[ https://issues.apache.org/jira/browse/JAMES-3579?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17343772#comment-17343772 ]

René Cordier commented on JAMES-3579:
-------------------------------------

https://github.com/apache/james-project/pull/425

> verifyIdentity param should be rejected if authRequired is set to false in 
> SMTP configuration
> ---------------------------------------------------------------------------------------------
>
>                 Key: JAMES-3579
>                 URL: https://issues.apache.org/jira/browse/JAMES-3579
>             Project: James Server
>          Issue Type: Bug
>          Components: SMTPServer
>            Reporter: René Cordier
>            Priority: Minor
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> According to the smtp conf documentation 
> https://james.apache.org/server/config-smtp-lmtp.html:
> "handler.verifyIdentity
> This is an optional tag with a boolean body. This option can only be used if 
> SMTP authentication is required. If the parameter is set to true then the 
> sender address for the submitted message will be verified against the 
> authenticated subject. Verify sender addresses, ensuring that the sender 
> address matches the user who has authenticated. It will verify that the 
> sender address matches the address of the user or one of its aliases (from user 
> or domain aliases). This prevents a user of your mail server from acting as 
> someone else. If unspecified, default value is true." 
> However, it has been observed that when authRequired is set to false in 
> smtpserver.xml, if verifyIdentity is set to true, the SMTP server is 
> expecting that the user is authenticated to be able to verify its identity.
> To stick to the documentation of James, we should reject this case on James 
> startup.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
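
The conflict described in the issue above can also be caught by auditing `smtpserver.xml` before deployment. The following is an added example, not code from James or from the linked pull request: the element layout (`authRequired` and `verifyIdentity` anywhere under each `<smtpserver>`, a `jmxName` label) and the error/warning split are assumptions of this sketch.

```python
import xml.etree.ElementTree as ET

# Constructed sample configuration (not taken from the issue). The layout is
# an assumption; tags are searched at any depth to cover "handler.verifyIdentity".
SAMPLE = """\
<smtpservers>
  <smtpserver enabled="true">
    <jmxName>smtp-relay</jmxName>
    <authRequired>false</authRequired>
    <verifyIdentity>true</verifyIdentity>
  </smtpserver>
  <smtpserver enabled="true">
    <jmxName>smtp-inbound</jmxName>
    <authRequired>false</authRequired>
  </smtpserver>
  <smtpserver enabled="true">
    <jmxName>smtp-submission</jmxName>
    <authRequired>true</authRequired>
    <handler><verifyIdentity>true</verifyIdentity></handler>
  </smtpserver>
</smtpservers>
"""

def _text(server, tag):
    """Body of the first <tag> anywhere under server, or "" if absent/empty."""
    node = server.find(f".//{tag}")
    return (node.text or "").strip() if node is not None else ""

def audit(xml_text):
    """Return (server, severity, message) for each block that sets
    authRequired=false while verifyIdentity is, or defaults to, true."""
    findings = []
    for i, server in enumerate(ET.fromstring(xml_text).iter("smtpserver")):
        name = _text(server, "jmxName") or f"smtpserver[{i}]"
        if _text(server, "authRequired").lower() != "false":
            continue  # only the combination the issue describes is checked
        verify = _text(server, "verifyIdentity").lower()
        if verify == "true":
            findings.append((name, "error", "verifyIdentity=true but authRequired=false"))
        elif verify == "":
            # The quoted documentation gives true as the default when unspecified.
            findings.append((name, "warning", "verifyIdentity unset (default true), authRequired=false"))
    return findings
```

On the constructed sample, `audit(SAMPLE)` reports `smtp-relay` as an error and `smtp-inbound` as a warning; whether James itself rejects the implicit-default case is not stated in the issue.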