| <!DOCTYPE html> |
| <html lang="en"> |
| <head> |
| <meta charset="utf-8"> |
| <meta name="viewport" content="width=device-width,initial-scale=1"> |
| <title>Security checklist :: Apache James</title> |
| <meta name="generator" content="Antora 3.1.2"> |
| <link rel="stylesheet" href="../../../_/css/site.css"> |
| </head> |
| <body class="article"> |
| <div class="body"> |
<div class="nav-container" data-component="james-distributed-app" data-version="3.8.1"></div>
| <main class="article"> |
| <div class="content"> |
| <article class="doc"> |
| <h1 class="page">Security checklist</h1> |
| <div id="preamble"> |
| <div class="sectionbody"> |
| <div class="paragraph"> |
<p>This document summarizes threats, security best practices and recommendations.</p>
| </div> |
| </div> |
| </div> |
| <div class="sect1"> |
| <h2 id="_threats"><a class="anchor" href="#_threats"></a>Threats</h2> |
| <div class="sectionbody"> |
| <div class="paragraph"> |
| <p>Operating an email server exposes you to the following threats:</p> |
| </div> |
| <div class="ulist"> |
| <ul> |
| <li> |
<p>Spammers might attempt to use your servers to send their spam messages on their behalf; such a server is called an
<strong>open relay</strong>. Beyond the resources consumed, being an open relay erodes the trust other mail
installations place in you, and thus causes legitimate traffic to be rejected.</p>
| </li> |
| <li> |
<p>Emails mostly consist of private data, which shall only be accessed by their legitimate user. Failure
to enforce this might result in <strong>information disclosure</strong>.</p>
| </li> |
| <li> |
| <p><strong>Email forgery</strong>. An attacker might craft an email on the behalf of legitimate users.</p> |
| </li> |
| <li> |
<p>Email protocols allow users to authenticate and thus can be used as <strong>oracles</strong> to guess user passwords.</p>
| </li> |
| <li> |
<p><strong>Spam</strong>. Illegitimate traffic can be a real burden to your users.</p>
| </li> |
| <li> |
<p><strong>Phishing</strong>: Crafted emails that trick the user into doing unintended actions.</p>
| </li> |
| <li> |
| <p><strong>Viruses</strong>: An attacker sends an attachment that contains an exploit that could run if a user opens it.</p> |
| </li> |
| <li> |
<p><strong>Denial of service</strong>: A small request may result in a very large response and require considerable work on the server.</p>
| </li> |
| <li> |
| <p><strong>Denial of service</strong>: A malicious JMAP client may use the JMAP push subscription to attempt to flood a third party |
| server with requests, creating a denial-of-service attack and masking the attacker’s true identity.</p> |
| </li> |
| <li> |
<p><strong>Dictionary Harvest Attacks</strong>: An attacker can rely on SMTP command reply codes to know whether a user exists or not. This
can be used to obtain the list of local users and later use those addresses as targets for other attacks.</p>
| </li> |
| </ul> |
| </div> |
| </div> |
| </div> |
| <div class="sect1"> |
| <h2 id="_best_practices"><a class="anchor" href="#_best_practices"></a>Best practices</h2> |
| <div class="sectionbody"> |
| <div class="paragraph"> |
<p>The following sections rank best practices by priority.</p>
| </div> |
| <div class="sect2"> |
| <h3 id="_best_practices_must"><a class="anchor" href="#_best_practices_must"></a>Best practices: Must</h3> |
| <div class="ulist"> |
| <ul> |
| <li> |
<p>1. Configure James so that it is not an <a href="../configure/smtp.html#_about_open_relays" class="xref page">open relay</a>. This should be the
case with the default configuration.</p>
| </li> |
| </ul> |
| </div> |
| <div class="paragraph"> |
<p>In <a href="../configure/smtp.html" class="xref page">smtpserver.xml</a>, be sure to activate the <code>verifyIdentity</code> option.</p>
| </div> |
| <div class="paragraph"> |
<p>We then recommend manually testing your installation in order to ensure that:</p>
| </div> |
| <div class="ulist"> |
| <ul> |
| <li> |
| <p>Unauthenticated SMTP users cannot send mails to external email addresses (they are not relayed)</p> |
| </li> |
| <li> |
| <p>Unauthenticated SMTP users can send mails to internal email addresses</p> |
| </li> |
| <li> |
<p>Unauthenticated SMTP users cannot use local addresses in their <code>MAIL FROM</code>, whether sending locally or to remote targets.</p>
| </li> |
| <li> |
<p>2. Avoid <strong>STARTTLS</strong> usage and favor SSL. Upgrading from a non-encrypted channel to an encrypted channel is an opportunity
for additional vulnerabilities. This is easily prevented by requiring an SSL connection upfront. <a href="https://nostarttls.secvuln.info/">Read more…</a></p>
| </li> |
| </ul> |
| </div> |
| <div class="paragraph"> |
<p>Please note that STARTTLS is still beneficial in the context of email relaying, which happens on SMTP port 25 unencrypted,
and enables opportunistic encryption upgrades that would not otherwise be possible. We recommend keeping STARTTLS activated
for SMTP port 25.</p>
| </div> |
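<div class="paragraph">
<p>The three relay checks listed under point 1 above, as an added example (not Apache James code): it drives any object exposing <code>smtplib.SMTP</code>-style <code>mail()</code>/<code>rcpt()</code>/<code>rset()</code> methods, so the same function can be pointed at a live server or at the simulated session included below. The domains, addresses and reply texts are assumptions.</p>
</div>
```python
"""Verify that an SMTP server is not an open relay (added example, not Apache James code)."""
import smtplib

LOCAL_DOMAIN = "example.org"      # assumed: a domain this James instance serves
EXTERNAL_DOMAIN = "example.net"   # assumed: a domain this James instance does not serve


def _accepted(reply):
    """SMTP positive completion replies are 2xx; 4xx/5xx mean the step was refused."""
    code, _message = reply
    return code // 100 == 2


def _transaction(session, sender, recipient):
    """Attempt MAIL FROM / RCPT TO on an unauthenticated session; True if both were accepted."""
    session.rset()
    if not _accepted(session.mail(sender)):
        return False
    return _accepted(session.rcpt(recipient))


def check_not_open_relay(session, local_domain=LOCAL_DOMAIN, external_domain=EXTERNAL_DOMAIN):
    """Return a dict mapping each relay check to True (pass) or False (fail).

    The session must NOT be authenticated: the point is to see what an anonymous
    client on the internet can make the server do.
    """
    external_sender = "sender@" + external_domain
    external_rcpt = "someone@" + external_domain
    local_sender = "alice@" + local_domain
    local_rcpt = "bob@" + local_domain
    results = {}
    # Check 1: an external sender must not be relayed to an external recipient.
    results["no_external_relay"] = not _transaction(session, external_sender, external_rcpt)
    # Check 2: an external sender must still reach local users, otherwise inbound
    # mail is broken (a failure here can also come from other inbound policies).
    results["inbound_to_local_accepted"] = _transaction(session, external_sender, local_rcpt)
    # Check 3: a local address in MAIL FROM must be refused without authentication
    # (verifyIdentity), whether the recipient is local or remote.
    results["no_forged_local_sender_to_local"] = not _transaction(session, local_sender, local_rcpt)
    results["no_forged_local_sender_to_remote"] = not _transaction(session, local_sender, external_rcpt)
    return results


class SimulatedSmtpSession:
    """Constructed stand-in for smtplib.SMTP so the checks can run offline.

    With relay_everything=False it behaves like a correctly configured server;
    with relay_everything=True it accepts any recipient, i.e. it is an open relay.
    """

    def __init__(self, local_domains=(LOCAL_DOMAIN,), relay_everything=False):
        self.local_domains = set(local_domains)
        self.relay_everything = relay_everything
        self.sender = None

    def _is_local(self, address):
        return address.rsplit("@", 1)[-1].lower() in self.local_domains

    def rset(self):
        self.sender = None
        return (250, b"OK")

    def mail(self, sender):
        if self._is_local(sender):
            # verifyIdentity-style behaviour: local senders must authenticate first
            return (530, b"5.7.1 Authentication required")   # constructed reply text
        self.sender = sender
        return (250, b"OK")

    def rcpt(self, recipient):
        if self.relay_everything or self._is_local(recipient):
            return (250, b"OK")
        return (550, b"5.7.1 Relaying denied")   # constructed reply text


def run_against_server(host, port=25):
    """Run the checks against a real server over an unauthenticated session (needs network)."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        return check_not_open_relay(smtp)


if __name__ == "__main__":
    for name, passed in check_not_open_relay(SimulatedSmtpSession()).items():
        print(name, "PASS" if passed else "FAIL")
```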
| <div class="ulist"> |
| <ul> |
| <li> |
| <p>3. Use SSL for <a href="../configure/mailets.html#_remotedelivery" class="xref page">remote delivery</a> whenever you are using a gateway relaying SMTP server.</p> |
| </li> |
| <li> |
<p>4. Rely on an external identity service, dedicated to user credential storage. James supports <a href="../configure/usersrepository.html#_configuring_a_ldap" class="xref page">LDAP</a>. If you are
forced to store users in James, be sure to choose <code>PBKDF2</code> as the hashing algorithm. Also, delays on authentication failures
are supported via the <code>verifyFailureDelay</code> property. Note that IMAP / SMTP connections are closed after 3 authentication
failures.</p>
| </li> |
| <li> |
<p>5. Ensure that <a href="../configure/webadmin.html" class="xref page">WebAdmin</a> is not exposed unencrypted to the outside world. Doing so trivially
exposes your installation. You can either disable it, activate JWT security, or restrict it to listen only on localhost.</p>
| </li> |
| <li> |
<p>6. Set up <code>HTTPS</code> for HTTP-based protocols, namely <strong>JMAP</strong> and <strong>WebAdmin</strong>. We recommend the use of a reverse proxy like Nginx.</p>
| </li> |
| <li> |
| <p>7. Set up <a href="https://james.apache.org/howTo/spf.html">SPF</a> and <a href="https://james.apache.org/howTo/dkim.html">DKIM</a> |
| for your outgoing emails to be trusted.</p> |
| </li> |
| <li> |
<p>8. Prevent access to JMX. This can be achieved through a strict firewalling policy
(<a href="https://nickbloor.co.uk/2017/10/22/analysis-of-cve-2017-12628/">blocking port 9999 is not enough</a>)
or by <a href="../configure/jmx.html" class="xref page">disabling JMX</a>. JMX is needed to use the existing CLI application, but WebAdmin offers similar
features. Set <code>jmx.remote.x.mlet.allow.getMBeansFromURL</code> to <code>false</code> to disable the JMX remote code execution feature.</p>
| </li> |
| <li> |
<p>9. If JMAP is enabled, be sure that JMAP PUSH cannot be used for server-side request forgery. This can be
<a href="../configure/jmap.html" class="xref page">configured</a> using the <code>push.prevent.server.side.request.forgery=true</code> property,
forbidding push to private addresses.</p>
| </li> |
| </ul> |
| </div> |
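<div class="paragraph">
<p>The kind of check point 9 relies on, as an added example: it is not the Apache James implementation of <code>push.prevent.server.side.request.forgery</code>, only an illustration of validating a push subscription URL against non-public address ranges. The resolver is injectable so the example runs offline; the DNS view, hostnames and URLs are constructed.</p>
</div>
```python
"""Refuse JMAP push subscription URLs pointing at internal addresses.

Added example for this checklist; not the Apache James implementation of
push.prevent.server.side.request.forgery, only an illustration of the kind of
check such a setting performs. By default hosts are resolved with
socket.getaddrinfo; the demo below injects a constructed resolver instead.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

# Non-public ranges a push callback must never target: "this" network, RFC 1918,
# shared address space (CGNAT), loopback, link-local (which also covers cloud
# metadata endpoints), multicast, reserved, and their IPv6 equivalents.
FORBIDDEN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]


def default_resolver(hostname):
    """Resolve hostname to the set of addresses it points at (network access)."""
    return {info[4][0] for info in socket.getaddrinfo(hostname, None)}


def is_forbidden_address(ip):
    """True if ip (a string) falls into one of the non-public ranges above."""
    addr = ipaddress.ip_address(ip)
    # IPv4-mapped IPv6 literals such as ::ffff:127.0.0.1 are judged as their IPv4 form.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in FORBIDDEN_NETWORKS)


def validate_push_url(url, resolver=default_resolver):
    """Return (accepted, reason). Every resolved address is checked, so a host
    mixing public and private records is refused as well."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme must be http or https"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL are not allowed"
    try:
        addresses = {str(ipaddress.ip_address(host))}   # literal IP: no DNS needed
    except ValueError:
        try:
            addresses = set(resolver(host))
        except OSError as exc:
            return False, "host does not resolve: " + str(exc)
    if not addresses:
        return False, "host does not resolve"
    for ip in sorted(addresses):
        if is_forbidden_address(ip):
            return False, host + " resolves to non-public address " + ip
    return True, "ok"


# Constructed DNS view so the demonstration runs offline.
FAKE_DNS = {
    "push.example.com": {"203.0.113.10"},
    "metadata.internal.example": {"169.254.169.254"},
    "mixed.example": {"203.0.113.20", "10.0.0.5"},
}


def fake_resolver(hostname):
    if hostname not in FAKE_DNS:
        raise OSError("unknown host " + hostname)
    return FAKE_DNS[hostname]


def demo():
    """Evaluate constructed subscription URLs against the fake DNS view."""
    urls = [
        "https://push.example.com/notify",
        "https://metadata.internal.example/latest",
        "https://mixed.example/hook",
        "https://[::ffff:127.0.0.1]/hook",
        "https://10.1.2.3/hook",
        "ftp://push.example.com/notify",
    ]
    return {u: validate_push_url(u, resolver=fake_resolver) for u in urls}


if __name__ == "__main__":
    for url, (ok, why) in demo().items():
        print("ACCEPT" if ok else "REJECT", url, why)
```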
| </div> |
| <div class="sect2"> |
| <h3 id="_best_practice_should"><a class="anchor" href="#_best_practice_should"></a>Best practice: Should</h3> |
| <div class="ulist"> |
| <ul> |
| <li> |
<p>1. Avoid advertising login/authenticate capabilities on clear channels. This might prevent some clients from attempting to log in
on clear channels, and can be configured for both <a href="../configure/smtp.html" class="xref page">SMTP</a> and <a href="../configure/imap.html" class="xref page">IMAP</a>
using <code>auth.plainAuthEnabled=false</code>.</p>
| </li> |
| <li> |
| <p>2. Verify <a href="https://james.apache.org/howTo/spf.html">SPF</a> and <a href="../configure/mailets.html#_dkimverify" class="xref page">DKIM</a> for your incoming emails.</p> |
| </li> |
| <li> |
| <p>3. Set up reasonable <a href="webadmin.html#_administrating_quotas" class="xref page">storage quota</a> for your users.</p> |
| </li> |
| <li> |
| <p>4. We recommend setting up anti-spam and anti-virus solutions. James comes with some <a href="../configure/spam.html" class="xref page">Rspamd and SpamAssassin</a> |
| integration, and some <a href="../configure/mailets.html#_clamavscan" class="xref page">ClamAV</a> tooling exists. |
| Rspamd supports anti-phishing modules. |
| Filtering with third party systems upstream is also possible.</p> |
| </li> |
| <li> |
<p>5. In order to limit your attack surface, disable protocols you or your users do not use. This includes the JMAP protocol,
POP3, ManageSieve, etc. Be conservative on what you expose.</p>
| </li> |
| <li> |
<p>6. If operating behind a load-balancer, set up the <a href="https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt">PROXY protocol</a> for
TCP-based protocols (the <code>proxyRequired</code> option of IMAP and SMTP).</p>
| </li> |
| </ul> |
| </div> |
| </div> |
| <div class="sect2"> |
| <h3 id="_best_practice_could"><a class="anchor" href="#_best_practice_could"></a>Best practice: Could</h3> |
| <div class="ulist"> |
| <ul> |
| <li> |
| <p>1. Set up <a href="https://openid.net/connect/">OIDC</a> for IMAP, SMTP and JMAP. Disable login/plain/basic authentication.</p> |
| </li> |
| <li> |
| <p>2. You can configure <a href="../configure/ssl.html#_client_authentication_via_certificates" class="xref page">Client authentication via certificates</a>.</p> |
| </li> |
| <li> |
| <p>3. You can <a href="../configure/mailets.html#_smimesign" class="xref page">sign</a>, <a href="../configure/mailets.html#_smimechecksignature" class="xref page">verify</a> |
| and <a href="../configure/mailets.html#_smimedecrypt" class="xref page">decrypt</a> your email traffic using <a href="https://datatracker.ietf.org/doc/html/rfc5751">SMIME</a>.</p> |
| </li> |
| </ul> |
| </div> |
| </div> |
| </div> |
| </div> |
| <div class="sect1"> |
| <h2 id="_known_vulnerabilities"><a class="anchor" href="#_known_vulnerabilities"></a>Known vulnerabilities</h2> |
| <div class="sectionbody"> |
| <div class="paragraph"> |
<p>Several vulnerabilities have been reported for previous releases of the Apache James server.</p>
| </div> |
| <div class="paragraph"> |
<p>Be sure not to run those! We highly recommend running the latest release, in which we put great effort into not using
outdated dependencies.</p>
| </div> |
| <div class="sect2"> |
| <h3 id="_reporting_vulnerabilities"><a class="anchor" href="#_reporting_vulnerabilities"></a>Reporting vulnerabilities</h3> |
| <div class="paragraph"> |
<p>We follow the standard procedures within the ASF regarding <a href="https://apache.org/security/committers.html#vulnerability-handling">vulnerability handling</a>.</p>
| </div> |
| </div> |
| <div class="sect2"> |
| <h3 id="_cve_2024_21742_mime4j_dom_header_injection"><a class="anchor" href="#_cve_2024_21742_mime4j_dom_header_injection"></a>CVE-2024-21742: Mime4J DOM header injection</h3> |
| <div class="paragraph"> |
<p>Apache James MIME4J prior to version 0.8.10 allows attackers able to specify the value of a header field to craft other header fields.</p>
| </div> |
| <div class="paragraph"> |
| <p><strong>Severity</strong>: Moderate</p> |
| </div> |
| <div class="paragraph"> |
<p><strong>Mitigation</strong>: Release 0.8.10 rejects the use of LF inside a header field, thus preventing the issue.</p>
| </div> |
| <div class="paragraph"> |
| <p>Upgrading to Apache James MIME4J 0.8.10 is thus advised.</p> |
| </div> |
| </div> |
| <div class="sect2"> |
| <h3 id="_cve_2023_51747_smtp_smuggling_in_apache_james"><a class="anchor" href="#_cve_2023_51747_smtp_smuggling_in_apache_james"></a>CVE-2023-51747: SMTP smuggling in Apache James</h3> |
| <div class="paragraph"> |
<p>Apache James distributions prior to releases 3.7.5 and 3.8.1 are subject to SMTP smuggling when used in combination
with another vulnerable server, which can result in SPF bypass, leading to email forgery.</p>
| </div> |
| <div class="paragraph"> |
| <p><strong>Severity</strong>: High</p> |
| </div> |
| <div class="paragraph"> |
<p><strong>Mitigation</strong>: Releases 3.7.5 and 3.8.1 strictly interpret the CRLF delimiter and thus prevent the issue.</p>
| </div> |
| <div class="paragraph"> |
| <p>Upgrading to Apache James 3.7.5 or 3.8.1 is thus advised.</p> |
| </div> |
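<div class="paragraph">
<p>The strict CRLF interpretation the mitigation above describes, as an added example (not the Apache James parser): a DATA reader that ends the message only at CRLF.CRLF, so a dot line that follows a bare LF stays inside the body instead of terminating it early, plus a counter of such lines that a server could log. The input streams are constructed.</p>
</div>
```python
"""Strict end-of-DATA detection for an SMTP receiver.

Added example for this checklist, not Apache James code. RFC 5321 ends the DATA
phase only at the sequence CRLF '.' CRLF. A receiver that also honours a bare LF
before the dot line ends the message at a point its upstream peer did not, which
is what SMTP smuggling abuses. This reader recognises CRLF only, so a dot line
that follows a bare LF stays inside the message body.
"""
import re

CRLF = b"\r\n"
TERMINATOR = b"\r\n.\r\n"
# A '.' line whose preceding line break is a bare LF (no CR before it).
BARE_LF_DOT = re.compile(rb"(?<!\r)\n\.(?:\r?\n|$)")


def read_data(stream):
    """Split the bytes received after DATA into (message, remaining).

    message has transparency dot-stuffing removed (RFC 5321 section 4.5.2) and
    ends with CRLF unless empty; remaining is whatever followed the terminator
    (normally the next command). Raises ValueError when no strict terminator is
    present, which a real server maps to waiting for more input or a timeout.
    """
    # Prefix a CRLF so an immediate ".\r\n" (empty message) is found at offset 0;
    # the synthetic empty first line is dropped again below.
    buf = CRLF + stream
    idx = buf.find(TERMINATOR)
    if idx == -1:
        raise ValueError("DATA not terminated by CRLF.CRLF")
    lines = buf[:idx].split(CRLF)[1:]
    remaining = buf[idx + len(TERMINATOR):]
    unstuffed = [line[1:] if line.startswith(b".") else line for line in lines]
    message = CRLF.join(unstuffed)
    if message:
        message += CRLF
    return message, remaining


def bare_lf_dot_lines(message):
    """Count dot lines preceded by a bare LF. A conforming client never sends
    them, so a non-zero count is worth logging as a possible smuggling attempt."""
    return len(BARE_LF_DOT.findall(message))


def demo():
    """Constructed DATA streams: a normal message, a dot-stuffed line, and a body
    containing a bare-LF dot line that a lax parser would treat as the end."""
    normal = b"Subject: hello\r\n\r\nfirst line\r\n.\r\nQUIT\r\n"
    stuffed = b"..starts with a dot\r\n.\r\n"
    bare_lf = b"line one\r\nline two\n.\r\nline three\r\n.\r\n"
    return {
        "normal": read_data(normal),
        "stuffed": read_data(stuffed),
        "bare_lf": read_data(bare_lf),
    }


if __name__ == "__main__":
    for name, (message, remaining) in demo().items():
        print(name, message, remaining, "bare-LF dot lines:", bare_lf_dot_lines(message))
```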
| </div> |
| <div class="sect2"> |
| <h3 id="_cve_2023_51518_privilege_escalation_via_jmx_pre_authentication_deserialisation"><a class="anchor" href="#_cve_2023_51518_privilege_escalation_via_jmx_pre_authentication_deserialisation"></a>CVE-2023-51518: Privilege escalation via JMX pre-authentication deserialisation</h3> |
| <div class="paragraph"> |
<p>Apache James distributions prior to releases 3.7.5 and 3.8.1 allow privilege escalation via JMX pre-authentication deserialisation.
An attacker would need to identify a deserialization glitch before triggering an exploit.</p>
| </div> |
| <div class="paragraph"> |
| <p><strong>Severity</strong>: Moderate</p> |
| </div> |
| <div class="paragraph"> |
<p><strong>Mitigation</strong>: We recommend turning off JMX whenever possible.</p>
| </div> |
| <div class="paragraph"> |
<p>Releases 3.7.5 and 3.8.1 disable deserialization on unauthenticated channels.</p>
| </div> |
| <div class="paragraph"> |
<p>Upgrading to Apache James 3.7.5 or 3.8.1 is thus advised.</p>
| </div> |
| </div> |
| <div class="sect2"> |
| <h3 id="_cve_2023_26269_privilege_escalation_through_unauthenticated_jmx"><a class="anchor" href="#_cve_2023_26269_privilege_escalation_through_unauthenticated_jmx"></a>CVE-2023-26269: Privilege escalation through unauthenticated JMX</h3> |
| <div class="paragraph"> |
| <p>Apache James distribution prior to release 3.7.4 allows privilege escalation through the use of JMX.</p> |
| </div> |
| <div class="paragraph"> |
| <p><strong>Severity</strong>: Moderate</p> |
| </div> |
| <div class="paragraph"> |
<p><strong>Mitigation</strong>: We recommend turning authentication on. If the CLI is unused, we recommend turning JMX off.</p>
| </div> |
| <div class="paragraph"> |
<p>Release 3.7.4 implicitly sets up JMX authentication for Guice-based products and addresses the underlying JMX exploits.</p>
| </div> |
| <div class="paragraph"> |
| <p>Upgrading to Apache James 3.7.4 is thus advised.</p> |
| </div> |
| </div> |
| <div class="sect2"> |
| <h3 id="_cve_2022_45935_temporary_file_information_disclosure_in_apache_james"><a class="anchor" href="#_cve_2022_45935_temporary_file_information_disclosure_in_apache_james"></a>CVE-2022-45935: Temporary File Information Disclosure in Apache JAMES</h3> |
| <div class="paragraph"> |
| <p>Apache James distribution prior to release 3.7.3 is vulnerable to a temporary File Information Disclosure.</p> |
| </div> |
| <div class="paragraph"> |
| <p><strong>Severity</strong>: Moderate</p> |
| </div> |
| <div class="paragraph"> |
| <p><strong>Mitigation</strong>: We recommend upgrading to Apache James 3.7.3 or higher, which fixes this vulnerability.</p> |
| </div> |
| </div> |
| <div class="sect2"> |
| <h3 id="_cve_2021_44228_starttls_command_injection_in_apache_james"><a class="anchor" href="#_cve_2021_44228_starttls_command_injection_in_apache_james"></a>CVE-2021-44228: STARTTLS command injection in Apache JAMES</h3> |
| <div class="paragraph"> |
| <p>Apache James distribution prior to release 3.7.1 is vulnerable to a buffering attack relying on the use of the STARTTLS command.</p> |
| </div> |
| <div class="paragraph"> |
| <p>The fix for CVE-2021-38542, which solved a similar problem from Apache James 3.6.1 onward, is subject to a parser differential and does not take concurrent requests into account.</p> |
| </div> |
| <div class="paragraph"> |
| <p><strong>Severity</strong>: Moderate</p> |
| </div> |
| <div class="paragraph"> |
| <p><strong>Mitigation</strong>: We recommend upgrading to Apache James 3.7.1 or higher, which fixes this vulnerability.</p> |
| </div> |
| </div> |
| <div class="sect2"> |
| <h3 id="_cve_2021_38542_apache_james_vulnerable_to_starttls_command_injection_imap_and_pop3"><a class="anchor" href="#_cve_2021_38542_apache_james_vulnerable_to_starttls_command_injection_imap_and_pop3"></a>CVE-2021-38542: Apache James vulnerable to STARTTLS command injection (IMAP and POP3)</h3> |
| <div class="paragraph"> |
| <p>Apache James prior to release 3.6.1 is vulnerable to a buffering attack relying on the use of the STARTTLS |
| command. This can result in man-in-the-middle command injection attacks, potentially leading to leakage |
| of sensitive information.</p> |
| </div> |
| <div class="paragraph"> |
| <p><strong>Severity</strong>: Moderate</p> |
| </div> |
| <div class="paragraph"> |
| <p>This issue is being tracked as <a href="https://issues.apache.org/jira/browse/JAMES-1862">JAMES-1862</a></p> |
| </div> |
| <div class="paragraph"> |
| <p><strong>Mitigation</strong>: We recommend upgrading to Apache James 3.6.1, which fixes this vulnerability.</p> |
| </div> |
| <div class="paragraph"> |
| <p>Furthermore, we recommend, if possible, disabling STARTTLS and relying solely on explicit TLS for mail protocols, including SMTP, IMAP and POP3.</p> |
| </div> |
| <div class="paragraph"> |
| <p>Read more <a href="https://nostarttls.secvuln.info/">about STARTTLS security here</a>.</p> |
| </div> |
| </div> |
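| <div class="paragraph"> |
| <p>The check that closes the STARTTLS buffering problem described for CVE-2021-38542 and CVE-2021-44228, as an added example written in Go that is not part of the Apache James code base: it verifies that nothing follows the STARTTLS line in the bytes already read from the socket before the TLS handshake. The function names and the sample inputs are constructed for this illustration.</p> |
| </div> |

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrDataAfterStartTLS: plaintext bytes arrived together with STARTTLS,
// the signature of the buffering / command-injection attack.
var ErrDataAfterStartTLS = errors.New("plaintext data after STARTTLS; refusing TLS upgrade")
// CheckStartTLSBoundary inspects the raw bytes read from the socket up to and
// including the STARTTLS line. It returns that line and an error if any byte
// follows its terminating CRLF. Run it on the exact socket read buffer (not a
// re-parsed view) and before the TLS handshake on this same connection.
func CheckStartTLSBoundary(received []byte) (string, error) {
	s := string(received)
	end := strings.Index(s, "\r\n")
	if end < 0 {
		return "", errors.New("STARTTLS line not terminated by CRLF")
	}
	line := s[:end]
	if !isStartTLSLine(line) {
		return "", fmt.Errorf("not a STARTTLS command: %q", line)
	}
	if n := len(s) - (end + 2); n > 0 {
		return line, fmt.Errorf("%w: %d trailing byte(s)", ErrDataAfterStartTLS, n)
	}
	return line, nil
}

// Accepts SMTP "STARTTLS", POP3 "STLS" and IMAP "<tag> STARTTLS".
func isStartTLSLine(line string) bool {
	f := strings.Fields(strings.ToUpper(line))
	switch len(f) {
	case 1:
		return f[0] == "STARTTLS" || f[0] == "STLS"
	case 2:
		return f[1] == "STARTTLS"
	}
	return false
}

func main() {
	// Constructed samples: a clean upgrade, then a command pipelined behind STARTTLS (the buffering attack).
	for _, buf := range []string{"a001 STARTTLS\r\n", "a001 STARTTLS\r\na002 CAPABILITY\r\n"} {
		line, err := CheckStartTLSBoundary([]byte(buf))
		fmt.Printf("%q -> %q, err=%v\n", buf, line, err)
	}
}
```

A server that gets ErrDataAfterStartTLS should drop the buffered bytes and close the connection rather than replay them after the handshake.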
| <div class="sect2"> |
| <h3 id="_cve_2021_40110_apache_james_imap_vulnerable_to_a_redos"><a class="anchor" href="#_cve_2021_40110_apache_james_imap_vulnerable_to_a_redos"></a>CVE-2021-40110: Apache James IMAP vulnerable to a ReDoS</h3> |
| <div class="paragraph"> |
| <p>Using the Jazzer fuzzer, we identified that an IMAP user can craft IMAP LIST commands to orchestrate a Denial |
| of Service using a vulnerable regular expression. This affected Apache James prior to 3.6.1.</p> |
| </div> |
| <div class="paragraph"> |
| <p><strong>Severity</strong>: Moderate</p> |
| </div> |
| <div class="paragraph"> |
| <p>This issue is being tracked as <a href="https://issues.apache.org/jira/browse/JAMES-3635">JAMES-3635</a></p> |
| </div> |
| <div class="paragraph"> |
| <p><strong>Mitigation</strong>: We recommend upgrading to Apache James 3.6.1, which enforces the use of the RE2J regular |
| expression engine to execute regexes in linear time without backtracking.</p> |
| </div> |
| </div> |
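| <div class="paragraph"> |
| <p>An added illustration of the linear-time matching the mitigation above relies on, written in Go and not taken from James: an IMAP LIST mailbox pattern is compiled into Go's regexp package, which is an RE2 engine like RE2J, so a pathological pattern cannot trigger backtracking blow-up. The pattern-length cap, the function names and the sample inputs are assumptions of this example.</p> |
| </div> |

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// MaxListPatternLen caps the pattern length: even a linear-time engine spends
// time proportional to the pattern size on compilation.
const MaxListPatternLen = 1024
// ListPatternToRegexp turns an IMAP LIST mailbox pattern into an anchored
// regular expression: "*" matches anything including the hierarchy
// delimiter, "%" matches anything except the delimiter, the rest is literal.
// Go's regexp package is an RE2 engine, so matching takes time linear in the
// input with no backtracking, the property James gets from RE2J in 3.6.1.
func ListPatternToRegexp(pattern string, delimiter rune) (*regexp.Regexp, error) {
	if len(pattern) > MaxListPatternLen {
		return nil, fmt.Errorf("LIST pattern too long (%d bytes)", len(pattern))
	}
	var sb strings.Builder
	sb.WriteString("(?s)^") // (?s): let "*" span newlines too
	for _, r := range pattern {
		switch r {
		case '*':
			sb.WriteString(".*")
		case '%':
			sb.WriteString("[^" + regexp.QuoteMeta(string(delimiter)) + "]*")
		default:
			sb.WriteString(regexp.QuoteMeta(string(r)))
		}
	}
	sb.WriteString("$")
	return regexp.Compile(sb.String())
}

// MatchMailbox reports whether mailbox matches the LIST pattern.
func MatchMailbox(pattern string, delimiter rune, mailbox string) (bool, error) {
	re, err := ListPatternToRegexp(pattern, delimiter)
	if err != nil {
		return false, err
	}
	return re.MatchString(mailbox), nil
}

func main() {
	// Constructed input: many "%" wildcards then a character that never occurs. A naive
	// backtracking engine tries exponentially many splits; RE2 answers in one linear pass.
	ok, err := MatchMailbox(strings.Repeat("%", 40)+"!", '.', strings.Repeat("a", 60))
	fmt.Println(ok, err) // false <nil>
}
```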
| <div class="sect2"> |
| <h3 id="_cve_2021_40111_apache_james_imap_parsing_denial_of_service"><a class="anchor" href="#_cve_2021_40111_apache_james_imap_parsing_denial_of_service"></a>CVE-2021-40111: Apache James IMAP parsing Denial Of Service</h3> |
| <div class="paragraph"> |
| <p>While fuzzing the IMAP parsing stack with Jazzer, we discovered that crafted APPEND and STATUS IMAP commands |
| could be used to trigger infinite loops, resulting in expensive CPU computations and OutOfMemory exceptions. |
| This can be used for a Denial of Service attack. The IMAP user needs to be authenticated to exploit this |
| vulnerability. This affected Apache James prior to version 3.6.1.</p> |
| </div> |
| <div class="paragraph"> |
| <p><strong>Severity</strong>: Moderate</p> |
| </div> |
| <div class="paragraph"> |
| <p>This issue is being tracked as <a href="https://issues.apache.org/jira/browse/JAMES-3634">JAMES-3634</a></p> |
| </div> |
| <div class="paragraph"> |
| <p><strong>Mitigation</strong>: We recommend upgrading to Apache James 3.6.1, which fixes this vulnerability.</p> |
| </div> |
| </div> |
| <div class="sect2"> |
| <h3 id="_cve_2021_40525_apache_james_sieve_file_storage_vulnerable_to_path_traversal_attacks"><a class="anchor" href="#_cve_2021_40525_apache_james_sieve_file_storage_vulnerable_to_path_traversal_attacks"></a>CVE-2021-40525: Apache James: Sieve file storage vulnerable to path traversal attacks</h3> |
| <div class="paragraph"> |
| <p>The Apache James ManageSieve implementation, together with the file storage for Sieve scripts, is vulnerable |
| to path traversal, allowing any file to be read or written.</p> |
| </div> |
| <div class="paragraph"> |
| <p><strong>Severity</strong>: Moderate</p> |
| </div> |
| <div class="paragraph"> |
| <p>This issue is being tracked as <a href="https://issues.apache.org/jira/browse/JAMES-3646">JAMES-3646</a></p> |
| </div> |
| <div class="paragraph"> |
| <p><strong>Mitigation</strong>: This vulnerability has been patched in Apache James 3.6.1 and higher. We recommend upgrading.</p> |
| </div> |
| <div class="paragraph"> |
| <p>This could also be mitigated by ensuring ManageSieve is disabled, which is the case by default.</p> |
| </div> |
| <div class="paragraph"> |
| <p>Distributed and Cassandra based products are also not impacted.</p> |
| </div> |
| </div> |
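| <div class="paragraph"> |
| <p>An added example, in Go and not James code, of the containment check a file-backed Sieve script store needs so that a script name supplied over ManageSieve cannot reach outside the user's directory. The directory layout (root/user/script.sieve), function names and sample inputs are assumptions of this illustration.</p> |
| </div> |

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

var ErrUnsafeName = errors.New("unsafe Sieve script name")

// ResolveSieveScript returns the on-disk path of a user's Sieve script and
// refuses anything that would escape <root>/<user>/. Two independent layers:
// the user and script names are validated (no separators, no "..", no NUL),
// then the cleaned result is verified to stay inside the user's directory.
// Symlinks are not followed here; resolve them with filepath.EvalSymlinks
// on existing paths if the store may contain links.
func ResolveSieveScript(root, user, script string) (string, error) {
	for _, s := range []string{user, script} {
		if s == "" || s == "." || s == ".." || strings.ContainsAny(s, "/\\\x00") {
			return "", fmt.Errorf("%w: %q", ErrUnsafeName, s)
		}
	}
	userDir := filepath.Join(root, user)
	full := filepath.Join(userDir, script+".sieve")
	rel, err := filepath.Rel(userDir, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q escapes %q", ErrUnsafeName, script, userDir)
	}
	return full, nil
}

func main() {
	// Constructed inputs: a legitimate script name and a traversal attempt.
	for _, name := range []string{"vacation", "../../outside"} {
		p, err := ResolveSieveScript("/var/sieve", "alice", name)
		fmt.Printf("%q -> %q, err=%v\n", name, p, err)
	}
}
```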
| <div class="sect2"> |
| <h3 id="_cve_2017_12628_privilege_escalation_using_jmx"><a class="anchor" href="#_cve_2017_12628_privilege_escalation_using_jmx"></a>CVE-2017-12628: Privilege escalation using JMX</h3> |
| <div class="paragraph"> |
| <p>The Apache James Server prior to version 3.0.1 is vulnerable to Java deserialization issues. |
| One can use this for privilege escalation. |
| This issue can be mitigated by:</p> |
| </div> |
| <div class="ulist"> |
| <ul> |
| <li> |
| <p>Upgrading to James 3.0.1 or later</p> |
| </li> |
| <li> |
| <p>Using a recent JRE (Exploit could not be reproduced on OpenJdk 8 u141)</p> |
| </li> |
| <li> |
| <p>Exposing JMX socket only to localhost (default behaviour)</p> |
| </li> |
| <li> |
| <p>Possibly running James in a container</p> |
| </li> |
| <li> |
| <p>Disabling JMX altogether (Guice only)</p> |
| </li> |
| </ul> |
| </div> |
| <div class="paragraph"> |
| <p>Read more <a href="http://james.apache.org//james/update/2017/10/20/james-3.0.1.html">here</a>.</p> |
| </div> |
| </div> |
| </div> |
| </div> |
| </article> |
| </div> |
| </main> |
| </div> |
| <footer class="footer"> |
| <p>This page was built using the Antora default UI.</p> |
| <p>The source code for this UI is licensed under the terms of the MPL-2.0 license.</p> |
| </footer> |
| <script id="site-script" src="../../../_/js/site.js" data-ui-root-path="../../../_"></script> |
| <script async src="../../../_/js/vendor/highlight.js"></script> |
| </body> |
| </html> |