SMTP Security

Apache James Server is configured by default to avoid being an SMTP open-relay.

SMTP Auth and "Verify Identity" options are enabled when you install James (read more).

Encryption Security

Apache James Server supports SSL/TLS (read more).

User Credential Security

Apache James Server supports different user storage (read more) - LDAP support is partial (work in progress).

Reported vulnerabilities

Apache James 3.0.0

The Apache James Server version 3.0.0 is vulnerable to Java deserialization issues.

One can use this for privilege escalation.

This issue can be mitigated by:

  • Upgrading to James 3.0.1
  • Using a recent JRE (Exploit could not be reproduced on OpenJdk 8 u141)
  • Exposing JMX socket only to localhost (default behaviour)
  • Possibly running James in a container

Read more here.