Re: james SMTP authentication enforcement
Stefano:

Thanks! I tested the configuration and found that it works.

Maybe this method of spoofing users has been overlooked. Even if James has SMTP turned on, I can impersonate any user of the server and send another user an email without any authentication. In a way, it seems to be a security hole open by default unless people apply your section of configuration.

This seems to be fairly easy to fix in source code. In SMTPHandler.java, the condition of bouncing back error 530 during SMTP session goes like this:

    if (authRequired) {
        if (getUser() == null) {
            String toDomain = recipientAddress.getHost();
            if (!theConfigData.getMailServer().isLocalServer(toDomain)) {
                responseString = "530 Authentication Required";
                writeLoggedFlushedResponse(responseString);
                ...

Now to close the hole, we need to add one more condition to give out error 530. We just need to change the following line

    if (!theConfigData.getMailServer().isLocalServer(toDomain))

to something like this:

    if ((!theConfigData.getMailServer().isLocalServer(toDomain))
            || theConfigData.getMailServer().isLocalServer(senderAddress.getHost()))

As you pointed out that the SMTP authentication is not associated with sender address in SMTP RFC, so I did suspect that this additional condition *might* violate the RFC. However, I double-checked with RFC 2554. It seems actually such checking is allowed. The wording for error 530 is actually fairly weak:

    530 Authentication required

    This response may be returned by any command other than AUTH, EHLO, HELO, NOOP, RSET, or QUIT. It indicates that server policy requires authentication in order to perform the requested action.

Well we check for recipient address in the first place. This checking is not explicitly mentioned in the RFC either, but is just implicitly allowed. By the same token, checking the sender address should be allowed too.

What do you think? Actually, are you a software developer on the James team? How do I become one?
Ken

Stefano Bagnara [EMAIL PROTECTED] wrote:
> Ken Lin wrote:
>> Stefano:
>>
>> Here is the actual scenario I try to prevent:
>>
>> Let's say I use james email server at corporation xyz.com. A hacker/email worm program telnet to SMTP port (inside or outside the corporate firewall), uses one of the employees' email address as from address (say [EMAIL PROTECTED]), and sends another employee an email. You can see how this is clearly dangerous because a hacker/email worm can impersonate anybody in corporation.
>>
>> As my server is configured now, it will allow this attack because
>> (a) IP-based authentication is unreliable at all because attacker or worm could be inside or outside corporate firewall
>> (b) SMTP authentication is not required because RCPT TO address contains @xyz.com
>>
>> I would like to disable all relaying if both conditions are true:
>> * The from address contains @xyz.com
>> * The sender is not authenticated.
>>
>> How can I achieve this goal?
>
> currently mail will be sent to the transport processor when ready to be sent.
>
> You should create a new sendercheck processor in the process. transport error (you can change the ToProcessor to something else, or change the processor to your needs). transport
>
> Then you change the current calls to processor transport to calls to the sendercheck processor.
>
> Stefano
>
> - To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
Re: james SMTP authentication enforcement
Ken Lin wrote:
> Maybe this method of spoofing users has been overlooked. Even if James has SMTP turned on, I can impersonate any user of the server and send another user an email without any authentication. In a way, it seems to be a security hole open by default unless people apply your section of configuration.

You, anyway, will never stop people from using your email as sender address and send messages around the world. There are solutions to stop this behaviour (e.g. SPF) but not supported by all the SMTP server so I don't think that we can consider this thing a security hole in james.

I'm not 100% sure, but I bet that most mail servers will not block messages with a from: containing a local domain to be relayed (even with authentication on).

> Well we check for recipient address in the first place. This checking is not explicitly mentioned in the RFC either, but is just implicitly allowed. By the same token, checking the sender address should be allowed too.

You'd be not RFC compliant because you MUST accept a mail from: [EMAIL PROTECTED] to: [EMAIL PROTECTED] even without authentication.

I think that this is not specified in the RFC and is not even common practice for SMTP servers and we should not make it the default.

Btw, if you want to write a patch to provide an option to enable this behaviour I'll try to review it.

> What do you think? Actually, are you a software developer on the James team? How do I become one?

I'm a James committer. I've been proposed by other James committers one year ago after many months of support here in the list and after having submitted many patches to the issue tracker.

Stefano
Re: MimeMessage handling optimizations/changes for 2.3.0a2
----- Original Message -----
From: Noel J. Bergman [EMAIL PROTECTED]
To: James Developers List server-dev@james.apache.org
Sent: Thursday, March 09, 2006 1:53 AM
Subject: RE: MimeMessage handling optimizations/changes for 2.3.0a2

> Markus Kühn wrote:
>> Noel J. Bergman wrote:
>>> I'd be inclined to migrate to OSGi at such time as we consider moving.
>> Are you currently involved in a OSGi project?
> We have several here at the ASF. Why do you ask?

I wanted to know how accepted OSGi is.

Markus
[jira] Commented: (JAMES-124) Add the ability to kick the outgoing queue
[ http://issues.apache.org/jira/browse/JAMES-124?page=comments#action_12369626 ]

Soren Hilmer commented on JAMES-124:

I totally follow Noel's view.

We already have something like this in the FromRepository mailet, where any mail received by this mailet will trigger a re-spooling of mails in some repository.

I do believe however that these control messages ought to be kept out of the normal mail flow. This will also make it easier to control who are allowed to inject such messages.

Add the ability to kick the outgoing queue

         Key: JAMES-124
         URL: http://issues.apache.org/jira/browse/JAMES-124
     Project: James
        Type: New Feature
  Components: MailStore MailRepository
    Versions: 2.0a3, 2.1.3, 2.2.0
 Environment: Operating System: All Platform: All
    Reporter: Jason Webb
    Priority: Minor

It would be nice to be able to kick the outgoing queue to force the queue to deliver all its pending mail. This is useful after a problem that affects all mail deliveries.

On a related note the SMTP might also want to support ETRN as well if anybody uses it anymore.

--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira
Re: james SMTP authentication enforcement
Stefano:

Great to hear from your experience. It sounds a lot of effort to become a committer.

Here is the open relay testing site that I used:

http://www.abuse.net/relay.html

This appears to be pretty popular as it showed up as the top link on google for mail relay test. My james server failed the test case I mentioned earlier in email (spoofing [EMAIL PROTECTED] to [EMAIL PROTECTED]).

I went ahead and tested a few other ISP and corporation's email. It seems when SMTP authentication is not established, many directly reject any mail with sender containing the designated domain name. Here are the servers I tested that rejected all spoof:

Mail ISP:
  Gmail: gsmtp183.google.com
  Hotmail: mf4100beta1.solinus.com

Corporation email:
  Google.com: smtp1.google.com
  Amazon.com: smtp-fw-0101.amazon.com
  Microsoft.com: mailb.microsoft.com

The test on Yahoo seems to have failed that it accepts a fake email from [EMAIL PROTECTED] to [EMAIL PROTECTED] However, it is possible that yahoo drops spoofed mails in spooling queue (like using the configuration similar to what you posted earlier). I need to confirm this later. (I can't do the spoofing testing at work at the moment because our corporate firewall blocks all outgoing port 25 access)

Just to make sure that the code change won't violate the RFC, can you let me know the RFC number and section number that mandates any email from @xyz.com can be sent to [EMAIL PROTECTED] without SMTP authentication? I looked at the following two RFCs from the IETF site and couldn't find this mandate:

SMTP RFC (821): http://www.ietf.org/rfc/rfc0821.txt
SMTP authentication RFC (2554): http://www.ietf.org/rfc/rfc2554.txt

Ken
Re: james SMTP authentication enforcement
Ken Lin wrote:
> Stefano:
>
> I went ahead and tested a few other ISP and corporation's email. It seems when SMTP authentication is not established, many directly reject any mail with sender containing the designated domain name. Here are the servers I tested that rejected all spoof:
>
> Mail ISP:
> Gmail: gsmtp183.google.com

I just sent a mail from one of my gmail account to another of my gmail account using their smtp server without authentication and I have been successful. You're probably missing something in the tests, or I don't understand what are you testing.

    [edentist][/var/log]$ telnet gsmtp163.google.com 25
    Trying 64.233.163.27...
    Connected to gsmtp163.google.com.
    Escape character is '^]'.
    220 mx.gmail.com ESMTP 38si1843438nzk
    ehlo pippo.com
    250-mx.gmail.com at your service
    250-SIZE 20971520
    250-8BITMIME
    250 ENHANCEDSTATUSCODES
    mail from: [EMAIL PROTECTED]
    250 2.1.0 OK
    rcpt to: [EMAIL PROTECTED]
    250 2.1.5 OK
    data
    354 Go ahead
    Subject: test

    body
    .
    250 2.0.0 OK 1141947204 38si1843438nzk
    quit
    221 2.0.0 mx.gmail.com closing connection 38si1843438nzk
    Connection closed by foreign host.

And I successfully received the message. I don't test all the other servers because there is obviously a misunderstanding in this conversation.

> Just to make sure that the code change won't violate the RFC, can you let me know the RFC number and section number that mandates any email from @xyz.com can be sent to [EMAIL PROTECTED] without SMTP authentication? I looked at the following two RFCs from the IETF site and couldn't find this mandate:
>
> SMTP RFC (821): http://www.ietf.org/rfc/rfc0821.txt
> SMTP authentication RFC (2554): http://www.ietf.org/rfc/rfc2554.txt

RFC 2821 - Simple Mail Transfer Protocol
4.5.1 Minimum Implementation

    Any system that includes an SMTP server supporting mail relaying or delivery MUST support the reserved mailbox postmaster as a case-insensitive local name. This postmaster address is not strictly necessary if the server always returns 554 on connection opening (as described in section 3.1). The requirement to accept mail for postmaster implies that RCPT commands which specify a mailbox for postmaster at any of the domains for which the SMTP server provides mail service, as well as the special case of RCPT TO:<Postmaster> (with no domain specification), MUST be supported.

    SMTP systems are expected to make every reasonable effort to accept mail directed to Postmaster from any other system on the Internet. In extreme cases --such as to contain a denial of service attack or other breach of security-- an SMTP server may block mail directed to Postmaster. However, such arrangements SHOULD be narrowly tailored so as to avoid blocking messages which are not part of such attacks.

Stefano
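The sender-domain check Ken proposes, made opt-in as Stefano asks and combined with the postmaster requirement from the RFC 2821 section quoted above, as an added example (it is not James code and not part of either post). The class, method and flag names are hypothetical, the addresses are constructed, and exempting postmaster and the null reverse-path from the sender check is this example's own reading of the quoted RFC text.

```java
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

// Added illustration, not James source: class, method and flag names are hypothetical.
public class SenderAuthPolicy {

    private final Set<String> localDomains = new HashSet<>();
    private final boolean checkLocalSender; // hypothetical opt-in option; false keeps the existing behaviour

    public SenderAuthPolicy(Set<String> domains, boolean checkLocalSender) {
        for (String d : domains) {
            localDomains.add(d.toLowerCase(Locale.ROOT));
        }
        this.checkLocalSender = checkLocalSender;
    }

    /** True when RCPT TO should be answered with "530 Authentication Required". */
    public boolean requiresAuth(String authUser, String mailFrom, String rcptTo) {
        if (authUser != null) {
            return false;                       // session already authenticated
        }
        String rcptDomain = domainOf(rcptTo);
        boolean postmaster = localPartOf(rcptTo).equalsIgnoreCase("postmaster");
        // A bare "Postmaster" (no domain) counts as local; anything else needs a local domain.
        boolean rcptLocal = rcptDomain == null ? postmaster : localDomains.contains(rcptDomain);
        if (!rcptLocal) {
            return true;                        // existing check: unauthenticated relay to a remote domain
        }
        if (!checkLocalSender || postmaster) {
            return false;                       // option off, or mail for postmaster (RFC 2821 4.5.1)
        }
        String senderDomain = domainOf(mailFrom);   // null for MAIL FROM:<> (assumed exempt: bounces)
        return senderDomain != null && localDomains.contains(senderDomain);
    }

    private static String domainOf(String address) {
        int at = (address == null) ? -1 : address.lastIndexOf('@');
        return at < 0 ? null : address.substring(at + 1).toLowerCase(Locale.ROOT);
    }

    private static String localPartOf(String address) {
        int at = address.lastIndexOf('@');
        return at < 0 ? address : address.substring(0, at);
    }

    public static void main(String[] args) {
        Set<String> local = new HashSet<>();
        local.add("xyz.com");                   // domain used in Ken's scenario
        SenderAuthPolicy policy = new SenderAuthPolicy(local, true);

        // Constructed sample sessions: { authenticated user, MAIL FROM, RCPT TO }
        String[][] sessions = {
            {null,    "alice@xyz.com",     "bob@xyz.com"},        // unauthenticated, local sender and recipient
            {"alice", "alice@xyz.com",     "bob@xyz.com"},        // same envelope after AUTH
            {null,    "carol@example.org", "bob@xyz.com"},        // ordinary inbound mail
            {null,    "alice@xyz.com",     "Postmaster@xyz.com"}, // mail for postmaster
            {null,    "",                  "bob@xyz.com"},        // null reverse-path
            {null,    "carol@example.org", "dave@example.org"},   // relay to a remote domain
        };
        for (String[] s : sessions) {
            boolean reject = policy.requiresAuth(s[0], s[1], s[2]);
            System.out.printf("auth=%-5s from=%-18s to=%-19s %s%n", s[0], s[1], s[2],
                    reject ? "530 Authentication Required" : "accept");
        }
    }
}
```

The check only looks at the SMTP envelope of a session with this server; it does nothing about the same sender address being used on other servers, which is the case Stefano raises with SPF.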
[jira] Updated: (JAMES-442) [TOOL] Stress Test Tool
[ http://issues.apache.org/jira/browse/JAMES-442?page=all ]

Bernd Fondermann updated JAMES-442:

    Attachment: postage1.1.patch

fix minor bugs. incremental patch.

[TOOL] Stress Test Tool

         Key: JAMES-442
         URL: http://issues.apache.org/jira/browse/JAMES-442
     Project: James
        Type: New Feature
 Environment: Running James Server
    Reporter: Bernd Fondermann
    Priority: Minor
 Attachments: postage.zip, postage1.1.patch

Attached a set of classes acting as a standalone stress test tool for James.

As the package namespace I chose o.a.j.postage, the latter being the preliminary name for this tool.

While being functional at least under James 2.2.0, all integrational aspects are not yet discussed, even if it is integrated into the codebase at all.

It is intended as a first draft, a base for discussions.

A howto is included.
Re: james SMTP authentication enforcement
Stefano:

Thanks for pointing out. I was looking at the older version of the SMTP RFC. I will let you know once the code is ready.

Ken
Re: james SMTP authentication enforcement
It would not make any sense if they would not accept the email..

On Thursday, 09.03.2006, at 14:45 -0800, Ken Lin wrote:
> Stefano:
>
> Great to hear from your experience. It sounds a lot of effort to become a committer.
>
> Here is the open relay testing site that I used:
>
> http://www.abuse.net/relay.html
>
> This appears to be pretty popular as it showed up as the top link on google for mail relay test. My james server failed the test case I mentioned earlier in email (spoofing [EMAIL PROTECTED] to [EMAIL PROTECTED]).
>
> I went ahead and tested a few other ISP and corporation's email. It seems when SMTP authentication is not established, many directly reject any mail with sender containing the designated domain name. Here are the servers I tested that rejected all spoof:
>
> Mail ISP:
>   Gmail: gsmtp183.google.com
>   Hotmail: mf4100beta1.solinus.com
>
> Corporation email:
>   Google.com: smtp1.google.com
>   Amazon.com: smtp-fw-0101.amazon.com
>   Microsoft.com: mailb.microsoft.com
>
> The test on Yahoo seems to have failed that it accepts a fake email from [EMAIL PROTECTED] to [EMAIL PROTECTED] However, it is possible that yahoo drops spoofed mails in spooling queue (like using the configuration similar to what you posted earlier). I need to confirm this later. (I can't do the spoofing testing at work at the moment because our corporate firewall blocks all outgoing port 25 access)
>
> Just to make sure that the code change won't violate the RFC, can you let me know the RFC number and section number that mandates any email from @xyz.com can be sent to [EMAIL PROTECTED] without SMTP authentication? I looked at the following two RFCs from the IETF site and couldn't find this mandate:
>
> SMTP RFC (821): http://www.ietf.org/rfc/rfc0821.txt
> SMTP authentication RFC (2554): http://www.ietf.org/rfc/rfc2554.txt
>
> Ken
mailet thats splits email
Hi,

I wrote a mailet that splits the email in single emails per recipient. But sometimes I get this error for example:

    We were unable to deliver the attached message because of an error in the mail server.

    Message details:
      Subject: FAILED: AS29562
      Sent date: Fri Mar 10 06:51:48 CET 2006
      MAIL FROM: null
      RCPT TO: [EMAIL PROTECTED]
      From: RIPE Database Administration [EMAIL PROTECTED]
      To: [EMAIL PROTECTED]
      Size (in bytes): 2044

In the deadletter table nothing useful is inserted..

Anyone can give me a hint what's the problem? I attached the mailet.

bye

    package org.apache.james.transport.mailets;

    import org.apache.mailet.GenericMailet;
    import org.apache.mailet.Mail;
    import org.apache.mailet.MailAddress;

    import javax.mail.MessagingException;
    import javax.mail.internet.MimeMessage;
    import java.util.Arrays;
    import java.util.Collection;
    import java.util.Iterator;

    /**
     * Split the email for each recipient and pass it to a processor so we can process it later for each recipient.
     * This makes it possible to use different settings for each recipient.
     *
     * Sets the following headers:
     * X-Domain: domain.de
     * X-User: [EMAIL PROTECTED]
     *
     * <br><br>
     *
     * Sample Configuration:
     * <br><br>
     * &lt;mailet match="All" class="SplitEmail"&gt;
     * &lt;processor&gt;sender&lt;/processor&gt;
     * &lt;/mailet&gt;
     * <br><br>
     * @author Norman Maurer [EMAIL PROTECTED]
     */
    public class SplitEmail extends GenericMailet {

        // Processor the per-recipient copies are handed to; "sender" unless configured.
        protected String excubatorState = "sender";

        private static final String HEADER_USER = "X-User";
        private static final String HEADER_DOMAIN = "X-Domain";

        public void init() throws MessagingException {
            // Store the configured processor in the field; declaring a local variable
            // with the same name here would silently discard the configured value.
            String configured = getInitParameter("processor");
            if (configured != null && !configured.equals("")) {
                excubatorState = configured;
            }
        }

        /**
         * Split the email.
         *
         * @param mail the mail being processed
         *
         * @throws MessagingException if an error occurs while splitting the mail
         */
        public void service(Mail mail) throws MessagingException {
            Collection recipients = mail.getRecipients();
            MimeMessage message = mail.getMessage();
            // getSender() returns null for a null reverse-path (MAIL FROM:<>).
            MailAddress sender = mail.getSender();

            for (Iterator i = recipients.iterator(); i.hasNext();) {
                MailAddress recipient = (MailAddress) i.next();
                // Locals instead of instance fields: one mailet instance serves several spool threads.
                String user = recipient.toString().toLowerCase();
                String domain = recipient.getHost().toLowerCase();

                // Set the right user for later use.
                message.setHeader(HEADER_USER, user);
                message.setHeader(HEADER_DOMAIN, domain);
                message.saveChanges();

                try {
                    getMailetContext().sendMail(sender, Arrays.asList(new MailAddress[] { recipient }), message, excubatorState);
                    log("sender: " + sender + " | recipient: " + user);
                } catch (MessagingException ex) {
                    log("Error while splitting mail.", ex);
                }
            }

            // Drop the original mail.
            mail.setState(Mail.GHOST);
        }

        /**
         * Return a string describing this mailet.
         *
         * @return a string describing this mailet
         */
        public String getMailetInfo() {
            return "SplitEmail Mailet";
        }
    }