[ https://issues.apache.org/jira/browse/JAMES-3820?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17609897#comment-17609897 ]

ouvtam commented on JAMES-3820:
-------------------------------

> Can empty sender be used to relay emails with James while being
> unauthenticated? (this would be bad, for sure... I am unsure such a corner
> case is tested...)

As far as I know, empty senders are allowed on bounces, so if you relayed a mail 
to the next MTA and then you receive a bounce message from this MTA. The best you 
can do is generate an ephemeral bounce ID (e.g. store in Redis) before relaying 
a mail. When a bounce happens you can check if the bounce ID exists and relay 
the bounce message. Otherwise reject the bounce.

> Maybe as an admin I would need an option to require a proper MAIL FROM 
> explicitly ?

I would be interested in what you have seen in the wild so far when operating an 
MSA. Do you have any statistics about AUTH with/without MAIL FROM? According to 
the RFC you start an SMTP session (including AUTH). Then you can do as many 
transactions as you want, each starting with a MAIL FROM.

Because being too strict can also hurt deliverability in the wild west of 
mailing :/

> DNS Blocklist: implement DNSRBLHandler as MailHook instead of RcptHook
> ----------------------------------------------------------------------
>
>                 Key: JAMES-3820
>                 URL: https://issues.apache.org/jira/browse/JAMES-3820
>             Project: James Server
>          Issue Type: Improvement
>          Components: SMTPServer
>            Reporter: ouvtam
>            Priority: Minor
>          Time Spent: 1h 10m
>  Remaining Estimate: 0h
>
> At the moment the DNSRBL handler 
> (org.apache.james.protocols.smtp.core.fastfail.DNSRBLHandler) is implemented 
> as a RcptHook. Thus, for every RCPT TO call this handler will be called and a 
> blocklist lookup will be issued.
> One can argue it makes sense to implement the handler as a ConnectHandler, so 
> the blocklist check is done as early as possible. However, if SMTP AUTH is 
> successful then we should allow the connecting client anyway.
> Therefore it makes sense to implement the DNSRBL handler at MAIL FROM stage 
> that is MailHook. One exception is the following. According to [RFC 
> 4954|https://datatracker.ietf.org/doc/html/rfc4954#section-5], authentication 
> information can optionally be provided as ESMTP AUTH parameter with a _single_ 
> value in the 'MAIL FROM:' command.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
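
The bounce-ID check described in the comment above, sketched as an added example (not part of the original message and not James code). The in-memory store stands in for Redis, and carrying the ID in a `bounce+<id>@` envelope sender, the domain, the TTL and the reply strings are all assumptions made for illustration.

```python
import secrets
import time

BOUNCE_DOMAIN = "relay.example.org"  # assumption: domain this relay accepts bounces for
TTL_SECONDS = 5 * 24 * 3600          # assumption: how long a bounce is still expected


class BounceIdStore:
    """In-memory stand-in for an expiring key store such as Redis."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._ids = {}  # bounce ID -> (expiry timestamp, original sender)

    def issue(self, original_sender):
        """Call before relaying; returns the envelope sender to use downstream."""
        bounce_id = secrets.token_urlsafe(16)
        self._ids[bounce_id] = (self._clock() + TTL_SECONDS, original_sender)
        return f"bounce+{bounce_id}@{BOUNCE_DOMAIN}"

    def lookup(self, rcpt):
        """Return the original sender for a known, unexpired ID, else None."""
        local, _, domain = rcpt.rpartition("@")
        if domain.lower() != BOUNCE_DOMAIN or not local.startswith("bounce+"):
            return None
        bounce_id = local[len("bounce+"):]
        entry = self._ids.get(bounce_id)
        if entry is None:
            return None
        if entry[0] < self._clock():
            del self._ids[bounce_id]  # expired: forget it
            return None
        return entry[1]


def decide_rcpt(store, mail_from, rcpt, authenticated):
    """Relay decision for one RCPT TO (local delivery is out of scope here)."""
    if authenticated:
        return "250 relay", rcpt
    if mail_from == "":  # null reverse-path: accept only a bounce we issued an ID for
        original = store.lookup(rcpt)
        if original is None:
            return "550 unknown bounce ID", None
        return "250 relay bounce", original
    return "550 relaying denied", None
```
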
