Hello,
I'm currently exploring Plesk's mail capabilities. I searched for an option to add a "sender address" to individual email accounts of a domain, but couldn't find any.
To my surprise, I was able to add a sender address of an existing mail account on the same domain in Outlook, using the original account's login, and send emails "from" that address.
Is there any way to prohibit users from sending through other mail addresses on the same domain?
Steps to reproduce:
On a domain (example.com), add 2 mail accounts: boss@ and apprentice@
Configure apprentice@ account in Outlook (new Profile)
Write an email, select "additional email address" in the "From" dropdown of Outlook
enter [email protected] in "From" field, leave [email protected] as "Send with", hit OK
Send Email to a third account
The third account will receive a mail from [email protected], even though there aren't any credentials configured for [email protected]. /var/log/mail.log shows the sasl_username used was apprentice@
To be precise the mail header From is set to [email protected], and the Sender header ist set to [email protected]. To an end user, it still looks like boss@ sent the mail, which is excellent for fraudsters. Gmail on Android just shows [email protected] as the sender, no mention of the configured Name or Address of apprentice@...
Can this be prevented? Either in Plesk, or in Postfix?
I'm currently exploring Plesk's mail capabilities. I searched for an option to add a "sender address" to individual email accounts of a domain, but couldn't find any.
To my surprise, I was able to add a sender address of an existing mail account on the same domain in Outlook, using the original account's login, and send emails "from" that address.
Is there any way to prohibit users from sending through other mail addresses on the same domain?
Steps to reproduce:
On a domain (example.com), add 2 mail accounts: boss@ and apprentice@
Configure apprentice@ account in Outlook (new Profile)
Write an email, select "additional email address" in the "From" dropdown of Outlook
enter [email protected] in "From" field, leave [email protected] as "Send with", hit OK
Send Email to a third account
The third account will receive a mail from [email protected], even though there aren't any credentials configured for [email protected]. /var/log/mail.log shows the sasl_username used was apprentice@
To be precise the mail header From is set to [email protected], and the Sender header ist set to [email protected]. To an end user, it still looks like boss@ sent the mail, which is excellent for fraudsters. Gmail on Android just shows [email protected] as the sender, no mention of the configured Name or Address of apprentice@...
Can this be prevented? Either in Plesk, or in Postfix?