james-server-dev mailing list archives

From "Danny Angus" <da...@thought.co.uk>
Subject RE: javax.mail.Session access protection (part IV),
Date Tue, 12 Mar 2002 23:14:04 GMT

> First, thanks for your patience with me.

You're welcome!

> Yes I'm wrong with my assumption that you can hack (send email through)
> the JAMES default javax.mail.Session.


> Now I understand the problem. The SMTP specification specifies no
> authentication (user, password) mechanism. Therefore my application can
> send emails, without a valid authentication, over an SMTP server.
> A security hole? Therefore?

It is one reason that spam can be difficult to stop, but it doesn't
compromise anyone's data.

> An SMTP server can be configured to allow\ignore SMTP "request" from
> machines. The default configuration of JAMES is to allow only SMTP
> "request" from the local machine.

Yes, correct.

> To make SMTP secure (for "remote request" and "local request") the SMTP
> AUTH specification was written.


> Now I'm on the right way?

Yes, but if you look in James' config.xml you will see this:

	<mailet match="RemoteAddrNotInNetwork=" class="ToProcessor">
	    <processor> spam </processor>
	</mailet>

You can add IP addresses to this to allow other machines to send mail out
from James.
EG: match="RemoteAddrNotInNetwork=, 192.168.0.*"
Similarly using SMTP AUTH James will only deliver mail to remote hosts when
you are Authorised.

James will accept SMTP connections from any host, so that mail can be
received from remote locations and delivered to accounts on your local


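The relay decision described in the message above, written out as an added example. This is a simplified model and not James' own matcher code or part of the original message: the class RelayPolicy, its methods, the Route names and the sample addresses are all assumptions made for illustration.

```java
import java.util.List;

// Simplified model of the relay rules in the message; not James' own code.
public class RelayPolicy {
    enum Route { LOCAL_DELIVERY, REMOTE_DELIVERY, SPAM_PROCESSOR }

    // Hypothetical helper: true if ip matches a dotted pattern such as "192.168.0.*".
    // Octets are compared one by one, so "192.168.0.1" never matches "192.168.0.10",
    // which a plain string-prefix comparison would get wrong.
    // Anything that is not four dotted parts fails closed (no match).
    static boolean inNetwork(String ip, String pattern) {
        String[] a = ip.trim().split("\\.");
        String[] p = pattern.trim().split("\\.");
        if (a.length != 4 || p.length != 4) return false;
        for (int i = 0; i < 4; i++) {
            if (!p[i].equals("*") && !p[i].equals(a[i])) return false;
        }
        return true;
    }

    static Route route(String remoteIp, boolean recipientIsLocal,
                       boolean smtpAuthenticated, List<String> allowedNetworks) {
        // Mail for local accounts is accepted from any host.
        if (recipientIsLocal) return Route.LOCAL_DELIVERY;
        // Mail for remote hosts is delivered for SMTP AUTH users...
        if (smtpAuthenticated) return Route.REMOTE_DELIVERY;
        // ...or for clients whose address is in one of the listed networks.
        for (String net : allowedNetworks) {
            if (inNetwork(remoteIp, net)) return Route.REMOTE_DELIVERY;
        }
        // The RemoteAddrNotInNetwork case: hand the mail to the "spam" processor.
        return Route.SPAM_PROCESSOR;
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from a real configuration.
        List<String> allowed = List.of("127.0.0.1", "192.168.0.*");
        System.out.println(route("192.168.0.23", false, false, allowed)); // listed LAN client
        System.out.println(route("203.0.113.9", false, false, allowed));  // unlisted, no AUTH
        System.out.println(route("203.0.113.9", true, false, allowed));   // inbound to local account
        System.out.println(route("203.0.113.9", false, true, allowed));   // unlisted, with AUTH
        System.out.println(route("192.168.0.1", false, false, List.of("192.168.0.10")));
    }
}
```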