Why?
As of today, James relies on Apisix for OIDC enforcement and propagates the calls to James, identifying the user by means of the X-User header. This means that any access to the JMAP port of James means full compromise (integrity and confidentiality) of the underlying data.
While of course an attacker should not breach a private network, having a seat belt for this can definitely save the day!
Having a shared secret to prove the identity of the caller could achieve this (the caller would need to either man-in-the-middle or compromise Apisix or James, which would in itself compromise the email data anyway).
Such a shared secret would greatly reduce the attack surface...
How?
Have a configurable shared secret for X-User in jmap.properties:
If configured, XUserAuthenticationStrategy would require the incoming request to carry the following header:
and reject non-compliant requests with 401.
We would need to modify our Apisix plugin to optionally add the shared secret there too.
If omitted, all requests are accepted (today's behaviour).
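An added example modelling both sides of the proposed check in Python (not James or Apisix code): the gateway sets X-User and the secret header after OIDC succeeded, and the strategy rejects with 401 when a configured secret is missing or wrong, while keeping today's behaviour when no secret is configured. The property name `x-user.secret` and the header name `X-User-Secret` are assumptions made for this example.

```python
import hmac
from dataclasses import dataclass
from typing import Mapping, Optional

# Hypothetical names for this example; not James' actual property key or header.
SECRET_PROPERTY = "x-user.secret"   # assumed jmap.properties key
SECRET_HEADER = "X-User-Secret"     # assumed header carrying the shared secret


@dataclass(frozen=True)
class AuthResult:
    status: int                     # 200 when accepted, 401 when rejected
    username: Optional[str] = None


def load_secret(jmap_properties: Mapping[str, str]) -> Optional[str]:
    """Return the configured shared secret, or None when the property is absent or blank."""
    value = jmap_properties.get(SECRET_PROPERTY, "").strip()
    return value or None


def x_user_authenticate(headers: Mapping[str, str], shared_secret: Optional[str]) -> AuthResult:
    """Model of the X-User strategy: trust X-User only if the shared secret (when configured) matches."""
    lowered = {k.lower(): v for k, v in headers.items()}   # HTTP header names are case-insensitive
    username = lowered.get("x-user")
    if not username:
        return AuthResult(401)                  # no identity asserted by the gateway
    if shared_secret is None:
        return AuthResult(200, username)        # today's behaviour: X-User is trusted as-is
    presented = lowered.get(SECRET_HEADER.lower(), "")
    # Constant-time comparison so a mismatch does not leak how many bytes matched.
    if not hmac.compare_digest(presented.encode(), shared_secret.encode()):
        return AuthResult(401)
    return AuthResult(200, username)


def apisix_forward(client_headers: Mapping[str, str], username: str,
                   shared_secret: Optional[str]) -> dict:
    """Model of the gateway side: overwrite, never pass through, X-User and the secret header."""
    headers = {k: v for k, v in client_headers.items()
               if k.lower() not in ("x-user", SECRET_HEADER.lower())}
    headers["X-User"] = username                # identity established by OIDC at the gateway
    if shared_secret:
        headers[SECRET_HEADER] = shared_secret
    return headers
```

Dropping any client-supplied X-User or secret header at the gateway matters as much as the check itself, since the secret only proves the request came through Apisix.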
DoD