Hi! There's a bug (some kind of) in all RCWM versions. If you are using RCWM and MTA on the same machine then postfix (for example) isn't asking the saslauth daemon whether the user is authenticated (because the process is running on the localhost) - it depends on the client restrictions. If the user changes the identity to another account located on the server then he can easily send messages using an unauthorized e-mail address. For example foo@foobar.com is able to send e-mails via the foobar@foobar.com account without authentication. To prevent the users from changing the identity you could use my suggested patch.
You can find it at http://gorzow-wlkp.eu/~warlock/rcwm-0.1.1-identity-fix.patch Simply, go to the RCWM directory and type: patch -p0 < rcwm-0.1.1-identity-fix.patch BTW: SORRY for my lame eng.
List info: http://lists.roundcube.net/dev/
Maciej Drobniuch wrote:
Hi ! There's a bug(some kind of) in all RCWM versions. If you are using RCWM and MTA on the same machine then postfix(for example) isn't asking the saslauth daemon that the user is authenticated(because the process is running on the localhost) - it depends on the client restrictions.
Depends completely on your postfix (or other MTA) config.
You probably have something like:
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated
While what you really want is:
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks
Robin
Hi,
Maciej Drobniuch (Friday, 2008-05-02):
If you are using RCWM and MTA on the same machine then postfix (for example) isn't asking the saslauth daemon whether the user is authenticated (because the process is running on the localhost) - it depends on the client restrictions. If the user changes the identity to another account located on the server then he can easily send messages using an unauthorized e-mail address. For example foo@foobar.com is able to send e-mails via the foobar@foobar.com account without authentication. To prevent the users from changing the identity you could use my suggested patch.
So you want to remove wanted/needed functionality because your MTA is misconfigured? Imo this is the wrong way to go.
Patrick.
On Friday 02 May 2008 16:16:16 Maciej Drobniuch wrote:
Hi! There's a bug (some kind of) in all RCWM versions. If you are using RCWM and MTA on the same machine then postfix (for example) isn't asking the saslauth daemon whether the user is authenticated (because the process is running on the localhost) - it depends on the client restrictions. If the user changes the identity to another account located on the server then he can easily send messages using an unauthorized e-mail address. For example foo@foobar.com is able to send e-mails via the foobar@foobar.com account without authentication. To prevent the users from changing the identity you could use my suggested patch.
You can find it at http://gorzow-wlkp.eu/~warlock/rcwm-0.1.1-identity-fix.patch Simply, go to the RCWM directory and type: patch -p0 < rcwm-0.1.1-identity-fix.patch BTW: SORRY for my lame eng.
i don't know.. i use different from addresses which all resolve to the same inbox. qmail e.g. has address extensions enabling foo@bar.com to use anything like foo-some@bar.com, foo-somemore@bar.com. and the user might want to use this feature for filtering. unless you use strict spf rules for the sender domain (and everybody else uses spf) and you deny your users direct access to your smtp (or use some way to lock the smtpauth login name to the sender email address), you will always have someone sending mail with your email address.
use gpg to sign your mails. then anyone who's interested in authenticity can check.
On Fri, 2 May 2008 16:50:08 +0200, Justin Heesemann ever-roundcube@blocksberg.com wrote:
use gpg to sign your mails. then anyone who's interested in authenticity can check.
http://getfiregpg.org/ <--- you can use this for example ;)
(I know, I shouldn't ^^)
Regards,
Patrick Nagel wrote:
So you want to remove wanted/needed functionality because your MTA is misconfigured? Imo this is the wrong way to go.
maybe you should elaborate a bit. not everyone on this list is a postfix/exim/qmail guru :).
cheers, raoul
Robin Elfrink wrote:
While what you really want is:
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks
i'd opt for:
smtpd_sender_restrictions = reject_sender_login_mismatch permit_sasl_authenticated permit_mynetworks
smtpd_sender_login_maps = <fill in here>
that will prevent users from sending from other ids.
cheers, raoul
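The following is an added example (not code from Roundcube, from Postfix, or from anyone on this list) that simulates how Postfix walks a restriction list such as smtpd_sender_restrictions: left to right, first restriction with an opinion wins, implicit permit at the end. It covers both Robin's reordering of permit_mynetworks and permit_sasl_authenticated and raoul's reject_sender_login_mismatch suggestion, so the outcome for the localhost webmail case from the first post can be checked for each list. The $mynetworks value, the smtpd_sender_login_maps table and the client sessions are constructed sample data, and the three restriction functions are a simplified model of the documented Postfix semantics, not its source.

```python
"""Simulation of how Postfix evaluates smtpd_sender_restrictions.

Added example for this thread, not code from Roundcube or Postfix. It models
first-match-wins evaluation of the restriction names the replies mention
(permit_mynetworks, permit_sasl_authenticated, reject_sender_login_mismatch)
so the effect of their ordering can be checked. The sender login map and the
client sessions are constructed sample data.
"""
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, NamedTuple, Optional, Set

# Assumed value of $mynetworks: only the local host is trusted.
MYNETWORKS = [ip_network("127.0.0.0/8"), ip_network("::1/128")]

# Constructed sample of smtpd_sender_login_maps: sender address -> SASL
# login names allowed to use it (Postfix lets one address have several owners).
SENDER_LOGIN_MAPS: Dict[str, Set[str]] = {
    "foo@foobar.com": {"foo"},
    "foobar@foobar.com": {"foobar"},
}


class Session(NamedTuple):
    client_ip: str                  # address the SMTP client connected from
    sasl_username: Optional[str]    # None when the client did not authenticate
    mail_from: str                  # envelope sender given in MAIL FROM


Verdict = Optional[str]             # "permit", "reject" or None (no opinion)


def permit_mynetworks(s: Session) -> Verdict:
    # Version mismatch (IPv4 address vs IPv6 network) simply yields False.
    if any(ip_address(s.client_ip) in net for net in MYNETWORKS):
        return "permit"
    return None


def permit_sasl_authenticated(s: Session) -> Verdict:
    return "permit" if s.sasl_username else None


def reject_sender_login_mismatch(s: Session) -> Verdict:
    """Unauthenticated clients may not use an address that has an owner;
    authenticated clients may only use addresses they own."""
    owners = SENDER_LOGIN_MAPS.get(s.mail_from.lower(), set())
    if s.sasl_username is None:
        return "reject" if owners else None
    return None if s.sasl_username in owners else "reject"


RESTRICTIONS: Dict[str, Callable[[Session], Verdict]] = {
    "permit_mynetworks": permit_mynetworks,
    "permit_sasl_authenticated": permit_sasl_authenticated,
    "reject_sender_login_mismatch": reject_sender_login_mismatch,
}


def evaluate(restriction_list: str, s: Session) -> str:
    """Walk the list left to right; the first restriction with an opinion wins.
    Postfix's implicit default at the end of smtpd_sender_restrictions is permit."""
    for name in restriction_list.replace(",", " ").split():
        verdict = RESTRICTIONS[name](s)
        if verdict is not None:
            return verdict
    return "permit"


# The situation from the first post: webmail on the same host relays through
# 127.0.0.1 without SASL, and the user picked a different identity.
WEBMAIL_NO_AUTH = Session("127.0.0.1", None, "foobar@foobar.com")
WEBMAIL_AS_FOO = Session("127.0.0.1", "foo", "foobar@foobar.com")
FOO_OWN_ADDRESS = Session("127.0.0.1", "foo", "foo@foobar.com")
UNMAPPED_LOCAL = Session("127.0.0.1", None, "nobody@example.invalid")

ORIGINAL = "permit_mynetworks, permit_sasl_authenticated"
REORDERED = "permit_sasl_authenticated, permit_mynetworks"
WITH_MISMATCH = ("reject_sender_login_mismatch permit_sasl_authenticated "
                 "permit_mynetworks")

if __name__ == "__main__":
    for label, rlist in [("original", ORIGINAL), ("reordered", REORDERED),
                         ("with mismatch check", WITH_MISMATCH)]:
        for sess in (WEBMAIL_NO_AUTH, WEBMAIL_AS_FOO, FOO_OWN_ADDRESS, UNMAPPED_LOCAL):
            print(f"{label:20} {sess.sasl_username or '-':7} "
                  f"{sess.mail_from:25} -> {evaluate(rlist, sess)}")
```

Running it shows two things worth checking against a real main.cf: swapping the order of two permit_* entries changes nothing for an unauthenticated localhost client, because whichever permit comes first still matches it, so the reject must be placed before the permits as in raoul's list; and reject_sender_login_mismatch only says something about addresses that appear in smtpd_sender_login_maps, so a local address that is missing from the table is still accepted from $mynetworks. The map therefore has to list every address (and extension) local users are allowed to send as.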