NS8 Mail: authenticated users can send mail with arbitrary From-address

Hi all,

I have just tested what happens if I configure an arbitrary From address in a mail client and try to send the mail as an authenticated user via NS8 Mail. Surprisingly, it works, which allows a user to fake e-mails from another user on the same NS8 instance, just by changing the From address in the mail client (e.g., this is possible in SOGo webmail by creating another identity).
It is even possible to send with a From address from a completely different domain that is not part of the NS8 Mail configuration at all.

Is there a setting to disable this behavior and allow a user to send mail only from addresses that would deliver to his personal inbox, or to valid shared inboxes?

Thank you!

There is a switch to enable sender/login match in the NS8 Mail settings / Relay; see also Mail — NS8 documentation

4 Likes

Thank you, that solves it!

1 Like

Almost: there is one exception. Since the recipient delimiter is set in Postfix, the user test@example.com also receives mail for test+sometext@example.com.
However, sending from test+sometext@example.com is blocked using the setting above. It should, however, be possible for the user test@example.com, because he owns that mail address.

Can this be solved?

1 Like

I think it can be solved by using a custom Postfix configuration; see also GitHub - NethServer/ns8-mail: NS8 Mail module with SMTP, IMAP, Spam/Virus filter
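
An added sketch, not from the thread and not NS8 or Postfix code, of the recipient-delimiter case discussed above: a sender/login check that also accepts extended forms of an address the login already owns. The `OWNERS` table, the function names and the `+` delimiter are assumptions made for illustration.

```python
# Model of the ownership decision only; this is not how Postfix or NS8 implement it.
RECIPIENT_DELIMITER = "+"  # assumed, matching the thread's test+sometext example

# Constructed sample data: sender address -> logins allowed to send from it.
OWNERS = {
    "test@example.com": {"test"},
    "sales@example.com": {"test", "alice"},  # shared inbox
    "alice@example.com": {"alice"},
}


def strip_extension(address, delimiter=RECIPIENT_DELIMITER):
    """Return the base address: test+sometext@example.com -> test@example.com."""
    local, sep, domain = address.strip().lower().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not a mailbox address: {address!r}")
    base, _, _ext = local.partition(delimiter)
    # A local part that starts with the delimiter has no base; keep it unchanged.
    return f"{base or local}@{domain}"


def sender_allowed(login, sender, owners=OWNERS, extension_aware=True):
    """Decide whether an authenticated login may use this sender address."""
    try:
        base = strip_extension(sender)
    except ValueError:
        return False  # empty or malformed sender is refused in this model
    exact = sender.strip().lower()
    # Exact entries are checked first, so an extended address can be assigned explicitly.
    if login in owners.get(exact, set()):
        return True
    # Fall back to the base address only when extension handling is enabled.
    if extension_aware and base != exact:
        return login in owners.get(base, set())
    return False
```

With `extension_aware=False` the function reproduces the strict behaviour reported in the thread, where the extended address is refused even for its owner.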