[Building Sakai] mailarchive / james rejected email notices not being sent

Mon Jan 30 10:41:39 PST 2012

Hi Kevin,

This issue the release meeting last Thursday. We decided that email archive
should send a rejection based off a template that doesn't contain any
information from the original email in it. It can't contain subject or body
or else it could be used for relaying. It could only contain the fixed
template message and information about the site that rejected. This would
hopefully be enough to help someone who accidentally sends from the wrong
email address or has their box mis-configured.

I also proposed adding in some minimal caching the response so someone
still couldn't use Sakai to bomb someone with these types of emails.

I don't have an ETA for the fix, but either myself or Aaron Z was going to
look into it *soon*.

I haven't tried that workaround either, but it seems like it would be a
security risk if you changed it.

On Mon, Jan 30, 2012 at 1:35 PM, Kevin Carruth <kcarruth at virginia.edu>wrote:

> We've recently noticed that when incoming emails are rejected by sakai,
> the original senders are not being notified by sakai's internal mailer.
> We're seeing this in two cases:
>   1) a user sends mail to a site for which he does not have permission
>   2) a user sends mail to a non-existent (bogus) site email address
>
> In case #1, tomcat logs an exception like this:
> ==========
> 2012-01-09 11:18:28,630 INFO Spool Thread #9
> org.sakaiproject.james.SakaiMailet - : mail rejected: from:
> kcarruth at gmail.com not authorized for site: mdstfaculty
> ==========
>
> In case #2, the log shows something like this:
> ==========
> 2012-01-09 11:20:14,477 INFO Spool Thread #6
> org.sakaiproject.james.SakaiMailet - <4F0B13BD.2080606 at virginia.edu> :
> mail rejected: org.sakaiproject.exception.IdUnusedException
> id=bogus-address
> ==========
>
> In either case, the user who sent the message sees nothing in response,
> no indication that something went wrong. James does seem to create
> rejection emails but then for some reason doesn't send them. Pairs of
> files are created in
>
>
> /usr/local/tomcat/webapps/sakai-mailarchive-james/apps/james/var/mail/address-error
>
> One file will be named "<identifier>.Repository.FileObjectStore", and
> the other "<identifier>.Repository.FileStreamStore". For example, I just
> generated a pair by sending to a bogus address:
>     4D61696C313332373432373733363435372D32333437.Repository.FileObjectStore
>     4D61696C313332373432373733363435372D32333437.Repository.FileStreamStore
>
> The 'FileStreamStore' file is a simple copy of the email sent, with
> headers and whatnot. The 'FileObjectStore' file is a binary file but
> when I read it, I can see some strings that would suggest its intent to
> be a rejection reply to the message sent in.
>
> I found https://jira.sakaiproject.org/browse/SAK-19841 , which suggests
> that this functionality changed in 2.6 to prevent spam relaying, and a
> user suggests a possible 'fix' by registering the machine's actual IP
> address (instead of the default 127.0.0.1 that's already there) in a
> mailarchive config.xml file under "RemoteAddrNotInNetwork", but that
> hasn't worked for us. It's also been suggested using
> "authorizedAddresses" config in the same xml file, but that hasn't
> worked either. We've tried both specific IP addresses and wildcard
> catch-alls.
>
> Has anyone had any success re-enabling these sorts of notifications in
> another manner, and if so, how?
>
> Thanks,
> Kevin @ UVa
> _______________________________________________
> sakai-dev mailing list
> sakai-dev at collab.sakaiproject.org
> http://collab.sakaiproject.org/mailman/listinfo/sakai-dev
>
> TO UNSUBSCRIBE: send email to
> sakai-dev-unsubscribe at collab.sakaiproject.org with a subject of
> "unsubscribe"
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://collab.sakaiproject.org/pipermail/sakai-dev/attachments/20120130/608343d1/attachment.html 