james-server-dev mailing list archives

From Bernd Fondermann <bernd.fonderm...@googlemail.com>
Subject Re: About default security and windows (JMX)
Date Wed, 03 Nov 2010 08:33:48 GMT
On Tue, Nov 2, 2010 at 21:51, Eric Charles <eric@apache.org> wrote:
> Hi,
> I don't know if java or windows is to blame for the jmx.password stuff, but
> if we leave it as now, users will blame james...
> I'm with Stefano on the need to have a working james without changing
> anything.
> The idea was to replace the remotemanager with a command line tool ('james
> adduser...',...) that would access jmx.
> If we disable jmx, the cli commands will not work.
> I googled a bit to find a workaround, but they all say to change file
> permission.
> I also looked at SSL security
> (http://download.oracle.com/javase/1.5.0/docs/guide/management/agent.html#SSL_enabled),
> but I don't get it completely, especially the SSL authentication.
> I see for now 3 options:
> 1.- Disable jmx -> Oblige user to change spring-beans.xml to enable it, no
> cli management.
> 2.- Enable jmx wide-open (no username/pwd) -> not really secure for a
> professional solution
> 3.- Enable jmx with username/pwd -> we know the consequences.
> Option 2 may be the least bad (more user friendly) and we could stress in the
> docs to enable username/pwd.

The problem with JMX is that it's of no use when you lock your
headless DC JAMES server down and SSH into the machine.
While I was strongly pro-JMX some years ago, I now think a proper
command line (see Hadoop, Geronimo) is great, a web-based admin tool is
great, too.
JMX is nice to have and I would never open JMX for remote access on my servers.

That said, I'm +1 for binding JMX to localhost only.


To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
For additional commands, e-mail: server-dev-help@james.apache.org
