<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<title>Security checklist :: Apache James</title>
<meta name="generator" content="Antora 3.1.2">
<link rel="stylesheet" href="../../../_/css/site.css">
</head>
<body class="article">
<div class="body">
<main class="article">
<div class="content">
<article class="doc">
<h1 class="page">Security checklist</h1>
<div id="preamble">
<div class="sectionbody">
<div class="paragraph">
<p>This document aims at summarizing threats, security best practices and recommendations.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_threats"><a class="anchor" href="#_threats"></a>Threats</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Operating an email server exposes you to the following threats:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>Spammers might attempt to use your servers to send their spam messages on their behalf. This is known as an
<strong>open relay</strong>. In addition to the resources consumed, being an open relay will affect the trust other mail
installations have in you, and thus will cause legitimate traffic to be rejected.</p>
</li>
<li>
<p>Emails mostly consist of private data, which should only be accessible to their legitimate user. Failure
to enforce this might result in <strong>information disclosure</strong>.</p>
</li>
<li>
<p><strong>Email forgery</strong>. An attacker might craft an email on behalf of legitimate users.</p>
</li>
<li>
<p>Email protocols allow users to authenticate and thus can be used as <strong>oracles</strong> to guess user passwords.</p>
</li>
<li>
<p><strong>Spam</strong>. Non-legitimate traffic can be a real burden to your users.</p>
</li>
<li>
<p><strong>Phishing</strong>: Crafted emails that trick the user into performing unintended actions.</p>
</li>
<li>
<p><strong>Viruses</strong>: An attacker sends an attachment that contains an exploit that could run if a user opens it.</p>
</li>
<li>
<p><strong>Denial of service</strong>: A small request may result in a very large response and require considerable work on the server&#8230;&#8203;</p>
</li>
<li>
<p><strong>Denial of service</strong>: A malicious JMAP client may use the JMAP push subscription to attempt to flood a third-party
server with requests, creating a denial-of-service attack and masking the attacker’s true identity.</p>
</li>
<li>
<p><strong>Dictionary Harvest Attacks</strong>: An attacker can rely on SMTP command reply codes to know whether a user exists or not. This
can be used to obtain the list of local users and later use those addresses as targets for other attacks.</p>
</li>
</ul>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_best_practices"><a class="anchor" href="#_best_practices"></a>Best practices</h2>
<div class="sectionbody">
<div class="paragraph">
<p>The following sections rank best practices.</p>
</div>
<div class="sect2">
<h3 id="_best_practices_must"><a class="anchor" href="#_best_practices_must"></a>Best practices: Must</h3>
<div class="ulist">
<ul>
<li>
<p>1. Configure James in order not to be an <a href="../configure/smtp.html#_about_open_relays" class="xref page">open relay</a>. This should be the
case with the default configuration.</p>
</li>
</ul>
</div>
<div class="paragraph">
<p>Be sure to activate the following option in <a href="../configure/smtp.html" class="xref page">smtpserver.xml</a>: <code>verifyIdentity</code>.</p>
</div>
<div class="paragraph">
<p>We then recommend manually testing your installation in order to ensure that:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>Unauthenticated SMTP users cannot send mails to external email addresses (they are not relayed)</p>
</li>
<li>
<p>Unauthenticated SMTP users can send mails to internal email addresses</p>
</li>
<li>
<p>Unauthenticated SMTP users cannot use local addresses in their MAIL FROM, whether sending emails locally or to distant targets.</p>
</li>
<li>
