Berin Loritsch wrote:
>
> ----- Original Message -----
> From: "Serge Knystautas" <[EMAIL PROTECTED]>
> To: "Java Apache Mail Server" <[EMAIL PROTECTED]>
> Sent: Thursday, October 19, 2000 8:03 AM
> Subject: Slight security hole
>
> > Is there any way to configure Avalon (at least the branch we're using) so
> > that it doesn't expose to all IP addresses the "die!" command? Before I
> > realized this just now, someone could telnet into port 4554 on my mail
> > server machine, type die!, and the server dies. Fortunately I was on an OS
> > where I could restrict something like this, but this is a huge hole.

Yuk! Well spotted. Doesn't apply to James' Remote Manager on 4555.

> I completely agree. The purpose of that "functionality" is to provide a hook
> to do administration. Unfortunately, it has been left in. I am going to post
> this message to the Avalon group, and make sure that it can be done. If not
> in this version, then in the new 3.0 alpha release.
>
> > Unless there's a way to configure this, I'd like to patch the Avalon branch
> > we're on to only process connections that are from the local machine... I
> > just don't think we can allow the 1.2 release to go out like this. Any
> > strong comments against?
>
> Please do so. +1000

Do we use Avalon's remote manager at all - I don't think so, so you
could disable it completely.

Charles

PS Other than that, I think we're ready for release of James 1.2 -
Avalon guys are welcome to take it for a pre-release spin (uses old
avalon, though)

C

>
> ------------------------------------------------------------
> To subscribe: [EMAIL PROTECTED]
> To unsubscribe: [EMAIL PROTECTED]
> Archives: <http://www.mail-archive.com/james%40list.working-dogs.com/>
> Problems?: [EMAIL PROTECTED]
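
The restriction proposed in the thread (only process connections that come from the local machine), as an added Java example that is not code from the thread or from Avalon. The class and method names are hypothetical; the port 4554 and the "die!" command are the ones named in the messages.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.nio.charset.StandardCharsets;

// Added illustration; class and method names are hypothetical, not Avalon's.
public class LocalOnlyAdminListener {
    static final int ADMIN_PORT = 4554;     // port named in the thread
    static final String SHUTDOWN = "die!";  // command named in the thread

    // Second check, in case the bind address is later changed back to the wildcard.
    static boolean isLocalPeer(Socket s) {
        InetAddress peer = s.getInetAddress();
        return peer != null && peer.isLoopbackAddress();
    }

    public static void main(String[] args) throws IOException {
        // new ServerSocket(port) binds the wildcard address and is reachable on
        // every interface; passing the loopback address restricts it to this host.
        InetAddress loopback = InetAddress.getLoopbackAddress();
        try (ServerSocket server = new ServerSocket(ADMIN_PORT, 5, loopback)) {
            boolean running = true;
            while (running) {
                Socket accepted = server.accept(); // a failure here stops the listener
                try (Socket client = accepted) {
                    if (!isLocalPeer(client)) {
                        continue; // drop without reading any input
                    }
                    client.setSoTimeout(5000); // a silent client cannot block the loop
                    BufferedReader in = new BufferedReader(new InputStreamReader(
                            client.getInputStream(), StandardCharsets.US_ASCII));
                    if (SHUTDOWN.equals(in.readLine())) {
                        running = false;
                    }
                } catch (IOException e) {
                    System.err.println("admin connection error: " + e.getMessage());
                }
            }
        }
        // Any local user can still connect: this narrows exposure, it does not authenticate.
    }
}
```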