Koozali.org: home of the SME Server
Contribs.org Forums => General Discussion => Topic started by: gotagug on June 21, 2022, 03:27:04 AM
-
Hi guys,
In Thunderbird, there is an option wherein you can customize the "From" address. My issue is the SME Server allows the message to be sent because it has a valid username and password. Is there a way so that the SME Server will not allow this scenario?
-
Hi.
Can you be a little more specific here?
In Thunderbird, there is an option wherein you can customize the "From" address
OK.
My issue is the SME Server allows the message to be sent because it has a valid username and password.
SME usually allows any authenticated user to send email. I don't believe it has any relationship to the "From" setting. It is based on the user name, which you can see in Thunderbird Preferences/Security/Saved logins.
So you can change to any 'From' address but it won't authenticate without the correct username/password.
-
I understand the need.
While it is practical, it allows one user to impersonate another user by sending a mail from anotheruser@yourdomain.com. It also allows sending a mail with a From of anotheruser@anotherdomain.com, unless the DMARC / DKIM / SPF settings prevent you from doing so.
Checking that the user is permitted to use the From email could be done at qpsmtpd level with a plugin, in theory. Not sure one exists to do so.
-
How can I prevent the user (user@mydomain.com) from impersonating an email address (anotheruser@mydomain.com) if he has a valid username and password?
-
By writing your own qpsmtpd plugin
and
creating, using a template, a config file with a username per line and all accepted emails after a ":", comma separated:
username:username,allowedpseudo1,allowedpseudo2,allowedgroup
The challenge will also be to accept pseudonyms with @, and to accept all domains configured on your SME or not, when creating this file.
-
That said, when you check the header of the mail, the logged user should be visible, from memory, or at least in your qpsmtpd log. So the one impersonating another can be found.
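
The check proposed in the thread, as an added example that is not part of any post and is not a qpsmtpd plugin: Python code that parses the suggested `username:allowed1,allowed2` file and decides whether an authenticated user may use a given From address. The function names, the sample map and the list of hosted domains are assumptions; entries without "@" are treated as valid on every hosted domain, entries with "@" are matched as full addresses.

```python
from email.utils import parseaddr

# Constructed sample in the format proposed in the thread:
#   username:username,allowedpseudo1,allowedpseudo2,allowedgroup
SAMPLE_MAP = """\
# constructed sample data
alice:alice,sales,alice.smith@example.org
bob:bob,support
"""
LOCAL_DOMAINS = {"example.com", "example.net"}  # assumed domains hosted on the server


def load_allowlist(text):
    """Parse 'user:entry1,entry2' lines into {user: set(allowed entries)}."""
    allow = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, entries = line.partition(":")
        if not sep or not user.strip():
            continue  # malformed line: skip rather than guess
        names = {e.strip().lower() for e in entries.split(",") if e.strip()}
        allow.setdefault(user.strip().lower(), set()).update(names)
    return allow


def may_send_as(auth_user, from_header, allow, domains=LOCAL_DOMAINS):
    """True if the authenticated user may use the address in from_header."""
    _, addr = parseaddr(from_header)
    local, at, domain = addr.lower().rpartition("@")
    if not at or not local or not domain:
        return False  # no usable address: refuse
    allowed = allow.get(auth_user.lower(), set())
    if addr.lower() in allowed:
        return True  # entry written with '@' matches the full address only
    # Bare entries (no '@') are valid on every locally hosted domain.
    return domain in domains and local in allowed


ALLOW = load_allowlist(SAMPLE_MAP)
```

A user missing from the map has no allowed addresses, so the check fails closed for that account.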