1 Topic by InWeb

  • InWeb
  • Member
  • Offline
  • Registered: 2013-03-06
  • Posts: 22

Topic: RoundCube - Authenticated user in header?

==== Required information ====
- iRedMail version: 1.9.2
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Linux/BSD distribution name and version: CentOS 6.5
====

Hello,

today one of my users changed the "identity" on RoundCube to another user, to send messages as him. In the mail headers, there's no reference to the autheticated webmail user. There is a way, in RoundCube or Postfix, to force a header like "X-Authenticated-User"? Or a way to disallow send messages when "from" is not the authenticated email account?

Thank you!

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2 Reply by 7t3chguy

  • 7t3chguy
  • 7t3chguy
  • Forum Moderator
  • Offline
  • From: United Kingdom
  • Registered: 2015-01-08
  • Posts: 713

Re: RoundCube - Authenticated user in header?

By default Postfix will not allow you to send if the authenticated sender isn't the same as the FROM header.

Do you have the following line in your Postfix Main.cf file?

smtpd_sender_restrictions = permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated

Follow this configuration if you want to 'Manage' who can send with different FROM headers:
http://www.iredmail.org/docs/allow.cert … .user.html
[You could specify just yourself or no one for that matter]

7t3chguy's Website

3 Reply by InWeb

  • InWeb
  • Member
  • Offline
  • Registered: 2013-03-06
  • Posts: 22

Re: RoundCube - Authenticated user in header?

Hello (again) 7t3chguy!

Yes, that's my line (default value, didn't change). Maybe this works only for external IPs, authenticated and connected on ports 465/587? My problem is only in webmail, IP 127.0.0.1 that is in the "permit_mynetworks":

mynetworks = 127.0.0.0/8

Maybe localhost is free of restrictions?

4 Reply by 7t3chguy

  • 7t3chguy
  • 7t3chguy
  • Forum Moderator
  • Offline
  • From: United Kingdom
  • Registered: 2015-01-08
  • Posts: 713

Re: RoundCube - Authenticated user in header?

I mostly use Roundcube and I got tripped up by it stopping me from sending with a forged FROM header, set up iRedAPD to manage this functionality using the link I provided above, this should remedy this situation while providing you a method of allowing certain users to have the ability to send from different addresses.
Let me know if it works for you

7t3chguy's Website

5 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,094

Re: RoundCube - Authenticated user in header?

InWeb wrote:

In the mail headers, there's no reference to the autheticated webmail user.

You can set 'smtpd_sasl_authenticated_header=yes' in /etc/postfix/main.cf. Postfix will append a header with authenticated user name.

Reference: http://www.postfix.org/postconf.5.html# … ted_header

InWeb wrote:

Or a way to disallow send messages when "from" is not the authenticated email account?

You can adjust your Postfix settings like this (reject_sender_login_mismatch first):

smtpd_sender_restrictions = reject_sender_login_mismatch, permit_mynetworks, permit_sasl_authenticated

Or, use iRedAPD plugin `reject_sender_login_mismatch` (read comment in /opt/iredapd/reject_sender_login_mismatch.py for more details).

6 Reply by InWeb

  • InWeb
  • Member
  • Offline
  • Registered: 2013-03-06
  • Posts: 22

Re: RoundCube - Authenticated user in header?

Hi Zhang,

'smtpd_sasl_authenticated_header=yes' will work on webmail too? No problem to be "connected from 127.0.0.1"?

Thanks

7 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,094

Re: RoundCube - Authenticated user in header?

Works with all emails sent by authenticated user.

8 Reply by InWeb

  • InWeb
  • Member
  • Offline
  • Registered: 2013-03-06
  • Posts: 22

Re: RoundCube - Authenticated user in header?

Thank you again, Zhang, I'll configure this option.

Rogerio