Roundcube Community Forum

 

BIG Problem - Users able to send email from domains they don't have access to.

Started by mrfletch, July 06, 2007, 12:02:28 AM


mrfletch

Quick question, I hope someone has dealt with this, as I would really like to move this from the 'testing' bin to up and running 100%. I run a small-time hosting company using Apple Xserves running Mac OS X Server 10.4.10, which as you may know is the latest release. Roundcube installed beautifully, and was up and running within a few minutes. I would like to use it as the front-end to our IMAP service that we offer. However, I've found a little problem, and I don't know if it is something that needs to be fixed on my end, or on the Roundcube end.

Basically, our server hosts website-a.com belonging to user-a, and website-b.com belonging to user-b. I've noticed user-b can put his username/password into the fields, and then under the "Server" option put website-a.com, and he will be able to send emails that appear to come from website-a.com even though he shouldn't be able to. I tried doing something similar to this using our current SquirrelMail install, and found out that if the user logs in as user-b he can only send emails from [email protected], not the other way around. I even tried logging him in under SquirrelMail as [email protected] but it didn't allow that, as it shouldn't.

Any thoughts on how to fix this cross-login problem I seem to be experiencing with Roundcube?

Thanks,
Paul

P.S. Thanks Roundcube for putting your time into an open source webmail system. It is definitely the best I've found up-to-date.

mrfletch

Apparently it isn't a BIG problem, as I guess there is a fix for it even though it eludes me at this moment. Any help would be greatly appreciated, although it appears the answer lies somewhere in Virtual Users. Apparently this keeps users from 'cross logging in'.

Has anyone ever set something up like this on a Mac OS X Server install? It uses Postfix for SMTP, and Cyrus for IMAP/POP. If I get it up and running I'll be sure to post information.

Thanks,
Paul