[ 
https://issues.apache.org/jira/browse/JAMES-4171?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18057576#comment-18057576
 ] 

Jean Helou commented on JAMES-4171:
-----------------------------------

Interesting, it means that the default configuration results in DSN sent by 
james for unauthenticated users. I was unaware of this particular behavior, 
never thought to actually check it.
It means I could impersonate anyone and flood their inbox with DSNs by 
pretending to be someone I'm not trying to relay through a james instance. 

instead of changing the <auth> section, shouldn't we create a handler, applied 
by default which applies a sane behavior by default and can be configured to be 
even stricter ? 
By sane behavior by default I mean reject non-authenticated users trying to 
relay to non local recipients at the SMTP layer.  
The handler would have a flag to completely disallow unauthenticated traffic. 

People who want to do custom risky stuff would explicitly disable this handler 
and use mailetcontainer to do their stuff

> Submission only server
> ----------------------
>
>                 Key: JAMES-4171
>                 URL: https://issues.apache.org/jira/browse/JAMES-4171
>             Project: James Server
>          Issue Type: Improvement
>          Components: SMTPServer
>            Reporter: Benoit Tellier
>            Priority: Major
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> h3. Context 
> I end up having to provide a submission only server for one of my customer.
> Problem: James bundles together the MX and submission role thus always accept 
> email of remote users addressed to local users.
> This unorthodox behaviour is not a problem when combining both roles (though 
> surprising!) however not being able to say "only authenticated users here" 
> prevents implementing the aformentionned use case
> h3. Proposal
> Add auth.required configuration option in SMTP
> If true, then discard unauthenticated senders.
> This shall be the documented + recommended value however for 
> retro-compatibility I propose to keep the legacy value as a default value.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to