<p>2. Avoid <strong>STARTTLS</strong> usage and favor SSL. Upgrading from a non-encrypted channel into an encrypted channel is an opportunity
for additional vulnerabilities. This is easily prevented by requiring an SSL connection upfront. <a href="https://nostarttls.secvuln.info/">Read more&#8230;&#8203;</a></p>
</li>
</ul>
</div>
<div class="paragraph">
<p>Please note that STARTTLS is still beneficial in the context of email relaying, which happens unencrypted on SMTP port 25,
and enables opportunistic encryption upgrades that would not otherwise be possible. We recommend keeping STARTTLS activated
for SMTP port 25.</p>
</div>
<div class="ulist">
<ul>
<li>
<p>3. Use SSL for <a href="../configure/mailets.html#_remotedelivery" class="xref page">remote delivery</a> whenever you are using a gateway relaying SMTP server.</p>
</li>
<li>
<p>4. Rely on an external identity service, dedicated to user credential storage. James supports <a href="../configure/usersrepository.html#_configuring_a_ldap" class="xref page">LDAP</a>. If you are
forced to store users in James, be sure to choose <code>PBKDF2</code> as the hashing algorithm. Also, delays on authentication failures
are supported via the <code>verifyFailureDelay</code> property. Note that IMAP / SMTP connections are closed after 3 authentication
failures.</p>
</li>
<li>
<p>5. Ensure that <a href="../configure/webadmin.html" class="xref page">WebAdmin</a> is not exposed unencrypted to the outer world. Doing so trivially
exposes your installation. You can either disable it, activate JWT security, or restrict it to listen only on localhost.</p>
</li>
<li>
<p>6. Set up <code>HTTPS</code> for http based protocols, namely <strong>JMAP</strong> and <strong>WebAdmin</strong>. We recommend the use of a reverse proxy like Nginx.</p>
</li>
<li>
<p>7. Set up <a href="https://james.apache.org/howTo/spf.html">SPF</a> and <a href="https://james.apache.org/howTo/dkim.html">DKIM</a>
for your outgoing emails to be trusted.</p>
</li>
<li>
<p>8. Prevent access to JMX. This can be achieved through a strict firewalling policy
(<a href="https://nickbloor.co.uk/2017/10/22/analysis-of-cve-2017-12628/">blocking port 9999 is not enough</a>)
or by <a href="../configure/jmx.html" class="xref page">disabling JMX</a>. JMX is needed to use the existing CLI application, but WebAdmin offers similar
features. Set the <code>jmx.remote.x.mlet.allow.getMBeansFromURL</code> property to <code>false</code> to disable the JMX remote code execution feature.</p>
</li>
<li>
<p>9. If JMAP is enabled, be sure that JMAP PUSH cannot be used for server side request forgery. This can be
<a href="../configure/jmap.html" class="xref page">configured</a> using the <code>push.prevent.server.side.request.forgery=true</code> property,
forbidding push to private addresses.</p>
</li>
</ul>
</div>
</div>
<div class="sect2">
<h3 id="_best_practice_should"><a class="anchor" href="#_best_practice_should"></a>Best practice: Should</h3>
<div class="ulist">
<ul>
<li>
<p>1. Avoid advertising login/authenticate capabilities on clear channels. This might prevent some clients from attempting login
on clear channels, and can be configured for both <a href="../configure/smtp.html" class="xref page">SMTP</a> and <a href="../configure/imap.html" class="xref page">IMAP</a>
using <code>auth.plainAuthEnabled=false</code>.</p>
</li>
<li>
<p>2. Verify <a href="https://james.apache.org/howTo/spf.html">SPF</a> and <a href="../configure/mailets.html#_dkimverify" class="xref page">DKIM</a> for your incoming emails.</p>
</li>
<li>
<p>3. Set up reasonable <a href="webadmin.html#_administrating_quotas" class="xref page">storage quotas</a> for your users.</p>
</li>
<li>
<p>4. We recommend setting up anti-spam and anti-virus solutions. James comes with some <a href="../configure/spam.html" class="xref page">Rspamd and SpamAssassin</a>
integration, and some <a href="../configure/mailets.html#_clamavscan" class="xref page">ClamAV</a> tooling exists.
Rspamd supports anti-phishing modules.
