Hi Guys,
I've managed to get partway through writing up a solution by modifying the dispatchCommandHandlers method in the CommandDispatcher class. This modification requires TLS for all connections once the connecting client has established a connection state, i.e. EHLO/HELO; if a client doesn't send STARTTLS and stand up a valid SSL connection, a 530 response is returned.

This solution isn't ideal and needs further development:

1) A way to define which servers to require TLS for (similar to the authorizedAddresses map?)
2) Support for IMAP, POP (this will only work for SMTP?)
3) Stop the AUTH field in the server reply from being sent before a TLS connection has been started

    private static final Response TLS_REQUIRED =
            new SMTPResponse("530", "5.7.0 Must issue a STARTTLS command first").immutable();

    @Override
    protected Response dispatchCommandHandlers(ProtocolSession session, Request request) {
        Object ehloState = session.getAttachment(SMTPSession.CURRENT_HELO_MODE,
                ProtocolSession.State.Connection);
        // if the EHLO state is established, TLS has NOT been started and the next
        // command is not STARTTLS, then reject the user
        if (ehloState != null && !session.isTLSStarted()
                && !"STARTTLS".equalsIgnoreCase(request.getCommand())) {
            return TLS_REQUIRED;
        } else {
            return super.dispatchCommandHandlers(session, request);
        }
    }

Kind regards,
Johnny Minty

From: Phillip Odam
Sent: Wednesday, 31 July 2013 1:32 a.m.
To: James Users List

Trouble with a fastfail hook is that it means the client has sent the username and password in the clear for the hook to activate.

On 7/30/13 2:09 AM, Jan-Philipp Hülshoff wrote:
> What about doing it with a Hook for fastfail?
> This hook fails the mail command if it is not authenticated. You could
> also use the session.isTLSStarted() or session.isRelayingAllowed().
>
> I'm using that hook on a second SMTP Server on port 465 to force
> everyone to login.
>
> public class AuthenticatedSMTPOnlyHandler implements MailHook {
>
>     public AuthenticatedSMTPOnlyHandler() {
>     }
>
>     @Override
>     public HookResult doMail(SMTPSession session, MailAddress adress) {
>         // session.isTLSStarted()
>         // session.isRelayingAllowed()
>         // deny the MAIL command unless the session carries an authenticated user
>         if (session.getUser() == null || session.getUser().trim().length() == 0) {
>             return new HookResult(
>                     HookReturnCode.DENY,
>                     SMTPRetCode.AUTH_REQUIRED,
>                     DSNStatus.getStatus(
>                             DSNStatus.PERMANENT,
>                             DSNStatus.SECURITY_AUTH
>                                     + " Authentication is required."));
>         }
>         return HookResult.ok();
>     }
> }
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: server-user-unsubscr...@james.apache.org
> For additional commands, e-mail: server-user-h...@james.apache.org
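A runnable simulation of the STARTTLS-first policy discussed in this thread, added here as an illustration (it is not Apache James code and not from any poster): it models the dispatcher decision from Johnny's patch, adds the exempt-network map he asks for in point 1, and drops AUTH from the EHLO reply until TLS is up (point 3), which is what answers Phillip's objection, since a conforming client is then never invited to send credentials in the clear. The hostname, peer addresses and networks are constructed values.

```python
"""Simulated SMTP command layer for the STARTTLS-first policy (constructed example,
not Apache James code): only the policy decisions are modelled, no sockets or TLS."""
from ipaddress import ip_address, ip_network

TLS_REQUIRED = "530 5.7.0 Must issue a STARTTLS command first"


class SmtpPolicySession:
    def __init__(self, peer_ip, exempt_networks=()):
        self.peer_ip = ip_address(peer_ip)
        # hypothetical analogue of an authorizedAddresses-style map: peers allowed to skip TLS
        self.exempt = [ip_network(n) for n in exempt_networks]
        self.tls_started = False
        self.helo_mode = None  # like SMTPSession.CURRENT_HELO_MODE: None until EHLO/HELO

    def tls_required(self):
        return not self.tls_started and not any(self.peer_ip in n for n in self.exempt)

    def ehlo_features(self):
        # AUTH is advertised only once TLS is up (or the peer is exempt), so a conforming
        # client is never invited to send credentials in the clear; refusing AUTH after the
        # fact, as a fastfail hook would, comes too late.
        feats = [] if self.tls_started else ["STARTTLS"]  # RFC 3207: never after TLS
        if not self.tls_required():
            feats.append("AUTH PLAIN LOGIN")
        return feats

    def dispatch(self, line):
        cmd = line.strip().split(" ", 1)[0].upper()
        # RFC 3207 section 4: EHLO, NOOP, STARTTLS and QUIT are answered even when TLS is required
        if cmd in ("EHLO", "HELO"):
            self.helo_mode = cmd
            lines = ["mail.example.test"] + (self.ehlo_features() if cmd == "EHLO" else [])
            return "\r\n".join(("250 " if i == len(lines) - 1 else "250-") + text
                               for i, text in enumerate(lines))
        if cmd == "STARTTLS":
            if self.tls_started:
                return "503 5.5.1 TLS already active"
            self.tls_started = True  # the handshake itself is out of scope here
            self.helo_mode = None    # RFC 3207: client state is discarded, EHLO must be repeated
            return "220 2.0.0 Ready to start TLS"
        if cmd == "QUIT":
            return "221 2.0.0 Bye"
        if cmd == "NOOP":
            return "250 2.0.0 OK"
        if self.helo_mode is None:
            return "503 5.5.1 Send EHLO/HELO first"
        if self.tls_required():
            return TLS_REQUIRED  # MAIL, RCPT, AUTH and the rest are refused until STARTTLS
        return "250 2.0.0 OK"  # simulated success for any other command
```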