james-server-dev mailing list archives

From "Serge Knystautas" <ser...@lokitech.com>
Subject Re: javax.mail.Session access protection (part IV),
Date Mon, 11 Mar 2002 18:03:29 GMT
Look, you are making a series of incredibly wrong assumptions that
demonstrate no understanding of SMTP or the JavaMail API.  Danny tried to
point out how this is wrong, but you seem to have ignored him.

Question: Why you can get the JAMES default javax.mail.Session without a
valid authentication? See JavaMail specification.

Answer:  There is nothing related to JAMES in your code.  You are sending a
message using SMTP, which requires no authentication.  You are not accessing
or using anything that's contained within JAMES.

Question: Why is the JAMES default javax.mail.Session not protected with
an authentication?


Answer:  There is nothing related to JAMES in your code.  You have not
gained access to an object within James.  You have no special
authentication, and do not require any authentication to instantiate an
object.  You are not accessing or using anything that's contained within
JAMES.

Question: Is this a JAMES Bug, Feature or?

Answer:  There is nothing related to JAMES in your code.  You are not
accessing or using anything that's contained within JAMES.

If you don't believe me, run your tests using Exchange, sendmail, and any
other mail server you want, and you will see the identical behavior.

Serge Knystautas
Loki Technologies - Unstoppable Websites
http://www.lokitech.com/
----- Original Message -----
From: "Michael Kaegi" <kam@brainware.ch>
To: <james-dev@jakarta.apache.org>
Sent: Monday, March 11, 2002 11:08 AM
Subject: RE: javax.mail.Session access protection (part IV),


... from scratch.


Test case:

Is the JAMES default javax.mail.Session secure? I think not!


Test environment:

OS: MS Windows 2000
JDK: 1.3
JAMES: James 2.0a2


Test description:

- Install and configure JAMES (only DNS must be set).
- Run JAMES.
- View JAMESMailSessionHackTest source code. No SMTP host, user or
password will be set to connect to the SMTP server (in our case JAMES).
Because no SMTP host is set the default will be used and this is
'localhost'.
- Run JAMESMailSessionHackTest; as the first argument you must specify a
recipient email address.
- Check if the recipient has received an email from 'jmsht@brainware.ch'
with the subject: 'JAMESMailSessionHackTest....!!!!!!!!!!!!!!!!!!!'. In my
case it is like that.


JAMESMailSessionHackTest source code:

import java.util.*;

import javax.mail.*;
import javax.mail.internet.*;

/**
 * This class gets the default mail session from JAMES
 * and sends an email to specified recipient.
 *
 * @author  Michael Kaegi (kam@brainware.ch)
 * @version 1.0
 */
public class JAMESMailSessionHackTest {

    private Session session;

    public static void main(String[] args) {

        JAMESMailSessionHackTest jt = new JAMESMailSessionHackTest();
        jt.getMailSession();
        jt.sendMail(args[0]);
    }

    private void getMailSession() {

        Properties props = new Properties();
        session = Session.getDefaultInstance(props, null);
    }

    private void sendMail(String recipient) {

        try {

            System.out.println("Session mail.smtp.host: "
                    + session.getProperty("mail.smtp.host"));
            System.out.println("Session mail.user: "
                    + session.getProperty("mail.user"));

            MimeMessage mm = new MimeMessage(session);
            mm.setFrom(new InternetAddress("jmsht@brainware.ch"));
            mm.addRecipient(Message.RecipientType.TO,
                    new InternetAddress(recipient));
            mm.setSubject("JAMESMailSessionHackTest....!!!!!!!!!!!!!!!!!!!");
            mm.setText("Suprise.");
            Transport.send(mm);

        } catch(Exception e) {

            System.out.println("Exception: ");
            System.out.println(e);
            e.printStackTrace();
        }
    }
}





Thanx ?

Bye
Michi
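
Added illustration, not part of either message and not JAMES or JavaMail code: the same unauthenticated submission is sent to a constructed stub SMTP listener on localhost, once with a policy that accepts mail without AUTH and once with a policy that demands it. The names `StubSMTP` and `submit_without_auth`, the `stub.example` host name and the addresses are assumptions made for the example; it shows that acceptance is decided by the server's SMTP policy, not by any client-side session object.

```python
import smtplib
import socketserver
import threading

class StubSMTP(socketserver.StreamRequestHandler):
    """Constructed stand-in for a mail server; speaks only enough SMTP for one message."""
    def reply(self, text):
        self.wfile.write((text + "\r\n").encode("ascii"))

    def handle(self):
        self.reply("220 stub.example ESMTP")
        in_data = False
        for raw in self.rfile:
            line = raw.decode("ascii", "replace").rstrip("\r\n")
            verb = line[:4].upper()
            if in_data:
                if line == ".":  # lone dot terminates the message body
                    in_data = False
                    self.server.accepted += 1
                    self.reply("250 queued")
            elif verb in ("EHLO", "HELO"):
                self.reply("250 stub.example")
            elif verb in ("MAIL", "RCPT"):
                # The only policy decision: is an unauthenticated sender allowed?
                ok = not self.server.require_auth
                self.reply("250 ok" if ok else "530 5.7.0 Authentication required")
            elif verb == "DATA":
                in_data = True
                self.reply("354 end with <CRLF>.<CRLF>")
            elif verb == "QUIT":
                self.reply("221 bye")
                return
            else:
                self.reply("502 not implemented")

def submit_without_auth(require_auth):
    """Send one message with no AUTH to the stub; return (outcome, messages queued)."""
    server = socketserver.TCPServer(("127.0.0.1", 0), StubSMTP)  # ephemeral port
    server.require_auth, server.accepted = require_auth, 0
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        with smtplib.SMTP("127.0.0.1", server.server_address[1],
                          local_hostname="client.example", timeout=5) as client:
            client.sendmail("sender@example.org", ["rcpt@example.org"],
                            "Subject: test\r\n\r\nbody\r\n")
        return "accepted", server.accepted
    except smtplib.SMTPSenderRefused as exc:
        return "refused %d" % exc.smtp_code, server.accepted
    finally:
        server.shutdown()
        server.server_close()
```
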