Filtering with third party systems upstream is also possible.</p>
</li>
<li>
<p>5. In order to limit your attack surface, disable protocols you or your users do not use. This includes the JMAP protocol,
POP3, ManageSieve, etc&#8230;&#8203; Be conservative in what you expose.</p>
</li>
<li>
<p>6. If operating behind a load-balancer, set up the <a href="https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt">PROXY protocol</a> for
TCP based protocols (IMAP and SMTP <code>proxyRequired</code> option).</p>
</li>
</ul>
</div>
</div>
<div class="sect2">
<h3 id="_best_practice_could"><a class="anchor" href="#_best_practice_could"></a>Best practice: Could</h3>
<div class="ulist">
<ul>
<li>
<p>1. Set up <a href="https://openid.net/connect/">OIDC</a> for IMAP, SMTP and JMAP. Disable login/plain/basic authentication.</p>
</li>
<li>
<p>2. You can configure <a href="../configure/ssl.html#_client_authentication_via_certificates" class="xref page">Client authentication via certificates</a>.</p>
</li>
<li>
<p>3. You can <a href="../configure/mailets.html#_smimesign" class="xref page">sign</a>, <a href="../configure/mailets.html#_smimechecksignature" class="xref page">verify</a>
and <a href="../configure/mailets.html#_smimedecrypt" class="xref page">decrypt</a> your email traffic using <a href="https://datatracker.ietf.org/doc/html/rfc5751">SMIME</a>.</p>
</li>
</ul>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_known_vulnerabilities"><a class="anchor" href="#_known_vulnerabilities"></a>Known vulnerabilities</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Several vulnerabilities have been reported for previous releases of Apache James server.</p>
</div>
<div class="paragraph">
<p>Be sure not to run those! We highly recommend running the latest release, in which we put great effort into not using
outdated dependencies.</p>
</div>
<div class="sect2">
<h3 id="_reporting_vulnerabilities"><a class="anchor" href="#_reporting_vulnerabilities"></a>Reporting vulnerabilities</h3>
<div class="paragraph">
<p>We follow the standard procedures within the ASF regarding <a href="https://apache.org/security/committers.html#vulnerability-handling">vulnerability handling</a>.</p>
</div>
</div>
<div class="sect2">
<h3 id="_cve_2024_21742_mime4j_dom_header_injection"><a class="anchor" href="#_cve_2024_21742_mime4j_dom_header_injection"></a>CVE-2024-21742: Mime4J DOM header injection</h3>
<div class="paragraph">
<p>Apache JAMES MIME4J prior to version 0.8.10 allows attackers who are able to specify the value of a header field to craft other header fields.</p>
</div>
<div class="paragraph">
<p><strong>Severity</strong>: Moderate</p>
</div>
<div class="paragraph">
<p><strong>Mitigation</strong>: Release 0.8.10 rejects the use of LF inside a header field, thus preventing the issue.</p>
</div>
<div class="paragraph">
<p>Upgrading to Apache James MIME4J 0.8.10 is thus advised.</p>
</div>
</div>
<div class="sect2">
<h3 id="_cve_2023_51747_smtp_smuggling_in_apache_james"><a class="anchor" href="#_cve_2023_51747_smtp_smuggling_in_apache_james"></a>CVE-2023-51747: SMTP smuggling in Apache James</h3>
<div class="paragraph">
<p>Apache James distributions prior to releases 3.7.5 and 3.8.1 are subject to SMTP smuggling when used in combination
with another vulnerable server, which can result in SPF bypass, leading to email forgery.</p>
</div>
<div class="paragraph">
<p><strong>Severity</strong>: High</p>
</div>
<div class="paragraph">
<p><strong>Mitigation</strong>: Releases 3.7.5 and 3.8.1 strictly interpret the CRLF delimiter and thus prevent the issue.</p>
</div>
<div class="paragraph">
<p>Upgrading to Apache James 3.7.5 or 3.8.1 is thus advised.</p>
</div>
</div>
<div class="sect2">
<h3 id="_cve_2023_51518_privilege_escalation_via_jmx_pre_authentication_deserialisation"><a class="anchor" href="#_cve_2023_51518_privilege_escalation_via_jmx_pre_authentication_deserialisation"></a>CVE-2023-51518: Privilege escalation via JMX pre-authentication deserialisation</h3>
<div class="paragraph">
<p>Apache James distributions prior to releases 3.7.5 and 3.8.1 allow privilege escalation via JMX pre-authentication deserialisation.
