james-server-dev mailing list archives

From "Ralf Hauser (JIRA)" <server-...@james.apache.org>
Subject [jira] Commented: (JAMES-304) secure remote delivery opportunistically or even allow make TLS mandatory
Date Sun, 07 Aug 2005 07:27:36 GMT
    [ http://issues.apache.org/jira/browse/JAMES-304?page=comments#action_12317896 ] 

Ralf Hauser commented on JAMES-304:
-----------------------------------

Unfortunately, this is only partially addressed by JavaMail 1.3.2:

Yes, JavaMail can now do STARTTLS and this can be set by the global "mail.smtp.starttls.enable" property, but
1) I don't see how I can specify in james-config.xml that by default, James must attempt to do so. Unfortunately, this only affects the creation of a com.sun.mail.smtp.SMTPTransport, but if you need to instantiate a com.sun.mail.smtp.SMTPSSLTransport for legacy ssl-on-connect on port 465 (e.g. Lotus Notes MUA), this is also not covered by a session property or the like.
2) Also, there is little support on how to decently deal with the predominant population of self-signed server certificates (http://security.zhwin.ch/infoweek.pdf - German)
3) Also, there is no protection against an adversary downgrading the session cipher to null or export-strength, similar to JAMES-385

> secure remote delivery opportunistically or even allow make TLS mandatory
> -------------------------------------------------------------------------
>
>          Key: JAMES-304
>          URL: http://issues.apache.org/jira/browse/JAMES-304
>      Project: James
>         Type: Improvement
>   Components: Remote Delivery
>     Versions: 2.1.3
>  Environment: all - I use RH Linux 9
>     Reporter: Ralf Hauser
>      Fix For: 3.0

>
> It would be great to have james at least opportunistically attempt to secure its user's outgoing mails with STARTTLS.
> How would one do this?
> 1) first a delivery-host must be found that can do this:
>    --> see http://tlstest.sf.net
>    The ch/zhwin/tlstest/TLSTestAPI.java.canDomainTLS() can do this (in v1.2)
> 2) The real delivery still needs to be secured - unfortunately, so far, I only see a broken idea how to do this in http://www.portaljava.com/home/modules.php?name=Forums&file=viewtopic&p=20492
> anybody with better ideas (especially since there, they mess a lot with system-wide properties, so I am afraid that afterwards, the secure pop and smtp to MUA will no longer work)

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira
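
Added example, not part of the original message and not James code: a sketch of per-session SMTP properties that switch between opportunistic and mandatory STARTTLS and drop NULL, export-strength and anonymous cipher suites, without touching system-wide properties. It assumes a later JavaMail release than the 1.3.2 discussed above, one that honours "mail.smtp.starttls.required" and "mail.smtp.ssl.ciphersuites"; the class and method names are hypothetical.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;
import javax.net.ssl.SSLContext;

public class SmtpTlsProps {
    // Weak = no encryption (NULL), export-strength keys, or no server authentication (anon).
    static boolean isWeak(String suite) {
        return suite.contains("_NULL_") || suite.contains("_EXPORT_") || suite.contains("_anon_");
    }

    // Builds properties for one javax.mail.Session; System properties stay untouched,
    // so other services in the same JVM keep their own TLS settings.
    static Properties smtpProps(String[] supported, boolean tlsMandatory) {
        List<String> strong = new ArrayList<>();
        for (String s : supported) {
            if (!isWeak(s)) strong.add(s);
        }
        if (strong.isEmpty()) {
            throw new IllegalStateException("no acceptable cipher suite left");
        }
        Properties p = new Properties();
        p.setProperty("mail.smtp.starttls.enable", "true");
        // false = opportunistic (falls back to plaintext), true = delivery fails without TLS.
        p.setProperty("mail.smtp.starttls.required", Boolean.toString(tlsMandatory));
        // Whitespace-separated allow-list, so a peer cannot negotiate a suite that is not on it.
        p.setProperty("mail.smtp.ssl.ciphersuites", String.join(" ", strong));
        return p;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample list showing what gets filtered out.
        String[] constructed = {
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "SSL_RSA_WITH_NULL_MD5",
            "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
            "TLS_DH_anon_WITH_AES_128_CBC_SHA"
        };
        System.out.println(smtpProps(constructed, false).getProperty("mail.smtp.ssl.ciphersuites"));

        // The same filter applied to what the running JDK actually supports.
        String[] jdk = SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites();
        Properties mandatory = smtpProps(jdk, true);
        System.out.println(mandatory.getProperty("mail.smtp.starttls.required"));
        System.out.println(mandatory.getProperty("mail.smtp.ssl.ciphersuites"));
    }
}
```

The resulting Properties object would be passed to javax.mail.Session.getInstance(...) for the outgoing connection only.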

