james-server-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Norman Maurer ...@byteaction.de>
Subject Re: james SMTP authentication enforcement
Date Fri, 10 Mar 2006 07:10:33 GMT
It would not make any sence if the whould not accept the email..


Am Donnerstag, den 09.03.2006, 14:45 -0800 schrieb Ken Lin:
> Stefano:
>     
>     Great to hear from your experience. It sounds a lot of effort to become a committer.
>   
>     Here is the open relay testing site that I used:
>     http://www.abuse.net/relay.html
>   This appears to be pretty popular as it showed up as the top link on  google for "mail
relay test". My james server failed the test case I  mentioned earlier in email (spoofing
...@xyz.com to ...@xyz.com).
>   
>   I went ahead and  tested a few other ISP and corporation's email. It seems when SMTP
 authentication is not established, many directly reject any mail with  sender containing
the designated domain name. Here are the servers I  tested that rejected all spoof:
>     
>     Mail ISP:
>     Gmail: gsmtp183.google.com
>   Hotmail: mf4100beta1.solinus.com
>     
>     Corporation email:
>     Google.com: smtp1.google.com
>     Amazon.com: smtp-fw-0101.amazon.com
>     Microsoft.com: mailb.microsoft.com
> 
>   The test on Yahoo seems to have failed that it accepts a "fake" email  from ...@yahoo.com
to ...@yahoo.com. However, it is possible that yahoo  "drops" spoofed mails in spooling queue
(like using the configuration  similar to what you posted earlier). I need to confirm this
later. (I  can't do the spoofing testing at work at the moment because our  corporate firewall
blocks all outgoing port 25 access)
>   
>   Just to make sure that the code change won't violate the RFC, can you  let me know
the RFC number and section number that mandates any email  from @xyz.com can be sent to postmaster@xyz.com
without SMTP  authentication? I looked at the following two RFCs from the IETF site  and couldn't
find this mandate:
>   SMTP RFC (821): http://www.ietf.org/rfc/rfc0821.txt
>   SMTP authentication RFC (2554): http://www.ietf.org/rfc/rfc2554.txt
>   
>   Ken
>   
> Stefano Bagnara <apache@bago.org> wrote:  Ken Lin wrote:
> >  Maybe this method of "spoofing" users has been overlooked. Even if  James has SMTP
turned on, I can impersonate any user of the server and  send another user an email without
any authentication. In a way, it  seems to be a security hole open by default unless people
apply your  section of configuration.
> 
> You, anyway, will never stop people from using your email as sender 
> address and send messages around the world. There are solutions to stop 
> this behaviour (e.g. SPF) but not supported by all the SMTP server so I 
> don't think that we can consider this thing a "security hole" in james.
> I'm not 100% sure, but I bet that most mail servers will not block 
> messages with a "from:" containing a local domain to be relayd (even 
> with authentication on).
> 
> >  Well we check for recipient address in the first place. This checking  is not explicitly
mentioned in the RFC either, but is just implicitly  allowed. By the same token, checking
the sender address should be  allowed too.
> 
> You'd be not RFC compliant because you MUST accept a mail "from: 
> xxx@xyz.com" "to: postmaster@xyz.com" even without authentication.
> 
> I think that this is not specified in the RFC and is not even common 
> practice for SMTP servers and we should not make it the default.
> Btw, if you want to write a patch to provide an option to enable this 
> behaviour I'll try to review it.
> 
> >  What do you think? Actually, are you a software developer on the James team? How
do I become one?
> 
> I'm a James committer. I've been "proposed" by other James committers 
> one year ago after many months of support here in the list and after 
> having submitted many patches to the issue tracker.
> 
> Stefano
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
> For additional commands, e-mail: server-dev-help@james.apache.org
> 
> 
> 
> 		
> ---------------------------------
> Yahoo! Mail
> Bring photos to life! New PhotoMail  makes sharing a breeze. 

Mime
View raw message