Roundcube Community Forum

 

User Alias Cheating

Started by jon10, May 02, 2015, 08:57:00 AM


jon10

Hey,
I have googled around a lot and can't seem to solve this.

If [email protected] adds [email protected] as an alias, usera is able to send emails on behalf of userb.
Furthermore, usera can create any username, e.g. [email protected], as an alias and send emails using that new username.

How do I prevent this?
I assume it's a Postfix / Courier issue?

Thanks!

SKaero

Actually, it's a Roundcube setting. You can add the following to your config.inc.php and change the value as you see fit.

// Set identities access level:
// 0 - many identities with possibility to edit all params
// 1 - many identities with possibility to edit all params but not email address
// 2 - one identity with possibility to edit all params
// 3 - one identity with possibility to edit all params but not email address
// 4 - one identity with possibility to edit only signature
$config['identities_level'] = 0;

jon10

Quote from: SKaero on May 02, 2015, 04:17:42 PM
Actually, it's a Roundcube setting. You can add the following to your config.inc.php and change the value as you see fit.

// Set identities access level:
// 0 - many identities with possibility to edit all params
// 1 - many identities with possibility to edit all params but not email address
// 2 - one identity with possibility to edit all params
// 3 - one identity with possibility to edit all params but not email address
// 4 - one identity with possibility to edit only signature
$config['identities_level'] = 0;

Dear SKaero, thanks for the reply!
I am not sure if it is a Roundcube setting. Let's say a user were to connect to my mail server using telnet: they would be able to send an email as any email address as long as they have the usn/pwd for one valid address.

Thanks,
- J

SKaero

Yes they would be able to send from any address. You would need to edit your mail server to completely prevent it.

jon10

Quote from: SKaero on May 04, 2015, 02:31:44 AM
Yes they would be able to send from any address. You would need to edit your mail server to completely prevent it.

Indeed I would. Do you have any instructions / advice on how I can do that?
I have already enabled Postfix SASL user authentication using PAM to query the MySQL database which contains the usn/pwd table. But that doesn't seem to be working.

SKaero

Unfortunately I don't. I'd guess that you would want to code a script that would check/change the from line on the way out, but I can't say how it would be best to do that.
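
Added example, not part of the original thread and not posted by either participant: Postfix can bind the envelope sender to the authenticated SASL login on the mail server itself, which covers the telnet case that the Roundcube identities_level setting cannot. The file paths, database name, credentials, and the "mailbox" table with its "address" and "login" columns are assumptions; adapt them to the existing MySQL schema.

```ini
# ---- /etc/postfix/main.cf (path assumed) ----

# Weak: no binding between SASL login and sender address, so any
# authenticated user may put any address in MAIL FROM.
# smtpd_sender_restrictions =

# Corrected: look up which login owns each sender address, and reject
# MAIL FROM addresses that the logged-in user does not own. Addresses
# with no owner in the map are also rejected for authenticated clients,
# so a made-up username cannot be used as a sender.
smtpd_sender_login_maps = mysql:/etc/postfix/mysql-sender-login.cf
smtpd_sender_restrictions =
    reject_sender_login_mismatch

# ---- /etc/postfix/mysql-sender-login.cf (path assumed) ----
# %s is the MAIL FROM address being checked; the query must return the
# SASL login name(s) allowed to use it. Real aliases that a user should
# be able to send from need their own rows pointing at that login.
# Hypothetical schema: table "mailbox", columns "address" and "login".
user     = postfix
password = CHANGE_ME
hosts    = 127.0.0.1
dbname   = mail
query    = SELECT login FROM mailbox WHERE address = '%s'
```

reject_sender_login_mismatch compares the SASL login with the envelope sender (MAIL FROM) only; the From: header inside the message is not checked by this restriction. If the submission service in master.cf overrides smtpd_sender_restrictions with its own -o option, the restriction has to be added there as well.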