james-server-dev mailing list archives

From "Ralf Hauser (JIRA)" <server-...@james.apache.org>
Subject [jira] Commented: (JAMES-304) secure remote delivery opportunistically or even allow make TLS mandatory
Date Sun, 07 Aug 2005 07:27:36 GMT
    [ http://issues.apache.org/jira/browse/JAMES-304?page=comments#action_12317896 ] 

Ralf Hauser commented on JAMES-304:

Unfortunately, this is only partially addressed by javamail 1.3.2:

Yes, javamail now can do starttls and this can be set by the global "mail.smtp.starttls.enable" property, but
1) I don't see how I can specify in james-confix.xml that by default, james must attempt to do so. Unfortunately, this only affects the creation of a com.sun.mail.smtp.SMTPTransport, but if you need to instantiate a com.sun.mail.smtp.SMTPSSLTransport for legacy ssl-on-connect on port 465 (e.g. lotus notes MUA), this is also not covered by a session property or alike.
2) also there is little support on how to decently deal with the predominant population of self-signed server certificates (http://security.zhwin.ch/infoweek.pdf - German)
3) also, there is no protection against an adversary downgrading the session-cipher to null or export-strength similar to JAMES-385

> secure remote delivery opportunistically or even allow make TLS mandatory
> -------------------------------------------------------------------------
>          Key: JAMES-304
>          URL: http://issues.apache.org/jira/browse/JAMES-304
>      Project: James
>         Type: Improvement
>   Components: Remote Delivery
>     Versions: 2.1.3
>  Environment: all - I use RH Linux 9
>     Reporter: Ralf Hauser
>      Fix For: 3.0

> It would be great to have james at least opportunistically attempt to secure its user's outgoing mails with STARTTLS.
> How would one do this?
> 1) first a delivery-host must be found that can do this:
>    --> see http://tlstest.sf.net
>    The ch/zhwin/tlstest/TLSTestAPI.java.canDomainTLS() can do this (in v1.2)
> 2) The real delivery still needs to be secured - unfortunately, so far, I only see a broken idea how to do this in http://www.portaljava.com/home/modules.php?name=Forums&file=viewtopic&p=20492
> anybody with better ideas (especially since there, they mess a lot with system-wide properties, so I am afraid that afterwards, the secure pop and smtp to MUA will no longer work)
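
Added example, not part of the original message and not James or JavaMail code: one way to express the opportunistic/mandatory STARTTLS choice and the cipher-downgrade concern as per-session properties instead of system-wide ones. It assumes a later JavaMail release than the 1.3.2 discussed above, one that honours "mail.smtp.starttls.required" and "mail.smtp.ssl.ciphersuites"; the class and method names are hypothetical and the sample suite list is constructed.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;
import javax.net.ssl.SSLContext;

// Added example; OutboundTlsPolicy, strongOnly and sessionProps are hypothetical names.
public class OutboundTlsPolicy {

    // Drop suites with no encryption, export-strength keys, or no server authentication.
    static String[] strongOnly(String[] suites) {
        List<String> kept = new ArrayList<>();
        for (String s : suites) {
            boolean weak = s.contains("_NULL_") || s.contains("_EXPORT_") || s.contains("_anon_");
            if (!weak) kept.add(s);
        }
        if (kept.isEmpty()) {
            // Fail closed: never hand the transport an empty (unrestricted) list.
            throw new IllegalStateException("no acceptable cipher suite left");
        }
        return kept.toArray(new String[0]);
    }

    // Properties meant for Session.getInstance(props), not System.setProperty,
    // so other mail listeners in the same JVM keep their own settings.
    // Assumption: the JavaMail version in use honours the last two keys.
    static Properties sessionProps(boolean mandatory, String[] suites) {
        Properties p = new Properties();
        p.setProperty("mail.smtp.starttls.enable", "true");
        // false = opportunistic (fall back to plaintext), true = refuse to send without TLS
        p.setProperty("mail.smtp.starttls.required", Boolean.toString(mandatory));
        p.setProperty("mail.smtp.ssl.ciphersuites", String.join(" ", strongOnly(suites)));
        return p;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample list showing what the filter removes.
        String[] sample = {
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "SSL_RSA_WITH_NULL_MD5",
            "SSL_RSA_EXPORT_WITH_RC4_40_MD5", "TLS_DH_anon_WITH_AES_128_CBC_SHA",
            "TLS_AES_128_GCM_SHA256"
        };
        System.out.println(String.join(" ", strongOnly(sample)));

        // Same filter applied to whatever this JVM enables by default.
        String[] jvmDefaults = SSLContext.getDefault().getDefaultSSLParameters().getCipherSuites();
        sessionProps(true, jvmDefaults).forEach((k, v) -> System.out.println(k + "=" + v));
    }
}
```

With the constructed list, only TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 and TLS_AES_128_GCM_SHA256 survive the filter.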