An attacker would need to identify a deserialization glitch before triggering an exploit.</p>
</div>
<div class="paragraph">
<p><strong>Severity</strong>: Moderate</p>
</div>
<div class="paragraph">
<p><strong>Mitigation</strong>: We recommend turning off JMX whenever possible.</p>
</div>
<div class="paragraph">
<p>Releases 3.7.5 and 3.8.1 disable deserialization on unauthenticated channels.</p>
</div>
<div class="paragraph">
<p>Upgrading to Apache James 3.7.5 or 3.8.1 is thus advised.</p>
</div>
</div>
<div class="sect2">
<h3 id="_cve_2023_26269_privilege_escalation_through_unauthenticated_jmx"><a class="anchor" href="#_cve_2023_26269_privilege_escalation_through_unauthenticated_jmx"></a>CVE-2023-26269: Privilege escalation through unauthenticated JMX</h3>
<div class="paragraph">
<p>Apache James distribution prior to release 3.7.4 allows privilege escalation through the use of JMX.</p>
</div>
<div class="paragraph">
<p><strong>Severity</strong>: Moderate</p>
</div>
<div class="paragraph">
<p><strong>Mitigation</strong>: We recommend turning authentication on. If the CLI is unused, we recommend turning JMX off.</p>
</div>
<div class="paragraph">
<p>Release 3.7.4 implicitly sets up JMX authentication for Guice-based products and addresses the underlying JMX exploits.</p>
</div>
<div class="paragraph">
<p>Upgrading to Apache James 3.7.4 is thus advised.</p>
</div>
</div>
<div class="sect2">
<h3 id="_cve_2022_45935_temporary_file_information_disclosure_in_apache_james"><a class="anchor" href="#_cve_2022_45935_temporary_file_information_disclosure_in_apache_james"></a>CVE-2022-45935: Temporary File Information Disclosure in Apache JAMES</h3>
<div class="paragraph">
<p>Apache James distribution prior to release 3.7.3 is vulnerable to a temporary File Information Disclosure.</p>
</div>
<div class="paragraph">
<p><strong>Severity</strong>: Moderate</p>
</div>
<div class="paragraph">
<p><strong>Mitigation</strong>: We recommend upgrading to Apache James 3.7.3 or higher, which fixes this vulnerability.</p>
</div>
</div>
<div class="sect2">
<h3 id="_cve_2021_44228_starttls_command_injection_in_apache_james"><a class="anchor" href="#_cve_2021_44228_starttls_command_injection_in_apache_james"></a>CVE-2021-44228: STARTTLS command injection in Apache JAMES</h3>
<div class="paragraph">
<p>Apache James distribution prior to release 3.7.1 is vulnerable to a buffering attack relying on the use of the STARTTLS command.</p>
</div>
<div class="paragraph">
<p>The fix for CVE-2021-38542, which solved a similar problem as of Apache James 3.6.1, is subject to a parser differential and does not take concurrent requests into account.</p>
</div>
<div class="paragraph">
<p><strong>Severity</strong>: Moderate</p>
</div>
<div class="paragraph">
<p><strong>Mitigation</strong>: We recommend upgrading to Apache James 3.7.1 or higher, which fixes this vulnerability.</p>
</div>
</div>
<div class="sect2">
<h3 id="_cve_2021_38542_apache_james_vulnerable_to_starttls_command_injection_imap_and_pop3"><a class="anchor" href="#_cve_2021_38542_apache_james_vulnerable_to_starttls_command_injection_imap_and_pop3"></a>CVE-2021-38542: Apache James vulnerable to STARTTLS command injection (IMAP and POP3)</h3>
<div class="paragraph">
<p>Apache James prior to release 3.6.1 is vulnerable to a buffering attack relying on the use of the STARTTLS
command. This can result in man-in-the-middle command injection attacks, potentially leading to leakage
of sensitive information.</p>
</div>
<div class="paragraph">
<p><strong>Severity</strong>: Moderate</p>
</div>
<div class="paragraph">
<p>This issue is being tracked as <a href="https://issues.apache.org/jira/browse/JAMES-1862">JAMES-1862</a>.</p>
</div>
<div class="paragraph">
<p><strong>Mitigation</strong>: We recommend upgrading to Apache James 3.6.1, which fixes this vulnerability.</p>
</div>
<div class="paragraph">
<p>Furthermore, we recommend, if possible, deactivating STARTTLS and relying solely on implicit TLS (TLS on the dedicated ports) for mail protocols, including SMTP, IMAP and POP3.</p>
</div>
<div class="paragraph">
<p>Read more <a href="https://nostarttls.secvuln.info/">about STARTTLS security here</a>.</p>
</div>
</div>
<div class="sect2">
<h3 id="_cve_2021_40110_apache_james_imap_vulnerable_to_a_redos"><a class="anchor" href="#_cve_2021_40110_apache_james_imap_vulnerable_to_a_redos"></a>CVE-2021-40110: Apache James IMAP vulnerable to a ReDoS</h3>
<div class="paragraph">
<p>Using the Jazzer fuzzer, we identified that an IMAP user (LIST being an authenticated-state command, valid
credentials are required) can craft IMAP LIST commands to orchestrate a Denial of Service through a vulnerable
regular expression (ReDoS, i.e. catastrophic backtracking on attacker-controlled input). This affected Apache James
prior to 3.6.1.</p>
</div>
<div class="paragraph">
<p><strong>Severity</strong>: Moderate</p>
</div>
<div class="paragraph">
<p>This issue is being tracked as <a href="https://issues.apache.org/jira/browse/JAMES-3635">JAMES-3635</a></p>
</div>
<div class="paragraph">
<p><strong>Mitigation</strong>: We recommend upgrading to Apache James 3.6.1, which enforces the use of the RE2J
regular-expression engine; RE2J executes regexes in time linear in the input length, without backtracking, so
matching cannot be made super-linear by crafted input.</p>
</div>
</div>
<div class="sect2">
<h3 id="_cve_2021_40111_apache_james_imap_parsing_denial_of_service"><a class="anchor" href="#_cve_2021_40111_apache_james_imap_parsing_denial_of_service"></a>CVE-2021-40111: Apache James IMAP parsing Denial Of Service</h3>
<div class="paragraph">
<p>While fuzzing the IMAP parsing stack with Jazzer, we discovered that crafted APPEND and STATUS IMAP commands
could be used to trigger infinite loops, resulting in expensive CPU computations and OutOfMemory exceptions.
