[ http://issues.apache.org/jira/browse/JAMES-304?page=comments#action_12317896 ]
Ralf Hauser commented on JAMES-304:
-----------------------------------

Unfortunately, this is only partially addressed by javamail 1.3.2:

Yes, javamail now can do starttls and this can be set by the global "mail.smtp.starttls.enable" property, but

1) I don't see how I can specify in james-confix.xml that by default, james must attempt to do so. Unfortunately, this only affects the creation of a com.sun.mail.smtp.SMTPTransport, but if you need to instantiate a com.sun.mail.smtp.SMTPSSLTransport for legacy ssl-on-connect on port 465 (e.g. lotus notes MUA), this is also not covered by a session property or the like.
2) also there is little support on how to decently deal with the predominant population of self-signed server certificates (http://security.zhwin.ch/infoweek.pdf - German)
3) also, there is no protection against an adversary downgrading the session-cipher to null or export-strength
similar to JAMES-385

> secure remote delivery opportunistically or even allow make TLS mandatory
> -------------------------------------------------------------------------
>
>          Key: JAMES-304
>          URL: http://issues.apache.org/jira/browse/JAMES-304
>      Project: James
>         Type: Improvement
>   Components: Remote Delivery
>     Versions: 2.1.3
>  Environment: all - I use RH Linux 9
>     Reporter: Ralf Hauser
>      Fix For: 3.0
>
> It would be great to have james at least opportunistically attempt to secure
> its user's outgoing mails with STARTTLS.
> How would one do this?
> 1) first a delivery-host must be found that can do this:
> --> see http://tlstest.sf.net
> The ch/zhwin/tlstest/TLSTestAPI.java.canDomainTLS() can do this (in v1.2)
> 2) The real delivery still needs to be secured - unfortunately, so far, I
> only see a broken idea how to do this in
> http://www.portaljava.com/home/modules.php?name=Forums&file=viewtopic&p=20492
> anybody with better ideas (especially since there, they mess a lot with
> system-wide properties, so I am afraid that afterwards, the secure pop and
> smtp to MUA will no longer work)
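
Point 3 of the comment above concerns a session negotiated down to a null or export-strength cipher. The following is an added example, not code from James, JavaMail or the commenter: it uses only the JDK's javax.net.ssl API to strip such suites for a single connection, so no system-wide property is touched. The class name, the marker list and the sample suite names are assumptions constructed for illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

public class StrongSuitesOnly {
    // Name fragments of suites with no encryption, export-grade keys, or no
    // server authentication (this marker list is an assumption of the example).
    private static final String[] WEAK_MARKERS = {"_NULL_", "_EXPORT_", "_anon_"};

    static boolean isWeak(String suite) {
        for (String marker : WEAK_MARKERS) {
            if (suite.contains(marker)) return true;
        }
        return false;
    }

    static String[] withoutWeak(String[] suites) {
        List<String> kept = new ArrayList<>();
        for (String suite : suites) {
            if (!isWeak(suite)) kept.add(suite);
        }
        return kept.toArray(new String[0]);
    }

    // Parameters for one connection; apply them with SSLSocket.setSSLParameters()
    // on the socket that wraps the SMTP connection after STARTTLS.
    static SSLParameters hardened(SSLContext ctx) {
        SSLParameters params = ctx.getDefaultSSLParameters();
        String[] strong = withoutWeak(params.getCipherSuites());
        if (strong.length == 0) {
            // Fail closed instead of falling back to the unfiltered list.
            throw new IllegalStateException("no acceptable cipher suite left");
        }
        params.setCipherSuites(strong);
        return params;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample list, not taken from a real handshake.
        String[] sample = {"TLS_RSA_WITH_AES_128_CBC_SHA", "SSL_RSA_WITH_NULL_MD5",
                "SSL_RSA_EXPORT_WITH_RC4_40_MD5", "SSL_DH_anon_WITH_RC4_128_MD5"};
        System.out.println(Arrays.toString(withoutWeak(sample)));
        SSLParameters p = hardened(SSLContext.getDefault());
        System.out.println(p.getCipherSuites().length + " suites enabled for this connection");
    }
}
```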
