james-server-dev mailing list archives

From "Michael Kaegi" <...@brainware.ch>
Subject Re: javax.mail.Session access protection (part IV),
Date Tue, 12 Mar 2002 14:05:27 GMT
Hi Serge and Danny

First, thanks for your patience with me. 
Yes, I'm wrong in my assumption that you can hack (send email through) 
the JAMES default javax.mail.Session. 

Now I understand the problem. The SMTP specification specifies no 
authentication (user, password) mechanism. Therefore my application can 
send emails, without valid authentication, over an SMTP server. 

A security hole? Therefore?

An SMTP server can be configured to allow/ignore SMTP "requests" from 
machines. The default configuration of JAMES is to allow only SMTP 
"requests" from the local machine. 

To make SMTP secure (for "remote request" and "local request") the SMTP 
AUTH specification was written. 

Am I on the right track now? 

Thanks a lot

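The relay rule this message arrives at (accept unauthenticated mail only from the local machine, require SMTP AUTH from everyone else), as an added Python example that is not part of the original message and not JAMES code. The function names, the `example.org` local domain and the network list are assumptions chosen for illustration.

```python
import ipaddress

# Constructed policy values for illustration; not JAMES configuration.
AUTHORIZED_NETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
                       ipaddress.ip_network("::1/128")]
LOCAL_DOMAINS = {"example.org"}


def _normalize(addr):
    """Parse a peer address, unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def relay_decision(peer_addr, rcpt_to, authenticated=False):
    """Return (accept, reason) for one RCPT TO on a given connection."""
    domain = rcpt_to.rsplit("@", 1)[-1].lower().rstrip(".")
    if domain in LOCAL_DOMAINS:
        return True, "local delivery"  # final destination is here: not a relay
    try:
        ip = _normalize(peer_addr)
    except ValueError:
        return False, "unparseable peer address"  # fail closed
    if any(ip.version == net.version and ip in net
           for net in AUTHORIZED_NETWORKS):
        return True, "peer in authorized network"
    if authenticated:
        return True, "SMTP AUTH succeeded"
    return False, "relaying denied"


if __name__ == "__main__":
    # Constructed connections: (peer address, recipient, AUTH completed?)
    samples = [("127.0.0.1", "bob@elsewhere.test", False),
               ("::ffff:127.0.0.1", "bob@elsewhere.test", False),
               ("203.0.113.9", "bob@elsewhere.test", False),
               ("203.0.113.9", "bob@elsewhere.test", True),
               ("203.0.113.9", "alice@example.org", False)]
    for peer, rcpt, auth in samples:
        print(peer, rcpt, auth, "->", relay_decision(peer, rcpt, auth))
```
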