This can be used for a Denial of Service attack. The IMAP user needs to be authenticated to exploit this
vulnerability. This affected Apache James prior to version 3.6.1.</p>
</div>
<div class="paragraph">
<p><strong>Severity</strong>: Moderate</p>
</div>
<div class="paragraph">
<p>This issue is being tracked as <a href="https://issues.apache.org/jira/browse/JAMES-3634">JAMES-3634</a></p>
</div>
<div class="paragraph">
<p><strong>Mitigation</strong>: We recommend upgrading to Apache James 3.6.1, which fixes this vulnerability.</p>
</div>
</div>
<div class="sect2">
<h3 id="_cve_2021_40525_apache_james_sieve_file_storage_vulnerable_to_path_traversal_attacks"><a class="anchor" href="#_cve_2021_40525_apache_james_sieve_file_storage_vulnerable_to_path_traversal_attacks"></a>CVE-2021-40525: Apache James: Sieve file storage vulnerable to path traversal attacks</h3>
<div class="paragraph">
<p>The Apache James ManageSieve implementation, when used together with the file-based storage for Sieve scripts,
is vulnerable to path traversal, allowing a ManageSieve client to read and write arbitrary files accessible to the
James process — not only Sieve scripts.</p>
</div>
<div class="paragraph">
<p><strong>Severity</strong>: Moderate</p>
</div>
<div class="paragraph">
<p>This issue is being tracked as <a href="https://issues.apache.org/jira/browse/JAMES-3646">JAMES-3646</a></p>
</div>
<div class="paragraph">
<p><strong>Mitigation</strong>: This vulnerability has been patched in Apache James 3.6.1 and higher. We recommend upgrading.</p>
</div>
<div class="paragraph">
<p>This can also be mitigated by ensuring ManageSieve is disabled, which is the case by default; verify that it has not been enabled in your deployment before relying on this.</p>
</div>
<div class="paragraph">
<p>Distributed and Cassandra-based products are not impacted either, the vulnerable component being the file-based Sieve script storage.</p>
</div>
</div>
<div class="sect2">
<h3 id="_cve_2017_12628_privilege_escalation_using_jmx"><a class="anchor" href="#_cve_2017_12628_privilege_escalation_using_jmx"></a>CVE-2017-12628: Privilege escalation using JMX</h3>
<div class="paragraph">
<p>Apache James Server prior to version 3.0.1 is vulnerable to Java deserialization issues via its JMX interface.
An attacker able to reach the JMX socket can use this for privilege escalation.
This issue can be mitigated by:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>Upgrading to James 3.0.1 onward</p>
</li>
<li>
<p>Using a recent JRE (the exploit could not be reproduced on OpenJDK 8u141). Note that this only defeats the known exploit; it does not remove the deserialization entry point, so do not rely on it as the sole mitigation.</p>
</li>
<li>
<p>Exposing the JMX socket only to localhost (default behaviour) — bear in mind that any process or user on the same host can still reach it.</p>
</li>
<li>
<p>Running James in a container, which limits what a compromised James process can reach on the host (a containment measure, not a fix).</p>
</li>
<li>
<p>Disabling JMX altogether (Guice-based products only)</p>
</li>
</ul>
</div>
<div class="paragraph">
<p>Read more in the <a href="https://james.apache.org/james/update/2017/10/20/james-3.0.1.html">Apache James 3.0.1 release announcement</a>.</p>
</div>
</div>
</div>
</div>
</article>
</div>
</main>
</div>
</body>
</html>