Dovecot / SOGo - Sending as a Different Sender / Delegation

Dear Community,

Today I discovered an unexpected behavior (that’s probably how Apple would describe it) of the mail server or SOGo on NethServer 8.

Mail.app Version 1.6.3 and 1.6.4
SOGo Version 5.12.1

The goal was to allow certain users (from SOGo) to send emails with email sender addresses that aren’t actually their own (e.g., for consistent external communication).

So far, I had only tested this for myself, or rather, used it when I wanted to send from one of my alias addresses (no dedicated mailboxes). For this purpose, I created a “new identity” with this address in SOGo and was able to send from this address accordingly. “Delegation” wasn’t necessary, or rather, it wasn’t possible, because the alias address didn’t have its own account and was assigned to me anyway. So, it worked as expected.

Now, others should be able to send from addresses on other accounts. To do this, I set up a “delegation” in the mailbox of the delegating mailbox via SOGo – initially for the group of users who were to be “delegated.” The first user then created a “new identity” accordingly (entries correct) and attempted to send. SOGo immediately issued an error message like this:
5.7.1 we@domain.tld: Sender address rejected: not owned by user test.user - mail@otherdomain.tld

This only partially surprised me, as delegation to groups might not even be implemented. So I removed the group delegation and delegated the user instead. This user was immediately offered to me as I typed it in (I don’t know how it worked with the group). I noticed that this was the “more correct” approach because the SOGo account of the “delegate” didn’t require a “new identity”; instead, the desired sender name could be selected directly. But sending didn’t work here either, with the same error message.

I then updated mail.app from 1.6.3 to 1.6.4, but that didn’t change anything. The offered core update didn’t change anything either.

In mail.app under “Settings > Mail Relay,” the option “Force Sender/Login Match” is, of course, enabled – we don’t want everyone to be able to send as they please.

Until now, I was under the impression that the “delegate” function allowed me to send as someone else despite the option being set? Or does “delegate” only serve to automatically set the desired identities?

What requirements must be met for Person A to be able to send using Person B’s address?

Regards, Yummiweb

1 Like

This setting needs to be disabled to make the delegations in SOGo work, as it doesn’t allow the logged-in user to send from another mail address in the Postfix SMTP server. If you set up a delegation in SOGo, Postfix doesn’t know about it and still blocks the delegated mail address.

Maybe you want to open another feature request to be able to set “send as” in Postfix to allow specific users/groups to send from another mail address but still respect the enabled “Force Sender/Login Match” to not allow any known mail address.

1 Like

Thank you for your answer. This makes things a lot clearer for me.

It would, of course, be very practical if such an assignment (sending permission) could be defined via the NS8 GUI.

The sender address and the delegated address would both be in mail format and could therefore, in principle, be easily entered into a special Postfix configuration (/etc/postfix/sender_access).

# Format: sender-email permitted-user(s)
sender-yxz@domain.tld john.doe@domain.tld

It would be more difficult to determine at which level, for example, the sender address is determined – because there are several levels: the user’s (email is a login name or a specific address), an email alias, a public mailbox, or a group address.

The same applies to the target of the delegation, i.e., how the delegated users are defined. This could be individual users or, more conveniently, all users in a group.

Therefore, it seems to me that a corresponding function would be best placed under a special “Mail Delegation” section.

For most people, it might be sufficient to simply add the delegate to the group of those who also receive emails to this address. But this doesn’t always have to be the same.

For my purposes, it would almost be sufficient if I entered such an exception in a special Postfix config (/etc/postfix/sender_access):

# Format: sender-email permitted-ad-or-ldap-group(s)
sender-yxz@domain.tld ad-group-abc

But generating these entries or the previously required Postfix LDAP query to determine the group members is too complex for me. NS8 probably uses special paths, methods, or something similar that I’m not familiar with.

Regards, Yummiweb

1 Like
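
The mapping discussed in the last post, as an added example (not code from the thread or from NS8): it expands user and group delegations into the "sender address, then permitted SASL logins" table that Postfix's smtpd_sender_login_maps reads, and models the ownership check behind the "not owned by user" rejection. The owner table, group membership and function names are constructed assumptions; in production the group members would come from an LDAP/AD query, and how NS8 passes such a map to its Postfix instance is not covered here.

```python
from typing import Dict, List, Set

# Constructed sample data (assumptions, not taken from a real directory).
GROUPS: Dict[str, Set[str]] = {"ad-group-abc": {"john.doe", "test.user"}}
OWNERS: Dict[str, str] = {              # sender address -> owning SASL login
    "we@domain.tld": "we",
    "john.doe@domain.tld": "john.doe",
}
DELEGATIONS: Dict[str, List[str]] = {   # sender address -> users or groups
    "we@domain.tld": ["ad-group-abc"],
}


def build_login_map(owners, delegations, groups) -> Dict[str, List[str]]:
    """Return sender -> sorted SASL logins allowed to use it as MAIL FROM."""
    table: Dict[str, Set[str]] = {}
    for sender, login in owners.items():
        table.setdefault(sender.lower(), set()).add(login)
    for sender, principals in delegations.items():
        key = sender.lower()
        if key not in table:
            # A delegation must refer to an address that already has an owner.
            raise ValueError(f"delegation for unknown sender {sender!r}")
        for principal in principals:
            # A group name expands to its members; anything else is one login.
            table[key].update(groups.get(principal, {principal}))
    return {s: sorted(logins) for s, logins in sorted(table.items())}


def render(table: Dict[str, List[str]]) -> str:
    """Text map: lookup key, whitespace, comma-separated login names."""
    return "".join(f"{s} {','.join(logins)}\n" for s, logins in table.items())


def login_may_send(table, sender: str, login: str) -> bool:
    """Model of the check for an authenticated client: the login must be
    listed for the exact address, else for the @domain key."""
    sender = sender.lower()
    for key in (sender, "@" + sender.rpartition("@")[2]):
        if key in table:
            return login in table[key]
    return False  # no owner entry: the login does not own this sender


if __name__ == "__main__":
    print(render(build_login_map(OWNERS, DELEGATIONS, GROUPS)), end="")
```

Because the table is generated, removing a user from the group removes the send-as right on the next rebuild, while "Force Sender/Login Match" stays enabled for every other address.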