Author Topic: User Alias Cheating  (Read 4765 times)

Offline jon10

  • Newbie
  • *
  • Posts: 4
User Alias Cheating
« on: May 02, 2015, 08:57:00 AM »
Hey,
I have googled around a lot and can't seem to solve this.

If usera@domain.com adds userb@domain.com as an alias, usera is able to send emails on behalf of userb.
Furthermore, usera can create any username, e.g. random23@domain.com, as an alias and send emails using that new username.

How do I prevent this?
I assume it's a Postfix / Courier issue?

Thanks!

Offline SKaero

  • Administrator
  • Hero Member
  • *****
  • Posts: 5,879
    • SKaero - Custom Roundcube development
Re: User Alias Cheating
« Reply #1 on: May 02, 2015, 04:17:42 PM »
Actually it's a Roundcube setting; you can add the following to your config.inc.php and change the value as you see fit.
Code:
// Set identities access level:
// 0 - many identities with possibility to edit all params
// 1 - many identities with possibility to edit all params but not email address
// 2 - one identity with possibility to edit all params
// 3 - one identity with possibility to edit all params but not email address
// 4 - one identity with possibility to edit only signature
$config['identities_level'] = 0;

Offline jon10

Re: User Alias Cheating
« Reply #2 on: May 03, 2015, 07:26:59 AM »
Dear SKaero, thanks for the reply!
I am not sure if it is a Roundcube setting. Let's say a user were to connect to my mail server using telnet: they would be able to send an email as any email address as long as they have the usn/pwd for one valid address.

Thanks,
- J

Offline SKaero

Re: User Alias Cheating
« Reply #3 on: May 04, 2015, 02:31:44 AM »
Yes, they would be able to send from any address. You would need to edit your mail server to completely prevent it.

Offline jon10

Re: User Alias Cheating
« Reply #4 on: May 04, 2015, 05:22:10 AM »
Indeed I would. Do you have any instructions / advice on how I can do that?
I have already enabled Postfix SASL user authentication using PAM to query the MySQL database which contains the usn/pwd table. But that doesn't seem to be working.

Offline SKaero

Re: User Alias Cheating
« Reply #5 on: May 04, 2015, 05:41:30 AM »
Unfortunately I don't. I'd guess that you would want to code a script that would check/change the from line on the way out, but I can't say how it would be best to do that.
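
One way to write the outbound check suggested in the last reply (an added example, not part of the thread and not Roundcube or Postfix code): it compares the authenticated login with both the envelope sender and the From: header, using a table of addresses each login owns. The OWNED table, the function names and the sample messages are constructed for illustration; Postfix's own `reject_sender_login_mismatch` with `smtpd_sender_login_maps` enforces the envelope half of this at SMTP time.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed ownership table: SASL login -> addresses it may send as.
# In the thread's setup this would be read from the MySQL user/alias tables.
OWNED = {
    "usera@domain.com": {"usera@domain.com", "sales@domain.com"},
    "userb@domain.com": {"userb@domain.com"},
}

def _norm(addr):
    """Lower-case and strip an address for comparison."""
    return addr.strip().lower()

def check_sender(sasl_login, envelope_from, raw_message, owned=OWNED):
    """Return (allowed, reason) for one submitted message."""
    allowed = {_norm(a) for a in owned.get(_norm(sasl_login), ())}
    if not allowed:
        return False, "unknown login"
    # The envelope sender (SMTP MAIL FROM) must belong to the login.
    if _norm(envelope_from) not in allowed:
        return False, "envelope sender not owned by login"
    # The From: header is what the recipient sees; check it separately,
    # because a matching envelope sender says nothing about the header.
    msg = message_from_string(raw_message)
    from_addrs = [_norm(a) for _, a in getaddresses(msg.get_all("From", [])) if a]
    if len(from_addrs) != 1:
        return False, "expected exactly one From address"
    if from_addrs[0] not in allowed:
        return False, "From header not owned by login"
    return True, "ok"

# Constructed sample messages.
OWN = "From: User A <usera@domain.com>\nTo: x@example.org\nSubject: hi\n\nbody\n"
SPOOF_HDR = "From: User B <userb@domain.com>\nTo: x@example.org\nSubject: hi\n\nbody\n"
INVENTED = "From: random23@domain.com\nTo: x@example.org\nSubject: hi\n\nbody\n"

if __name__ == "__main__":
    cases = [
        ("usera@domain.com", "usera@domain.com", OWN),        # allowed
        ("usera@domain.com", "userb@domain.com", SPOOF_HDR),  # envelope mismatch
        ("usera@domain.com", "usera@domain.com", SPOOF_HDR),  # header mismatch
        ("usera@domain.com", "usera@domain.com", INVENTED),   # invented address
    ]
    for login, mail_from, raw in cases:
        print(login, mail_from, check_sender(login, mail_from, raw))
```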