Prevent users from forging smtp

Discussion in 'ISPConfig 3 Priority Support' started by felan, Apr 21, 2020.

  1. felan

    felan Member HowtoForge Supporter

    Good morning.
    I have an interesting case senario, I'd like to get your input on.
    We have two customers, one owns domain1.tdl and the other owns domain2.tdl
    Now the owner of domain2.tdl feels like messing with the owner of domain1.tdl and uses his credentials to send mails from [email protected] from his [email protected] account.
    How can we prevent that? Any thoughts?
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Enable the checkbox "Reject sender and login mismatch" under System > Server config > mail.
     
  3. felan

    felan Member HowtoForge Supporter

    Thanks :D
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    And besides that, you have the address details of both clients, identity theft is forbidden in most countries, tell him that you will report him to the authorities and he will never do it again unless he wants to go to court ;)
     
  5. felan

    felan Member HowtoForge Supporter

    Oh the case is already with the police. Just a nusens to deal with :p
     
  6. elmacus

    elmacus Active Member HowtoForge Supporter

    Should that be standard on all servers, or just when you "have problem" ?
    Could it be problem to enable that if Wordpress sends email from: [email protected] and login as [email protected] ? Does it check whole emailadress or just the domain name ?
     
    Last edited: Apr 21, 2020
  7. felan

    felan Member HowtoForge Supporter

    It's not enabled on a fresh install. I'd say it should be enabled as standard.
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    It checks the email address, so the emails in your example will get rejected.

    The problem is that if we enable it automatically, mails will fail in many scenarios as the one @elmacus mentioned. or users which use aliases in their mail client might get problems as well.
     
  9. elmacus

    elmacus Active Member HowtoForge Supporter

    Thanks @till , that was what i suspected. So we cant activate this on any server. Alot of websites must be checked beforehand.
    On a new server we could have it on from start.

    Is it possible to only check this for the domain in future ? Should i then report it in feature request ?
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    Sure, might be good to use a stricter setting by default. The drawback will just be more support request here though with users that report 'a bug' when they can't send emails with a wrong address :)
     

Share This Page