1

Topic: Identity forging using roundcube

Hi,

I find that one is able to create an alternate identity using roundcube. This is done without any verification and allows a user to send a mail using any email address. For instance if the valid mailserver user is mjackson@bad.com, he can add an identity stating bill.gates@microsoft.com and send an email using the same.

The issue I think is on the mailserver side, that should not accept mails from any other user other than mjackson@bad.com. Is there some configuration somewhere where we could limit or restrict this.

I am using the latest iRedMail server.

Thanks in anticipation.

Regards,
Shomiron


2

Re: Identity forging using roundcube

What version of RoundCube are you using?

I myself am using 0.3.1, and I have the following in the "main.inc.php" file:

$rcmail_config['identities_level'] = 3;

e.g., just 1 identity permitted and permissions to edit all data but not e-mail address.

3

Re: Identity forging using roundcube

Thanks,

This stops roundcube from setting up identities, however, we also need to stop the mailserver accepting messages from people claiming alternate identities, so some setting needs to change on the mailserver setting.

Regards,
Shomiron

maxie_ro wrote:

What version of RoundCube are you using?

I myself am using 0.3.1, and I have the following in the "main.inc.php" file:

$rcmail_config['identities_level'] = 3;

e.g., just 1 identity permitted and permissions to edit all data but not e-mail address.

4

Re: Identity forging using roundcube

shomiron wrote:

however, we also need to stop the mailserver accepting messages from people claiming alternate identities

Normally iRedMail permits SMTP only from authenticated users (at least to my knowledge, I'm not a dev). What you describe should not happen normally. Check the "mynetworks" parameter in postfix's "main.cf" file. You should normally only have "127.0.0.1/24" there.

Also check "smtpd_recipient_restrictions" and the rest of the file if it's not "mynetworks" causing problems.

5

Re: Identity forging using roundcube

You should use 'reject_sender_login_mismatch' in smtpd_sender_restrictions:

smtpd_sender_restrictions = permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated

6

Re: Identity forging using roundcube

Zhang,

Tried, but postfix is still accepting emails from alternate / unverified identities.
My smtpd_sender_restrictions line looks exactly the same.

Thanks for the help.

Regards,
Shomiron

ZhangHuangbin wrote:

You should use 'reject_sender_login_mismatch' in smtpd_sender_restrictions:

smtpd_sender_restrictions = permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated

7

Re: Identity forging using roundcube

reject_sender_login_mismatch is what you need. Try this:

smtpd_sender_restrictions = reject_sender_login_mismatch, permit_mynetworks, permit_sasl_authenticated

8

Re: Identity forging using roundcube

Done, it works now :)

ZhangHuangbin wrote:

reject_sender_login_mismatch, permit_mynetworks, permit_sasl_authenticated

9

Re: Identity forging using roundcube

Hi,
I have configured roundcube with identities_level = 0 and set reject_sender_login_mismatch before permit_mynetworks.

But I have several accounts whose main domain is something like user@test.com

And several projects have their own domain, like @toto.com

So, for example, the account user@test.com receives the mails for contact@toto.com and should be able to reply from that sender.

The problem is that the alias is not attached to the user account, so it cannot send email from contact@toto.com.
How do I proceed without disabling reject_sender_login_mismatch?
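The following is an added example, not code from iRedMail, Postfix or any poster in this thread. It is a small Python model of how Postfix walks a smtpd_sender_restrictions list, built to show two things from the thread at once: why the order in post 5 (permit_mynetworks first) still let a Roundcube login send as bill.gates@microsoft.com while the order in post 7 rejects it (Roundcube on the same host connects from 127.0.0.1, which is inside mynetworks, so permit_mynetworks returns before the mismatch check ever runs), and how the smtpd_sender_login_maps lookup that reject_sender_login_mismatch relies on can list user@test.com as an owner of contact@toto.com, which is the alias case from post 9. The map contents, the mynetworks value (127.0.0.0/8) and the client IPs are constructed for the example; in a real iRedMail install the map is backed by its user database and the exact configuration varies by version.

```python
"""Model of Postfix smtpd_sender_restrictions evaluation for
reject_sender_login_mismatch. Added example; not Postfix or iRedMail code."""
from dataclasses import dataclass
import ipaddress
from typing import Optional

# Constructed stand-in for smtpd_sender_login_maps:
# MAIL FROM address -> set of SASL login names that own it.
SENDER_LOGIN_MAPS = {
    "mjackson@bad.com": {"mjackson@bad.com"},
    "user@test.com": {"user@test.com"},
    # alias case from post 9: user@test.com may send as contact@toto.com
    "contact@toto.com": {"user@test.com"},
}

# Assumed mynetworks value (the real iRedMail default may differ).
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8")]


@dataclass
class Session:
    client_ip: str
    sasl_username: Optional[str]  # None when the client did not authenticate
    mail_from: str


def permit_mynetworks(s: Session) -> Optional[str]:
    ip = ipaddress.ip_address(s.client_ip)
    return "OK" if any(ip in net for net in MYNETWORKS) else None


def permit_sasl_authenticated(s: Session) -> Optional[str]:
    return "OK" if s.sasl_username else None


def reject_sender_login_mismatch(s: Session) -> Optional[str]:
    """Postfix semantics: an authenticated client is rejected unless its login
    owns the MAIL FROM address (an address with no owner counts as a mismatch);
    an unauthenticated client is rejected if the address has any owner."""
    owners = SENDER_LOGIN_MAPS.get(s.mail_from.lower(), set())
    if s.sasl_username is None:
        return "REJECT" if owners else None
    return None if s.sasl_username.lower() in owners else "REJECT"


RESTRICTIONS = {
    "permit_mynetworks": permit_mynetworks,
    "permit_sasl_authenticated": permit_sasl_authenticated,
    "reject_sender_login_mismatch": reject_sender_login_mismatch,
}


def evaluate(restriction_list: str, s: Session) -> str:
    """Walk the comma-separated list left to right; the first restriction that
    returns OK or REJECT decides. If none does, the result is DUNNO and Postfix
    continues with the next restriction stage (e.g. smtpd_recipient_restrictions)."""
    for name in (r.strip() for r in restriction_list.split(",")):
        verdict = RESTRICTIONS[name](s)
        if verdict is not None:
            return verdict
    return "DUNNO"


# The two orders from posts 5 and 7 of the thread.
ORDER_POST5 = "permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated"
ORDER_POST7 = "reject_sender_login_mismatch, permit_mynetworks, permit_sasl_authenticated"

# Constructed sessions: Roundcube on the mail host connects from 127.0.0.1.
FORGED = Session("127.0.0.1", "mjackson@bad.com", "bill.gates@microsoft.com")
ALIAS_OWNED = Session("127.0.0.1", "user@test.com", "contact@toto.com")
ALIAS_FOREIGN = Session("127.0.0.1", "mjackson@bad.com", "contact@toto.com")
REMOTE_UNAUTH = Session("203.0.113.5", None, "mjackson@bad.com")

if __name__ == "__main__":
    print("post 5 order, forged sender:", evaluate(ORDER_POST5, FORGED))  # OK
    print("post 7 order, forged sender:", evaluate(ORDER_POST7, FORGED))  # REJECT
    print("post 7 order, owned alias:", evaluate(ORDER_POST7, ALIAS_OWNED))  # OK
    print("post 7 order, foreign alias:", evaluate(ORDER_POST7, ALIAS_FOREIGN))  # REJECT
    print("post 7 order, unauth remote:", evaluate(ORDER_POST7, REMOTE_UNAUTH))  # REJECT
```

The model only covers the three restrictions named in the thread and an exact-address lookup; real Postfix also stops at the first REJECT/OK and falls through to later restriction stages on DUNNO in the same way, which is why relay control for unauthenticated remote clients whose sender has no owner still has to come from smtpd_recipient_restrictions rather than from this list.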