
Issue Sending emails from other email addresses

Toxiro

New Pleskian
Hello,

I realized today that I can easily setup an email account in my email client with ANY email address and use my Plesk SMTP account credentials for it.

That means:
  1. A person from one company (domain) on my server can send emails in the name of another person from the same or even another company (domain) on my server.
  2. A person on my server can send an email from ANY email address (e.g. Gmail, Microsoft) to any other person on my server.
Is there any way to restrict people to send emails from other email addresses than their own?
 
Actually, any person on the Internet can send emails in your name. It's just the way that email was created back in the early days of the Internet. You cannot really restrict that.

You can use DKIM and SPF and their combination DMARC to enable recipients to determine whether the sending domain is actually authorized to send emails, but that still allows other users of the same domain to mimic your mail address when they can send mails through the same SMTP server.
 
The fact that the protocol does not support it does not mean it is not possible. I think every major email provider does exactly this, and it seems it is also possible with Postfix: Postfix: prevent users from changing the real e-mail address

The problem is that I do not want to maintain this manually; this should be done by the people who manage their domain in Plesk. So Plesk should support it, and I guess from your answer that it does not at the moment.

I think this is a major security issue in a world where identity fraud and phishing are an everyday issue. Just think about what you can do when you are able to send emails within the company in the name of the CEO.
 
This approach only prevents the email users from your own server from using a different email address. Wouldn't it? Like @Peter Debik mentions, the rest of the internet could still easily spoof your email address. DKIM and SPF together with DMARC are the only effective methods to combat this.

Don't get me wrong, I am in favor of having more options in Plesk to restrict email abuse. The solution described in the Stack Overflow post is certainly an interesting one. However, in the grand scheme of things it does little to prevent email abuse.
 
DKIM and SPF together with DMARC are the only effective methods to combat this.
Alright, then I can solve the problem with the rest of the internet, but how can I stop an internal user from e.g. sending an approval to pay a bill in the name of the CEO? This was not possible in any company I have worked at so far (I hope). As far as I know, most attacks come from inside the company, and the biggest threat is phishing and social engineering. Please correct me if this can already be done with DKIM etc.; my understanding was that it only secures the domain, but not single email addresses.

Anyway, I had misunderstood the Stack Overflow post; it seems Postfix can be configured globally and does not have to be maintained for every email address, so this can (hopefully easily) be done without Plesk.

Still, I think it would be a good feature if this could be activated by Plesk or deactivated e.g. for system emails. Is security not a good selling point at the moment? :)
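For readers who want to see what the "global" Postfix configuration mentioned in this thread looks like, the following is an added example of a main.cf fragment; it is not Plesk's own configuration and not taken from the Stack Overflow post. It assumes a lookup table at the placeholder path `/etc/postfix/sender_login_maps` that you create and build with `postmap` yourself; the Postfix parameter and restriction names are real, everything else is illustrative.

```ini
# Added example (not Plesk's configuration). Binds the SMTP AUTH login name
# to the envelope sender addresses it is allowed to use.

# Lookup table: envelope sender (MAIL FROM) -> SASL login(s) that own it.
# Placeholder path; build it with:  postmap hash:/etc/postfix/sender_login_maps
# Example table contents (constructed for this example):
#   alice@example.com   alice@example.com
#   bob@example.com     bob@example.com
#   sales@example.com   alice@example.com, bob@example.com
smtpd_sender_login_maps = hash:/etc/postfix/sender_login_maps

# Evaluated at MAIL FROM. reject_authenticated_sender_login_mismatch rejects
# an authenticated session whose login is not listed for the envelope sender
# (covers both cases from the first post: another local mailbox, or a foreign
# address such as a Gmail one that is simply absent from the table).
# Unauthenticated inbound mail is not affected, so SPF/DKIM/DMARC remain the
# control for senders outside this server.
smtpd_sender_restrictions =
    reject_authenticated_sender_login_mismatch,
    permit
```

Two caveats a practitioner should keep in mind. First, this check applies to the SMTP envelope sender only; a mail client can still put a different address in the `From:` header, so the header should be checked as well (for example with a header check or a milter) if the goal is to stop internal impersonation. Second, the stricter `reject_sender_login_mismatch` also rejects unauthenticated clients that use an address listed in the table, which can break legitimate inbound mail (forwarders, mailing lists) carrying one of your own addresses as envelope sender; the authenticated-only variant above avoids that. Because Plesk manages its Postfix configuration, verify after any Plesk update or mail configuration rebuild that the settings are still in effect, e.g. with `postconf smtpd_sender_restrictions`.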
 