18 Replies Latest reply on Aug 21, 2005 9:58 AM by acoliver

    Mail Relay.

      Hi,

      I am currently looking at JBMAIL-33, 34, 35 which is to do with mail relaying. I'm not an expert on relaying but here is my understanding:

      - A relay request is any email from an SMTP client that requires delivery to a non-local domain. This is partially supported by JBMail (depending on the settings specified).

      - This also may include requests that contain source routing information. Source routing information (according to the RFC) should be stripped off and ignored. Not supported, needs to be implemented.

      - Should be configurable to enable/disable relaying for: Authenticated Users, Verified Identities, clients from within a set of domains, clients from within a set of ip ranges.

      - Any RCPT command that requests disallowed relaying will be met with a 550 error. It will be configurable as to whether the email is sent to the remaining recipients or denied completely.

      Does this sound sane?

      Mike.

        • 1. Re: Mail Relay.
          acoliver

          Your understanding is correct basically. To be clear. There will need to be "RelayDomainGroup"s. I know nothing of source routing information, I'm sure you'll do the right thing :-)

          We should not route except for within RelayDomainGroups as that would be an "open relay" and that would be Relay relay bad. :-)

          Thanks for taking this on.

          • 2. Re: Mail Relay.

            I've committed relaying by domain. I have also added configuration for it to the installer. There are a couple of points with this change which I would like to hear thoughts on.

            - It is now impossible to set up an open anonymous relay. Is this a problem? If working as an open relay is a requirement then I think we should have a separate explicit configuration option for it.

            - Performance, checking the domain of the incoming user can be a slow operation (due to a reverse domain lookup). Should we add a warning about this in the installer text?

            Mike.

            • 3. Re: Mail Relay.
              acoliver

              BTW the relaying stuff isn't in the RC1. I figure we'll see how the RC goes and do some testing on relaying before deciding.

              We already have explicit configuration for anonymous more or less (AuthenticationRequired). However, I get what you mean. Let's go with "no you can't" for now and see what kind of feedback we get. My take is to be a bit more of a hitler on security than most mail servers. "Make security easy"

              So you ALWAYS check the incoming user domain? The intent of the feature was to only check the domain of the target. Meaning that if Anonymous User/SMTP = A, Routing Mail Server = B, Other Mail Server = C and if A has no account on B but is sending to mail server C then if B is configured with a routing domain group for only domains served by C it will route mails on behalf of anonymous users only to server C. This involves no checking of the sending user's domain. Now it might be an interesting twist to check that, but wouldn't that be more of an edge case? I probably wouldn't allow that config through the installer (only people smart enough to do the admin should be given said 6 ft rope).

              I'll check out what you added to the installer before registering an opinion but I'm kind of worried that routing may not be something simple enough to represent at installation time. Intuitively, it makes sense to me to reserve this for an administration piece (presently XML config hell, later GUI). For the installer I want to mostly stick to basics so that you can get up and running with normal stuff quickly. I'm even vacillating on whether or not to stick tools for JAAS login module configuration (BTW JAAS works great) to the installer, presently I say no (but yes for administrative piece).

              Next week I'm going to touch base with Mr. Administration (Charles Crouch) and see whether we can leverage that code (for JBAS) and report back.

              -Andy

              • 4. Re: Mail Relay.
                acoliver

                WHOA...dude.. I just took a look at the code.. To put it delicately, there was a miscommunication here. DomainGroups were supposed to be on the TO address to limit anonymous relay TO a server not *FROM* a user. I'm sure this has uses inside of organizations but I'd say it's an edge case.

                So we should probably take it out of the GUI install since I think it will confuse 90% of folks and be useful to maybe 10%. I'll add a new feature request for M4 to limit the other side. What do you think?



                • 5. Re: Mail Relay.

                  Ooooooooooops!!!

                  I will remove the config from the installer. Do you know if there is a way to silently set a variable for Velocity in the panel configuration? The MBean will require a valid value; having it unset will cause the deployer to throw an error.

                  • 6. Re: Mail Relay.

                    It was very simple to change it to be the way you intended. I have left the installer stuff in place (changed the text to be more appropriate). Have a go with it and see what you think. We can always pull it out later.

                    Mike.

                    • 7. Re: Mail Relay.
                      acoliver

                      Okay cool. I'll give it a test drive. Just hardcode it in the template if the config isn't setting it. Or you can set the var IN the template.

                      • 8. Re: Mail Relay.
                        acoliver

                        This isn't working in present CVS:

                        "
                        Andrew-Olivers-Computer:~ acoliver$ telnet localhost 25
                        Trying ::1...
                        Connected to localhost.
                        Escape character is '^]'.
                        220 localhost.localdomain SMTP Server (JBMAIL SMTP Server version 0.1) ready August 19, 2005 8:42:43 AM EDT
                        MAIL FROM:<noone@nowhere.com>
                        250 Sender <noone@nowhere.com> OK
                        RCPT TO:<acoliver@jboss.org>
                        550 Not Authorized
                        "

                        <!--
                        Relay domain group.
                        -->


                        <domains includes-local-interfaces='false'>
                        jboss.org



                        <depends optional-attribute-name="DomainGroup" proxy-type="attribute">jboss.mail:type=MailServices,name=DomainGroup,group=Local
                        <depends optional-attribute-name="MailBodyManager"
                        proxy-type="attribute">jboss.mail:type=MailServices,name=MailBodyManager
                        <depends optional-attribute-name="ListenerChain"
                        proxy-type="org.jboss.mail.MailListenerChain">jboss.mail:type=MailServices,name=MailListenerChain
                        <depends optional-attribute-name="UserRepository"
                        proxy-type="attribute">jboss.mail:type=MailServices,name=UserRepository,uimanageable=true
                        <depends optional-attribute-name="RelayDomainGroup"
                        proxy-type="attribute">jboss.mail:type=MailServices,name=DomainGroup,group=Relay
                        ....


                        <!--
                        JBMail can not be configured as an open relay, you must specify a list of domains
                        to allow relaying to. -->
                        true
                        <!--
                        auth-allowed means that users are allowed to login. This is orthogonal to AuthRequired.
                        Where AuthRequired means "auth required in order to send mail", AuthAllowed means
                        "is anyone able to log in at all?" A completely open relay (spam machine) would not
                        require authentication and might not even allow it (so it can't be tracked or whatever). One reason to FORBID authentication is if you want users to only authenticate over SSL but
                        want a separate instance of SMTP (on the same box even) to receive mails from the outside for
                        local users.
                        -->
                        true

                        • 9. Re: Mail Relay.

                          What is your auth required value set to? At the moment you can't anonymously relay with auth required set to true.

                          Mike.

                          • 10. Re: Mail Relay.
                            acoliver

                            Humm...I see. Originally AuthRequired was intended as the "Don't let anyone send mail OUT unless they are authenticated" -- as I see it Domain Relaying is an "exception" to auth required. If AuthRequired is "false" then you should effectively have an open relay.

                            I think it is okay to release M3 so long as AuthRequired=false is not an open relay. (because that would be basically redundant). Is that the case?

                            For M4 we should revise this after some discussion. Deal?
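
The recipient-side check discussed in posts 3, 4 and 10, sketched as an added example: it is not JBMail code, and the class name, method names and the 501 reply text are assumptions. The decision uses only the RCPT TO domain after discarding any source route, so an anonymous client can reach local and relay-group domains and nothing else.

```java
import java.util.Locale;
import java.util.Set;

/** Added illustration; class and method names are hypothetical, not JBMail's. */
public class RelayPolicyExample {

    // Both sets are expected to hold lower-case domain names.
    private final Set<String> localDomains;  // domains this server delivers for
    private final Set<String> relayDomains;  // the "relay domain group" of the thread

    public RelayPolicyExample(Set<String> localDomains, Set<String> relayDomains) {
        this.localDomains = localDomains;
        this.relayDomains = relayDomains;
    }

    /** Drops the angle brackets and any source route ("@a,@b:") from a forward-path. */
    static String stripSourceRoute(String forwardPath) {
        String p = forwardPath.trim();
        if (p.startsWith("<") && p.endsWith(">")) {
            p = p.substring(1, p.length() - 1);
        }
        if (p.startsWith("@")) {              // a route always precedes the mailbox
            int colon = p.indexOf(':');
            if (colon >= 0) {
                p = p.substring(colon + 1);
            }
        }
        return p;
    }

    /** Reply to RCPT TO, decided on the recipient's domain, never the sender's. */
    public String checkRcpt(String forwardPath, boolean authenticated) {
        String mailbox = stripSourceRoute(forwardPath);
        int at = mailbox.lastIndexOf('@');
        if (at < 1 || at == mailbox.length() - 1) {
            return "501 Syntax error in recipient address";
        }
        String domain = mailbox.substring(at + 1).toLowerCase(Locale.ROOT);
        if (localDomains.contains(domain)           // inbound mail for a local user
                || authenticated                    // authenticated users may send out
                || relayDomains.contains(domain)) { // anonymous relay, listed targets only
            return "250 Recipient <" + mailbox + "> OK";
        }
        return "553 Relaying disallowed";
    }

    public static void main(String[] args) {
        RelayPolicyExample policy = new RelayPolicyExample(
                Set.of("localhost.localdomain"), Set.of("jboss.org"));
        // Constructed sample recipients; the first four are sent anonymously.
        String[] rcpts = {
            "<acoliver@jboss.org>",
            "<andy@superlinksoftware.com>",
            "<@relay.example,@other.example:acoliver@jboss.org>",
            "<@jboss.org:andy@superlinksoftware.com>",
        };
        for (String r : rcpts) {
            System.out.println(r + " -> " + policy.checkRcpt(r, false));
        }
        System.out.println("authenticated -> "
                + policy.checkRcpt("<andy@superlinksoftware.com>", true));
    }
}
```

The fourth sample is still refused: a relay-group host named in the source route does not make the real destination relayable.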

                            • 11. Re: Mail Relay.
                              acoliver

                              Seems like it is okay for now (in that it is not an open relay). I'm not sure relaying is actually working:

                              15:19:51,645 INFO [Http11Protocol] Starting Coyote HTTP/1.1 on http-0.0.0.0-8080
                              15:19:54,780 INFO [ChannelSocket] JK: ajp13 listening on /0.0.0.0:8009
                              15:19:54,837 INFO [JkMain] Jk running ID=0 time=0/208 config=null
                              15:19:54,886 INFO [Server] JBoss (MX MicroKernel) [4.0.3RC2 (build: CVSTag=Branch_4_0 date=200508091251)] Started in 2m:6s:853ms
                              15:22:11,812 INFO [Server] Got request
                              15:22:11,838 INFO [Server] waiting for request
                              15:22:38,817 INFO [Server] Got request
                              15:22:38,818 INFO [Server] waiting for request
                              15:23:27,991 INFO [Mail] all headers after loading: MailHeadersImpl (4): [hdr(Received = 'Received: from null (localhost 0:0:0:0:0:0:0:1%0) by localhost.localdomain/JBossMail 1.0M3 (0:0:0:0:0:0:0:1%0)
                              with SMTP id 1124479407988576.2595372194803; Fri, 19 Aug 2005 15:23:27 -0400 (EDT)'), hdr(Subject = 'Subject: I do not like cheese'), hdr(From = 'From:<acoliver@jboss.org>'), hdr(To = 'To:<acoliver@jboss.org>')]
                              15:23:28,029 INFO [AbstractStore] Creating store item
                              15:23:28,052 INFO [PagedStore] Current Transaction: TransactionImpl:XidImpl[FormatId=257, GlobalId=Andrew-Olivers-Computer.local/23, BranchQual=, localId=23]
                              15:23:42,677 INFO [JMSMailListener] PUT MESSAGE ON QUEUE:org.jboss.mail.message.Mail@fe5a8a
                              15:23:45,626 INFO [STDOUT] DEBUG: JavaMail version 1.3.1
                              15:23:45,630 INFO [STDOUT] DEBUG: java.io.FileNotFoundException: /System/Library/Frameworks/JavaVM.framework/Versions/1.5.0/Home/lib/javamail.providers (No such file or directory)
                              15:23:45,635 INFO [STDOUT] DEBUG: !anyLoaded
                              15:23:45,644 INFO [STDOUT] DEBUG: not loading resource: /META-INF/javamail.providers
                              15:23:45,652 INFO [STDOUT] DEBUG: successfully loaded resource: /META-INF/javamail.default.providers
                              15:23:45,653 INFO [STDOUT] DEBUG: Tables of loaded providers
                              15:23:45,654 INFO [STDOUT] DEBUG: Providers Listed By Class Name: {com.sun.mail.smtp.SMTPTransport=javax.mail.Provider[TRANSPORT,smtp,com.sun.mail.smtp.SMTPTransport,Sun Microsystems, Inc], com.sun.mail.imap.IMAPStore=javax.mail.Provider[STORE,imap,com.sun.mail.imap.IMAPStore,Sun Microsystems, Inc], com.sun.mail.pop3.POP3Store=javax.mail.Provider[STORE,pop3,com.sun.mail.pop3.POP3Store,Sun Microsystems, Inc]}
                              15:23:45,655 INFO [STDOUT] DEBUG: Providers Listed By Protocol: {imap=javax.mail.Provider[STORE,imap,com.sun.mail.imap.IMAPStore,Sun Microsystems, Inc], pop3=javax.mail.Provider[STORE,pop3,com.sun.mail.pop3.POP3Store,Sun Microsystems, Inc], smtp=javax.mail.Provider[TRANSPORT,smtp,com.sun.mail.smtp.SMTPTransport,Sun Microsystems, Inc]}
                              15:23:45,660 INFO [STDOUT] DEBUG: successfully loaded resource: /META-INF/javamail.default.address.map
                              15:23:45,666 INFO [STDOUT] DEBUG: !anyLoaded
                              15:23:45,671 INFO [STDOUT] DEBUG: not loading resource: /META-INF/javamail.address.map
                              15:23:45,672 INFO [STDOUT] DEBUG: java.io.FileNotFoundException: /System/Library/Frameworks/JavaVM.framework/Versions/1.5.0/Home/lib/javamail.address.map (No such file or directory)
                              15:23:45,714 INFO [STDOUT] DEBUG: getProvider() returning javax.mail.Provider[TRANSPORT,smtp,com.sun.mail.smtp.SMTPTransport,Sun Microsystems, Inc]
                              15:23:50,357 INFO [STDOUT] DEBUG SMTP: useEhlo true, useAuth false
                              15:23:50,358 INFO [STDOUT] DEBUG SMTP: trying to connect to host "jboss.com.mail1.psmtp.com.", port 25
                              15:23:50,581 INFO [STDOUT] 220 Postini ESMTP 130 y6_3_2c0 ready. CA Business and Professions Code Section 17538.45 forbids use of this system for unsolicited electronic mail advertisements.
                              15:23:50,583 INFO [STDOUT] DEBUG SMTP: connected to host "jboss.com.mail1.psmtp.com.", port: 25
                              15:23:50,594 INFO [STDOUT] EHLO Andrew-Olivers-Computer.local
                              15:23:50,682 INFO [STDOUT] 250-Postini says hello back
                              250-STARTTLS
                              250-8BITMIME
                              250 HELP
                              15:23:50,684 INFO [STDOUT] DEBUG SMTP: Found extension "STARTTLS", arg ""
                              15:23:50,685 INFO [STDOUT] DEBUG SMTP: Found extension "8BITMIME", arg ""
                              15:23:50,686 INFO [STDOUT] DEBUG SMTP: Found extension "HELP", arg ""
                              15:23:51,266 ERROR [SMTPSender] Cannot send mailjava.lang.ArrayIndexOutOfBoundsException: 1
                              java.lang.ArrayIndexOutOfBoundsException: 1
                              at org.jboss.mail.smtp.sender.SMTPSender.sendForDomain(SMTPSender.java:405)
                              at org.jboss.mail.smtp.sender.SMTPSender.send(SMTPSender.java:255)
                              at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                              at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
                              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                              at java.lang.reflect.Method.invoke(Method.java:585)
                              at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:141)
                              at org.jboss.mx.server.Invocation.dispatch(Invocation.java:80)
                              at org.jboss.mx.server.Invocation.invoke(Invocation.java:72)
                              at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:245)
                              at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:644)
                              at javax.management.MBeanServerInvocationHandler.invoke(MBeanServerInvocationHandler.java:201)
                              at $Proxy96.send(Unknown Source)
                              at org.jboss.mail.mailhandler.remote.RemoteDeliveryMessageDrivenBean.deliver(RemoteDeliveryMessageDrivenBean.java:248)
                              at org.jboss.mail.mailhandler.remote.RemoteDeliveryMessageDrivenBean.onMessage(RemoteDeliveryMessageDrivenBean.java:124)
                              at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                              at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
                              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                              at java.lang.reflect.Method.invoke(Method.java:585)
                              at org.jboss.invocation.Invocation.performCall(Invocation.java:345)
                              at org.jboss.ejb.MessageDrivenContainer$ContainerInterceptor.invoke(MessageDrivenContainer.java:475)
                              at org.jboss.resource.connectionmanager.CachedConnectionInterceptor.invoke(CachedConnectionInterceptor.java:149)
                              at org.jboss.ejb.plugins.MessageDrivenInstanceInterceptor.invoke(MessageDrivenInstanceInterceptor.java:101)
                              at org.jboss.ejb.plugins.CallValidationInterceptor.invoke(CallValidationInterceptor.java:48)
                              at org.jboss.ejb.plugins.AbstractTxInterceptor.invokeNext(AbstractTxInterceptor.java:105)
                              at org.jboss.ejb.plugins.TxInterceptorCMT.runWithTransactions(TxInterceptorCMT.java:335)
                              at org.jboss.ejb.plugins.TxInterceptorCMT.invoke(TxInterceptorCMT.java:166)
                              at org.jboss.ejb.plugins.RunAsSecurityInterceptor.invoke(RunAsSecurityInterceptor.java:94)
                              at org.jboss.ejb.plugins.LogInterceptor.invoke(LogInterceptor.java:192)
                              at org.jboss.ejb.plugins.ProxyFactoryFinderInterceptor.invoke(ProxyFactoryFinderInterceptor.java:122)
                              at org.jboss.ejb.MessageDrivenContainer.internalInvoke(MessageDrivenContainer.java:389)
                              at org.jboss.ejb.Container.invoke(Container.java:873)
                              at org.jboss.ejb.plugins.jms.JMSContainerInvoker.invoke(JMSContainerInvoker.java:1077)
                              at org.jboss.ejb.plugins.jms.JMSContainerInvoker$MessageListenerImpl.onMessage(JMSContainerInvoker.java:1379)
                              at org.jboss.jms.asf.StdServerSession.onMessage(StdServerSession.java:256)
                              at org.jboss.mq.SpyMessageConsumer.sessionConsumerProcessMessage(SpyMessageConsumer.java:904)
                              at org.jboss.mq.SpyMessageConsumer.addMessage(SpyMessageConsumer.java:160)
                              at org.jboss.mq.SpySession.run(SpySession.java:333)
                              at org.jboss.jms.asf.StdServerSession.run(StdServerSession.java:180)
                              at EDU.oswego.cs.dl.util.concurrent.PooledExecutor$Worker.run(PooledExecutor.java:743)
                              at java.lang.Thread.run(Thread.java:613)
                              15:23:51,289 INFO [STDOUT] QUIT
                              15:23:51,299 INFO [JMSMailListener] PUT MESSAGE ON QUEUE:org.jboss.mail.message.MailRetryWrapper@e48c89

                              Trying ::1...
                              Connected to localhost.
                              Escape character is '^]'.
                              220 localhost.localdomain SMTP Server (JBMAIL SMTP Server version 0.1) ready August 19, 2005 8:42:43 AM EDT
                              MAIL FROM:<noone@nowhere.com>
                              250 Sender <noone@nowhere.com> OK
                              RCPT TO:<acoliver@jboss.org>
                              550 Not Authorized
                              quit
                              221 localhost.localdomain closing connection
                              Connection closed by foreign host.
                              Andrew-Olivers-Computer:~ acoliver$ vi /Applications/JBoss\ Mail\ Server/server/default/deploy/mail.ear/mail.sar/META-INF/jboss-service.xml
                              Andrew-Olivers-Computer:~ acoliver$ telnet localhost 25
                              Trying ::1...
                              Connected to localhost.
                              Escape character is '^]'.
                              220 localhost.localdomain SMTP Server (JBMAIL SMTP Server version 0.1) ready August 19, 2005 3:22:12 PM EDT
                              MAIL FROM:<noone@nowhere.com>
                              250 Sender <noone@nowhere.com> OK
                              RCPT TO:<andy@superlinksoftware.com>
                              553 Relaying disallowed
                              quit
                              221 localhost.localdomain closing connection
                              Connection closed by foreign host.
                              Andrew-Olivers-Computer:~ acoliver$ telnet localhost 25
                              Trying ::1...
                              Connected to localhost.
                              Escape character is '^]'.
                              220 localhost.localdomain SMTP Server (JBMAIL SMTP Server version 0.1) ready August 19, 2005 3:22:38 PM EDT
                              MAIL FROM:<acoliver@jboss.org>
                              250 Sender <acoliver@jboss.org> OK
                              RCPT TO:<acoliver@jboss.org>
                              250 Recipient <acoliver@jboss.org> OK
                              DATA
                              354 Ok Send data ending with .
                              Subject: I do not like cheese
                              From:<acoliver@jboss.org>
                              To:<acoliver@jboss.org>

                              I do not like cheese. It makes me ill.

                              -Andy
                              .

                              250 Message received
                              quit
                              221 localhost.localdomain closing connection
                              Connection closed by foreign host.

                              Though this could be something else.... I'll cut the release if there are no objections.

                              • 12. Re: Mail Relay.
                                acoliver

                                I added this to the template:

                                #if($RELAY_BY_DOMAIN_ENABLED)
                                false
                                #else
                                true
                                #end

                                So that if relaying is enabled we will auto configure authrequired==false.

                                • 13. Re: Mail Relay.

                                  The exception seems to be unrelated to relaying.

                                  I'm happy to change the logic for M4. It's reasonably easy to move the logic around.

                                  Cheers,
                                  Mike.

                                  • 14. Re: Mail Relay.
                                    acoliver

                                    I thought so too; however, it only happens when relaying... Could be I did something wrong in telnet ;-)

                                    Actually I think this is in the Auth routines... However it's probably a couple lines of boolean logic.
