the server enforces the authentication
>
> I created a patch for this, is there any other solution?
>
> following a session that shows the problem
>
> Trying XXXXXX...
> Connected to XXXXXXXXX.
> Escape character is '^]'.
> 220 myMailServer SMTP Server (JAMES SMTP Server 2.0a3-cvs) ready Mon, 29 Jul 2002 20:31:04 -0400
> helo test
> 250-myMailServer Hello test (XXXXXXX)
> 250 AUTH LOGIN PLAIN
> mail from: <>
> 250 Sender <> OK
> rcpt to: <[EMAIL PROTECTED]>
> 250 Recipient <[EMAIL PROTECTED]> OK
> .....
>
> --
> To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
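
The distinction drawn in this thread (accept MAIL FROM:<>, but never relay it out unauthenticated), as an added example that is not James code and not from any poster here. It models the quoted condition beside one possible recipient-based check; the class, method names, domains and addresses are all hypothetical.

```java
import java.util.Set;

// Added illustration, not Apache James code; every name below is hypothetical.
public class NullSenderRelayDemo {
    // Constructed sample: the domains this server accepts mail for.
    static final Set<String> LOCAL_DOMAINS = Set.of("example.org");

    static boolean isLocal(String recipient) {
        int at = recipient.lastIndexOf('@');
        return at >= 0
            && LOCAL_DOMAINS.contains(recipient.substring(at + 1).toLowerCase());
    }

    // Model of the quoted condition: authentication is enforced only when a
    // sender is present, so MAIL FROM:<> (sender == null) bypasses it.
    static boolean acceptAsQuoted(boolean authRequired, boolean authenticated,
                                  String sender, String recipient) {
        if (authRequired && sender != null) {
            return authenticated;
        }
        return true;
    }

    // Recipient-based decision: local delivery is always allowed, so bounces
    // with a null sender still arrive; relaying out needs authentication.
    static boolean acceptByRecipient(boolean authRequired, boolean authenticated,
                                     String sender, String recipient) {
        if (isLocal(recipient)) {
            return true;
        }
        // Without SMTP AUTH, other relay restrictions (not modelled) apply.
        return !authRequired || authenticated;
    }

    public static void main(String[] args) {
        // Constructed cases: {sender (null means <>), recipient}.
        String[][] cases = {
            {null, "user@example.org"},                 // inbound bounce
            {null, "someone@elsewhere.example"},        // null sender, remote rcpt
            {"someone@example.org", "someone@elsewhere.example"},
        };
        for (String[] c : cases) {
            System.out.printf("from=%-20s to=%-26s quoted=%-5b byRecipient=%b%n",
                c[0] == null ? "<>" : c[0], c[1],
                acceptAsQuoted(true, false, c[0], c[1]),
                acceptByRecipient(true, false, c[0], c[1]));
        }
    }
}
```

All three cases run with authentication required and an unauthenticated client; the second row is the session shown in the original report.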