[
https://issues.apache.org/jira/browse/JAMES-4171?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18057579#comment-18057579
]
Benoit Tellier commented on JAMES-4171:
---------------------------------------
> Interesting, it means that the default configuration results in DSN sent by
> james for unauthenticated users.
No
Currently we mix MX + Submission roles.
[email protected] is able to send an email to [email protected] using submission
port.
We currently generate no bounces for this (borderline) edge case: we just
accept it as if port 25 is used.
> shouldn't we create a handler
IMO this behaviour is a core capability that should be easily configurable and
not handled as an extension, which is less readable.
Not doing MX on submission port is a legacy behaviour that is clearly very
surprising in 2026.
> By sane behavior by default I mean reject non-authenticated users trying to
> relay to non local recipients at the SMTP layer.
This is already the case.
> People who want to do custom risky stuff would explicitly disable this
> handler and use mailetcontainer to do their stuff.
Currently my proposal.
> if we really go forward with adding an option to <auth/> it should not be a
> boolean but more something along the lines
We already have options for handling relay. Whether we allow auth or not
(auth.announce). So mixing concerns expressed elsewhere in the smtpserver.xml
configuration seems like a very bad idea to me.
IMO conf rework needs to preserve backward compatibility, and retain the
existing flexibility - which I confess is likely to be achieved at the cost of
more complexity.
If we really want to avoid the "boolean parameter" (common practice in James
conf anyway) the proposal could be:
{code:java}
<auth>
  <!-- exactly one of the four values below -->
  <mode>disabled | announced | announcedForUnauthorizedAddresses | required</mode>
</auth>
{code}
With:
- disabled: Like today auth.announce=never
- announced: Like today auth.announce=always
- announcedForUnauthorizedAddresses: Like today auth.announce=forUnauthorizedAddresses
- required: auth.announce=always + auth.required=true
Opinion?
> Submission only server
> ----------------------
>
> Key: JAMES-4171
> URL: https://issues.apache.org/jira/browse/JAMES-4171
> Project: James Server
> Issue Type: Improvement
> Components: SMTPServer
> Reporter: Benoit Tellier
> Priority: Major
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> h3. Context
> I end up having to provide a submission only server for one of my customers.
> Problem: James bundles together the MX and submission role thus always accepts
> email of remote users addressed to local users.
> This unorthodox behaviour is not a problem when combining both roles (though
> surprising!) however not being able to say "only authenticated users here"
> prevents implementing the aforementioned use case.
> h3. Proposal
> Add auth.required configuration option in SMTP
> If true, then discard unauthenticated senders.
> This shall be the documented + recommended value however for
> retro-compatibility I propose to keep the legacy value as a default value.