james-server-dev mailing list archives

From Ken Lin <kennethlin2...@yahoo.com>
Subject Re: james SMTP authentication enforcement
Date Thu, 09 Mar 2006 09:02:25 GMT
Stefano:
 
 Thanks! I tested the configuration and found that it works.
 
 Maybe this method of "spoofing" users has been overlooked. Even if James has SMTP turned
on, I can impersonate any user of the server and send another user an email without any authentication.
In a way, it seems to be a security hole open by default unless people apply your section
of configuration.
 
 This seems to be fairly easy to fix in source code. In SMTPHandler.java, the condition for
bouncing back error 530 during an SMTP session goes like this:
             if (authRequired) {
                 if (getUser() == null) {
                     String toDomain = recipientAddress.getHost();
                     if (!theConfigData.getMailServer().isLocalServer(toDomain)) {
                         responseString = "530 Authentication Required";
                         writeLoggedFlushedResponse(responseString);
                         ... 
 Now to close the hole, we need to add one more condition to give out error 530. We just need
to change the following line
   if (!theConfigData.getMailServer().isLocalServer(toDomain))
 to something like this:
   if (  ( !theConfigData.getMailServer().isLocalServer(toDomain)  )
      || theConfigData.getMailServer().isLocalServer(senderAddress.getHost()) )
 
 As you pointed out, SMTP authentication is not associated with the sender address in the
SMTP RFC, so I did suspect that this additional condition *might* violate the RFC. However,
I double-checked with RFC 2554. It seems such checking is actually allowed. The wording for
error 530 is actually fairly weak:
 
    530 Authentication required
 
    This response may be returned by any command other than AUTH, EHLO,
    HELO, NOOP, RSET, or QUIT.  It indicates that server policy requires
    authentication in order to perform the requested action.
 
 Well, we check the recipient address in the first place. That check is not explicitly mentioned
in the RFC either, but is just implicitly allowed. By the same token, checking the sender
address should be allowed too.
 
 What do you think? Actually, are you a software developer on the James team? How do I become
one?
 
 Ken
 
Stefano Bagnara <apache@bago.org> wrote: Ken Lin wrote:
> Stefano:
>   
> Here is the actual scenario I try to prevent: Let's say I use the James email server at corporation
> xyz.com. A hacker/email worm program telnets to the SMTP port (inside or outside the corporate
> firewall), uses one of the employees' email addresses as the "from" address (say admin@xyz.com),
> and sends another employee an email. You can see how this is clearly dangerous because a hacker/email
> worm can impersonate anybody in the corporation.
>   
> As my server is configured now, it will allow this attack because (a) IP-based authentication
> is not reliable at all because the attacker or worm could be inside or outside the corporate firewall
>   (b) SMTP authentication is not required because the RCPT TO address contains "@xyz.com"
>   
>   I would like to disable all relaying if both conditions are true:
>   * The "from" address contains @xyz.com
>   * The sender is not authenticated.
>   
>   How can I achieve this goal?


currently mail will be sent to the "transport" processor when ready to 
be sent.
You should create a new "sendercheck" processor in the process.

transport

error
  (you can change the ToProcessor to
something else, or change the processor to your needs).

transport

Then you change the current calls to processor "transport" to calls to 
the "sendercheck" processor.

Stefano


---------------------------------------------------------------------
To unsubscribe, e-mail: server-user-unsubscribe@james.apache.org
For additional commands, e-mail: server-user-help@james.apache.org
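The check argued over in this thread, as an added example that is not code from the James project or from either poster: a small model of the RCPT TO decision with the original rule beside the hardened one, driven by constructed SMTP command lines. The domain xyz.com, the addresses, the AUTH credential and the tiny command dispatcher are assumptions made for the example; is_local_server() stands in for MailServer.isLocalServer(). It also covers one case the proposed one-liner does not: the null sender `<>` (a bounce from outside), which the hardened rule must treat as "not local" rather than dereference.

```python
# Added example (not James code): the RCPT TO authentication check, weak vs. hardened.
from dataclasses import dataclass
from typing import Callable, List, Optional

LOCAL_DOMAINS = {"xyz.com"}  # constructed: the corporate domain used in the thread


def is_local_server(domain: str) -> bool:
    """Stand-in for MailServer.isLocalServer()."""
    return domain.lower() in LOCAL_DOMAINS


def host_of(address: str) -> str:
    """Domain part of an envelope address such as admin@xyz.com."""
    return address.rsplit("@", 1)[-1]


@dataclass
class Session:
    auth_required: bool = True      # server policy: AUTH is switched on
    user: Optional[str] = None      # set by a successful AUTH, like getUser()
    sender: Optional[str] = None    # envelope MAIL FROM; None for the null sender <>


Policy = Callable[[Session, str], str]


def rcpt_weak(sess: Session, recipient: str) -> str:
    """Original condition: 530 only when the recipient domain is not local."""
    if sess.auth_required and sess.user is None:
        if not is_local_server(host_of(recipient)):
            return "530 Authentication Required"
    return "250 OK"


def rcpt_hardened(sess: Session, recipient: str) -> str:
    """Proposed condition: also 530 when an unauthenticated session claims a
    local envelope sender. The null sender <> counts as not local, so bounces
    from outside are still accepted and nothing is dereferenced."""
    if sess.auth_required and sess.user is None:
        claims_local_sender = sess.sender is not None and is_local_server(host_of(sess.sender))
        if not is_local_server(host_of(recipient)) or claims_local_sender:
            return "530 Authentication Required"
    return "250 OK"


def handle(sess: Session, line: str, policy: Policy) -> str:
    """Minimal dispatcher for the verbs the scenario needs (a constructed model,
    not James' command parser). AUTH is assumed to succeed."""
    upper = line.upper()
    if upper.startswith("MAIL FROM:"):
        path = line[len("MAIL FROM:"):].strip().strip("<>")
        sess.sender = path or None          # "" means the null reverse path <>
        return "250 OK"
    if upper.startswith("RCPT TO:"):
        return policy(sess, line[len("RCPT TO:"):].strip().strip("<>"))
    if upper.startswith("AUTH "):
        sess.user = "authenticated-user"    # credential check assumed to pass
        return "235 Authentication successful"
    return "250 OK"  # EHLO and anything else the model does not care about


def run(policy: Policy, lines: List[str]) -> List[str]:
    """Feed one client's command lines through a fresh session; return the replies."""
    sess = Session()
    return [handle(sess, line, policy) for line in lines]


# Constructed client transcripts (client half only). The AUTH PLAIN blob is
# base64("\0admin\0secret"), a made-up credential for the example.
SPOOF = ["EHLO worm", "MAIL FROM:<admin@xyz.com>", "RCPT TO:<employee@xyz.com>"]
RELAY = ["EHLO worm", "MAIL FROM:<admin@xyz.com>", "RCPT TO:<victim@example.org>"]
INBOUND = ["EHLO mx.example.org", "MAIL FROM:<partner@example.org>", "RCPT TO:<employee@xyz.com>"]
BOUNCE = ["EHLO mx.example.org", "MAIL FROM:<>", "RCPT TO:<employee@xyz.com>"]
AUTHED = ["EHLO laptop", "AUTH PLAIN AGFkbWluAHNlY3JldA==",
          "MAIL FROM:<admin@xyz.com>", "RCPT TO:<victim@example.org>"]

if __name__ == "__main__":
    for name, script in [("spoof", SPOOF), ("relay", RELAY), ("inbound", INBOUND),
                         ("bounce", BOUNCE), ("authed", AUTHED)]:
        print(f"{name:8} weak={run(rcpt_weak, script)[-1]!r:30} "
              f"hardened={run(rcpt_hardened, script)[-1]!r}")
```

Two things worth keeping in mind when applying this: the check is on the envelope MAIL FROM, so an unauthenticated outside sender can still forge the From: header of a message delivered to a local mailbox, and once the rule is in place every internal client that sends with a local sender address has to AUTH. Stefano's processor-based variant evaluates the same predicate after the message has been accepted, so it cannot answer 530 on the wire; it can only hand the message to another processor such as the error processor.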