List: james-user
Subject: Re: Require TLS
From: Johnny Minty <johnny () minty ! net ! nz>
Date: 2013-08-01 7:08:58
Message-ID: BLU404-EAS268244272E7E9134F81A405E2500 () phx ! gbl
Hi Guys,

I've managed to get partway through writing up a solution by modifying the dispatchCommandHandlers method in the CommandDispatcher class.

This modification requires TLS for all connections once the connecting client has established a connection state, i.e. EHLO/HELO. If a client doesn't send STARTTLS and stand up a valid SSL connection, a 530 response is returned.

This solution isn't ideal and needs further development:

1) A way to define which servers to require TLS for (similar to the authorizedAddresses map?)
2) Support for IMAP, POP (this will only work for SMTP?)
3) Stop the AUTH field in the server reply from being sent prior to a TLS connection having been started
import org.apache.james.protocols.api.ProtocolSession;
import org.apache.james.protocols.api.Request;
import org.apache.james.protocols.api.Response;
import org.apache.james.protocols.smtp.SMTPResponse;
import org.apache.james.protocols.smtp.SMTPSession;

// 530 5.7.0 is the reply RFC 3207 defines for commands issued before STARTTLS
private static final Response TLS_REQUIRED =
        new SMTPResponse("530", "5.7.0 Must issue a STARTTLS command first").immutable();

@Override
protected Response dispatchCommandHandlers(ProtocolSession session, Request request) {
    // Non-null once the client has sent EHLO/HELO on this connection
    Object ehloState = session.getAttachment(SMTPSession.CURRENT_HELO_MODE,
            ProtocolSession.State.Connection);
    // If EHLO/HELO is established, TLS has NOT been started and the next command
    // is not STARTTLS, reject it. (RFC 3207 section 4 also permits NOOP, EHLO and
    // QUIT before STARTTLS; this version rejects those as well.)
    if (ehloState != null && !session.isTLSStarted()
            && !"STARTTLS".equalsIgnoreCase(request.getCommand())) {
        return TLS_REQUIRED;
    } else {
        return super.dispatchCommandHandlers(session, request);
    }
}
Kind regards,
Johnny Minty
From: Phillip Odam
Sent: Wednesday, 31 July 2013 1:32 a.m.
To: James Users List
Trouble with a fastfail hook is that it means the client has sent the
username and password in the clear for the hook to activate.
On 7/30/13 2:09 AM, Jan-Philipp Hülshoff wrote:
> What about doing it with a Hook for fastfail?
> This hook fails the mail command if it is not authenticated. You could
> also use session.isTLSStarted() or session.isRelayingAllowed().
>
> I'm using that hook on a second SMTP Server on port 465 to force
> everyone to login.
>
>
> public class AuthenticatedSMTPOnlyHandler implements MailHook {
>
>     public AuthenticatedSMTPOnlyHandler() {
>     }
>
>     @Override
>     public HookResult doMail(SMTPSession session, MailAddress address) {
>         // session.isTLSStarted() and session.isRelayingAllowed() could be checked here too
>         String user = session.getUser();
>         // Deny MAIL FROM unless a non-empty user was authenticated on this session
>         if (user == null || user.trim().length() == 0) {
>             return new HookResult(
>                     HookReturnCode.DENY,
>                     SMTPRetCode.AUTH_REQUIRED,
>                     DSNStatus.getStatus(
>                             DSNStatus.PERMANENT,
>                             DSNStatus.SECURITY_AUTH + " Authentication is required."));
>         }
>         return HookResult.ok();
>     }
> }
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: server-user-unsubscribe@james.apache.org
> For additional commands, e-mail: server-user-help@james.apache.org
>
>
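As an added example that is not part of this thread and not Apache James code, the following self-contained Java program replays both approaches discussed above (the CommandDispatcher gate from the first message and the fastfail MailHook from the quoted reply) against one constructed client transcript. The Session, Trace, run and report names are my own stand-ins for the James session and handler machinery; the 530 texts come from the posted code and RFC 3207; the credential string is a constructed base64 of "\0alice\0secret". It differs from the posted dispatcher in two places, both deliberate: it exempts EHLO/HELO/NOOP/QUIT before STARTTLS as RFC 3207 section 4 allows, and it omits AUTH from the EHLO reply until TLS is up (wish-list item 3).

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.function.BiFunction;

/** Added example, not Apache James code: replays the two "require TLS" policies from
 *  this thread against one constructed client transcript. */
public final class RequireTlsDemo {

    /** Stand-in for the session fields the posted handlers read. */
    static final class Session {
        boolean heloSeen;    // the CURRENT_HELO_MODE attachment is non-null
        boolean tlsStarted;  // session.isTLSStarted()
        String user;         // session.getUser(), set once AUTH succeeded
    }

    /** Commands RFC 3207 section 4 lets a server accept before STARTTLS. */
    static final Set<String> ALLOWED_BEFORE_TLS = Set.of("EHLO", "HELO", "NOOP", "QUIT", "STARTTLS");
    static final String TLS_REQUIRED = "530 5.7.0 Must issue a STARTTLS command first";
    static final String AUTH_REQUIRED = "530 5.7.0 Authentication is required";

    /** Policy A: the CommandDispatcher gate, consulted before every command. */
    static String dispatcherGate(Session s, String verb) {
        boolean allowed = !s.heloSeen || s.tlsStarted || ALLOWED_BEFORE_TLS.contains(verb);
        return allowed ? null : TLS_REQUIRED; // null = run the normal command handler
    }

    /** Policy B: the fastfail MailHook; the server only consults it at MAIL FROM. */
    static String mailHook(Session s, String verb) {
        boolean authenticated = s.user != null && !s.user.trim().isEmpty();
        return (!verb.equals("MAIL") || (s.tlsStarted && authenticated)) ? null : AUTH_REQUIRED;
    }

    /** Wish-list item 3: advertise AUTH only once the channel is encrypted. */
    static List<String> ehloReply(Session s) {
        return List.of("250-mail.example greets you",
                s.tlsStarted ? "250-AUTH PLAIN LOGIN" : "250-STARTTLS",
                "250 SIZE 10485760");
    }

    /** What crossed the wire under one policy. */
    static final class Trace {
        final List<String> log = new ArrayList<>();
        boolean credentialsAcceptedInClear;
    }

    static Trace run(BiFunction<Session, String, String> policy, List<String> clientLines) {
        Session s = new Session();
        Trace t = new Trace();
        for (String line : clientLines) {
            String verb = line.split("[ :]", 2)[0].toUpperCase();
            t.log.add("C: " + line);
            String rejection = policy.apply(s, verb);
            if (rejection != null) {
                t.log.add("S: " + rejection);
                continue; // refused: session state is unchanged
            }
            // The normal handlers, modelled just far enough for the comparison
            switch (verb) {
                case "EHLO":
                    s.heloSeen = true;
                    ehloReply(s).forEach(reply -> t.log.add("S: " + reply));
                    break;
                case "STARTTLS":
                    s.tlsStarted = true; // a real server also resets the EHLO state here
                    t.log.add("S: 220 2.0.0 Ready to start TLS");
                    break;
                case "AUTH":
                    s.user = "alice"; // constructed: assume the credentials verified
                    t.credentialsAcceptedInClear |= !s.tlsStarted;
                    t.log.add("S: 235 2.7.0 Authentication successful");
                    break;
                case "QUIT":
                    t.log.add("S: 221 2.0.0 Bye");
                    break;
                default:
                    t.log.add("S: 250 2.1.0 OK");
            }
        }
        return t;
    }

    static void report(String name, Trace t) {
        System.out.println("--- " + name + " ---");
        t.log.forEach(System.out::println);
        System.out.println("credentials accepted in clear: " + t.credentialsAcceptedInClear);
    }

    public static void main(String[] args) {
        // Constructed transcript: the client authenticates without ever issuing STARTTLS
        List<String> client = List.of("EHLO client.example",
                "AUTH PLAIN AGFsaWNlAHNlY3JldA==", // constructed: base64 of \0alice\0secret
                "MAIL FROM:<alice@example>", "QUIT");
        report("dispatcher gate", run(RequireTlsDemo::dispatcherGate, client));
        report("MAIL hook", run(RequireTlsDemo::mailHook, client));
    }
}
```

Running it shows the difference Phillip points at: under the dispatcher gate the AUTH command itself is refused with 530 and the session reports no credentials accepted in clear, while under the MAIL hook the server answers AUTH with 235 on the plaintext channel and only rejects at MAIL FROM, by which time the password has already been sent. QUIT succeeds under both because the gate exempts it. The pre-TLS EHLO reply lists STARTTLS but not AUTH, so a well-behaved client is never invited to authenticate before encrypting.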