pablomelo / subethasmtp

Automatically exported from code.google.com/p/subethasmtp
Other
0 stars 0 forks source link

if authenticationHandlerFactory is configured, MAIL should not be allowed before AUTH #50

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
RT.

I hava implements a wrapper to fix it. I think this is a big problem.

Original issue reported on code.google.com by XmuF...@gmail.com on 6 Dec 2011 at 9:26

GoogleCodeExporter commented 9 years ago
I cannot reproduce this. 

If you set an authentication factory then the client is allowed to authenticate 
using the AUTH command, but SubEthaSMTP does not enforce it in any way. 

If you still think that setting the authentication factory has any effect on 
the MAIL command then please supplement this issue with at least the SMTP reply 
you received, or preferably a unit test.

Original comment by hontvari@flyordie.com on 7 Dec 2011 at 12:03

GoogleCodeExporter commented 9 years ago
sorry, I'm not skilled at E language.Maybe i did not deliver my opinion very 
much.

I mean  if a authFactory is configed, main cmd should not be available before 
auth cmd is executed.

telnet localhost 2566
> EHLO Five
220
> Mail From:<five@xmu.edu.cn>
503 

session upon is the scene I expect. 

Original comment by XmuF...@gmail.com on 7 Dec 2011 at 2:12

GoogleCodeExporter commented 9 years ago

Original comment by hontvari@flyordie.com on 7 Dec 2011 at 3:21

GoogleCodeExporter commented 9 years ago
The current behavior is somewhat unintuitive: setting an 
authenticationHandlerFactory does not cause the enforcement of authentication. 

On the other hand enforcing authentication indiscriminately is definitely 
wrong. For example it is a frequent requirement that senders from specific IP 
addresses must be considered as authenticated, or that anybody should be 
allowed to send mail to the local postmaster, or even more, to any local 
addresses, and only remote domains should require authentication (this is the 
way old SMTP servers work).

Indiscriminate enforcement can be an option. Maybe it is useful for simple 
cases, although I cannot imagine one. XmuFive, could you describe your use 
case? It may even be the default, if authenticationHandlerFactory is 
configured. That said, it would be an incompatible change.

Original comment by hontvari@flyordie.com on 7 Dec 2011 at 3:52

GoogleCodeExporter commented 9 years ago
I understand u, it seems that i have mess up my bussiness with a normal smtp 
server.

There are two different kind of smtp server. One is only for receiving mails 
which is just like subetha.3.1.7-SNAPSHOT. The other is something like 
smtp.qq.com which delivers mail to other smtp server for authenticated user.  

Obviously, I need the second kind. 

So, at last I add an attribute named requiredAuth for SMTPServer to custom 
subEtha.

where can i fix this issue? & very Thank u for your comment~ 

Original comment by XmuF...@gmail.com on 7 Dec 2011 at 5:58

GoogleCodeExporter commented 9 years ago
You do not need a custom SubEthaSMTP version. Just write something like 

  if (messageContext.getAuthenticationHandler() == null)
    throw new RejectException(530, "Authentication required");

in your MessageHandler.from() method, where messageContext is the object you 
received in you MessageHandlerFactory implementation.

Original comment by hontvari@flyordie.com on 7 Dec 2011 at 6:55

GoogleCodeExporter commented 9 years ago
e, it looks wiered.

I will still add an attribute named requiredAuth for SMTPServer  and implement 
this function at MailCommand.
it may looks like:
if (!sess.isAuthenticated() && sess.getSMTPServer().isRequiredAuth()) {
      sess.sendResponse("530 need EHLO and AUTH first !");
 }  

but if I do it this way, I can't easy update my subEtha when you deploy your 
new version. I think you gays can implement it this way too.  requiredAuth is 
an useful function to some gay like me.

Original comment by XmuF...@gmail.com on 7 Dec 2011 at 8:33

GoogleCodeExporter commented 9 years ago
I'm not sure if MailCommand is the right place to check it. I'm facing the same 
need to enforce auth and it seems quite natural to implement a command wrapper 
like RequireTLSCommandWrapper. With this wrapper we can easily satisfy RFC 4954:

"530 5.7.0  Authentication required

   This response SHOULD be returned by any command other than AUTH,
   EHLO, HELO, NOOP, RSET, or QUIT when server policy requires
   authentication in order to perform the requested action and
   authentication is not currently in force."

At the moment we can't configure if authentication should be ensorced (i.e. set 
server policy). Wrapper command + configuration option (like aforementioned 
requiredAuth) for the SMTPServer will do the trick. It could also be set as 
disabled by default for compatibily sake.
If this option is acceptable I can provide you with a patch, as I implemented 
it already for my project already.

Original comment by eugen...@gmail.com on 6 Jan 2013 at 8:43

GoogleCodeExporter commented 9 years ago
Yes, command wrapper and a configuration option which installs the wrapper 
seems to be the best solution, please send a patch.

Original comment by hontvari@flyordie.com on 7 Jan 2013 at 5:54

GoogleCodeExporter commented 9 years ago
Here it is

Original comment by eugen...@gmail.com on 7 Jan 2013 at 9:45

Attachments:

GoogleCodeExporter commented 9 years ago
Thanks for the patch, I applied it.

Original comment by hontvari@flyordie.com on 12 Mar 2013 at 12:25