i wound up actually adding the code to SMTPProtocolInstance.handleAuth, to take into account the case where an unauthenticated user can send email anywhere as long as his end of the socket is a local address --- and added a new state variable to SMTPProtocolInstance to support that. also added code to allow unauthenticated mail to any domain in known domain group, which i think should also handle the case of the server acting as a legitimate relay or secondary server (i.e., when there are multiple dns MX records). unfortunately, i still can't get the junit tests to run to check all this, but at least they still compile, and my manual tests seem to validate at least the aspects of behaviour i'm aware of.

if someone wants to run some security tests on this and report back on how i actually screwed things up, i'll be glad to go in and fix my mistakes!

mike

maybe i screwed things up --- sorry --- but hopefully we'll have a whole suite of unit tests to screen this sort of security behaviour if we don't already have them.

but i definitely noticed two aspects of behaviour that didn't make sense to me in code from before this last weekend, when i did a few things including modify this security behaviour a bit:

1. if i connect to the server from a remote machine, do a 'helo xoba.com', then 'mail from:<acoliver@badmojo>', then a 'rcpt to:<test@yahoo.com>'. it actually goes ahead and tries to send the mail to yahoo --- i think this is open-relay behaviour (since i connected from a remote host), even though one needs to forge a known domain using '....@badmojo'. changing the mail-from to 'mail from:<acoliver@abcd>' confirms that it denies relaying to unknown senders' domains. i added some checks in the code to prevent the relaying, by keeping track of the client's inetaddress.

2. the mail server disallows sending mail from locally connected clients (i.e., executing on same machine) except when its sender-address is from a known domain --- i changed this to be totally free (like sendmail), since the owner ostensibly owns the machine and why say 'no' to him ---
although we may want to change this back to beef up security anyway. just let me know what your thoughts are on this.

again, hope i didn't screw things up trying to modify this behaviour!

best,
mike

'auth-required' was set to 'true' which definitely explains my point #2 (on 2004-03-10) --- so it seems like i reinvented the wheel and degraded the code/architecture at the same time! sorry --- i'll revert stuff back to the way it was and now i know to look in jboss-service.xml more deeply next time i consider changing something like this. indeed, i agree that configuring this kind of behaviour in the mbean xml is the right way to go, rather than hard-coding it in the java source code.

but point #1 still seems to stand as a potential security issue --- where the server relayed the mail when the sender's address had a known domain name.

but i'll go back with a fine-toothed comb over the changes i made and make sure things are ok in light of the jboss-service.xml configuration elements.

mike

i believe those issues are settled, although i hope i didn't introduce other ones in the process (again); security is real tricky. we probably need a bit of a code overhaul at some point in this area, and a clear set of security policies maybe in an xml doc (expanding on what we already have in our xml mbean config).

probably the best way to make sure things are ok is through a junit test, so i'm adding that to my list of things to do. if our security polices can be expressed in xml, we can also automatically test them based on that configuration too.