james-server-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Vincenzo Gianferrari Pini <vincenzo.gianferrarip...@praxis.it>
Subject Re: POP3 and other handlers ...
Date Mon, 24 Jul 2006 08:21:50 GMT
After reading this thread, IMHO (not IMO) Juergen, Norman and Stefano 
are right.

I would simply put a *strong* comment in config.xml stating that SMTP 
AUTH is much safer and the way to go, but give the feature possibly with 
the ip vs{ ip,id}options choice.

BTW, I would put SMTP AUTH "anounce" as the default in config.xml, with 
proper comments.

Vincenzo

Stefano Bagnara wrote:

> Noel J. Bergman wrote:
>
>> Something more important: I am -1 on the current code.  The technical
>> justification for vetoing this change is that we are tracking only 
>> the IP
>> address.  One person on a non-routable subnet authenticates via POP3 or
>> IMAP, and everyone else going through the same gateway router gets to 
>> use
>> the now Open Relay?  Better would to be to maintain {ID, IP}-tuples.
>> Although that would be more difficult, or perhaps less useful, in 
>> virtual
>> user table situations, since the POP3 USER and the SMTP MAIL FROM 
>> would be
>> different, it would be better than creating Open Relays; especially Open
>> Relays in a way that most admins would find every difficult to track 
>> down,
>> and which most Open Relay probes would not detect.
>> [...]
>> Remember that you need not revert the commits at this time, but 
>> unless we
>> find a resolution to the vulnerability or someone shows me the error 
>> of my
>> assertion, we are not releasing this code.
>
>
> I don't agree.
>
> Using our config.xml administrators can even break rfc compliance, 
> they can remove whole commands, and can add vulnerability.
>
> It is really simply to create an open relay with a single line change.
> We should simply add the feature and a good comment on what it really 
> does.
>
> What I would expect from my previous knowledge from a pop-before-smtp 
> is that it only checks IPs.
>
> Maybe we can add a configuration to the handler to decide wether to 
> check {ip,id} tuples or ip only, but I think that IP only will be the 
> one used.
>
> Stefano
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
> For additional commands, e-mail: server-dev-help@james.apache.org
>
>


---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
For additional commands, e-mail: server-dev-help@james.apache.org


Mime
View raw message