Deny mail spoofing

lxix

Hey everyone,

Do anyone know how to reliably configure the email role to deny mail spoofing? I have default settings, except that i have smarthost configured (mailbaby).

The problem:
I manage my own email in enhance, so i have an email address for xy@myhosting.com. I've also created an email address for one of my client: xyclient@clientsite.com. Now, if i log in with xyclient@clientsite.com in roundcube, i can add xz@myhosting.com as an identity and i can send an email as if im one of the employees of myhosting.com. This is possibly an issue between xy@clientsite.com and yx@otherclientsite.com too.

Things i've tried:
I can edit the roundcube configuration of the main roundcube instance (webmail.myhosting.com), so i can set: $config['identities_level'] = 3;. This way no one can create new identities in the main roundcube instance. I can still create abusive identities after i log in at mail.clientsite.com as i don't know how to edit those configs.

Roundcube configuration may still not be enough. I have experience with docker mailserver, and it has a SPOOF_PROTECTION setting that tackles the problem on a deeper level. Maybe enhance should have a similar setting too.

mendozal

lxix What if you su - roundcubelocal in the email servers themselves. There you can find the client's roundube instance.

slimx

Following. +1

ivansalloum

I experienced the same.

josedieguez

COLBYLICIOUS

+1, this is a must

Rich

Nice find! Thank you +1

DracoBlue

lxix

mendozal

Thanks for the tip! I'll try it.

Update: this did the trick, thanks!

ivansalloum

lxix Could you please share the solution?

Shaijee

lxix

ivansalloum

Yup, but as i mentioned in the original post, this is just a band aid solution. The problem needs to be addressed on a deeper level and maybe the roadmapped "Enhanced outbound email spam prevention and detection." feature will solve this completely, not sure.

Anyway, this is what i came up with for now:

I've modified the main roundcube instance configuration by navigating to Websites/(WML)webmail.myhosting.com/Files on the control panel, then i opened public_html/config/config.inc.php for edit and pasted $config['identities_level'] = 3; on the last line (You can use 0-4 values, see default config).
For the client instances, i've SSH'd into my server with the root user (only one at the moment, but i guess you want to do it on every server you have email/application role installed on), then i executed the su - roundcubelocal command (suggested by @mendozal). As the roundcubelocal user, i've opened the same config file with nano (nano public_html/config/config.inc.php), pasted the same config on the last line and saved (ctrl+x if you use nano).
I check my mail logs regularly to spot any abuse.

Adam

This is definitely possible in Postfix. From version 11.0.0 you will be able to customise postfix configuration.

slimx

So how do we do this cluster wide? anyone have a solution yet or ?