NethServer Version: 6.9
Module: webtop

Hello everyone, we are using NethServer as a mail server. Recently we had some spam issues due to a hacked password of an external user.
The strange thing is that this external user was capable of sending mail from a fake domain not present in our NethServer. How is it possible? How can I stop my server from sending mail from unknown domains?
(Obviously I changed the password of the hacked user and we have no more spam.)


Well… if you can authenticate yourself you can easily use any sending domain you want: AFAIK there's no such restriction.

So you are telling me that if I know the password of a user, I can send mail from any other account? For example, if a technician knows the password of his user account, then he can also send mail from the administration department or every other user account?

Nice catch … this should not be possible.

I edited my SOGo email settings like so:

The result after sending a mail to myself:

But what's worse is that I can, as is suggested above, enter ANY address I like, including that of the CEO, and pretend I have sent mail from there. If I edit my personal details to match, there is no good way to see this was done.

This is a HUGE issue if you ask me.

The "issue" has nothing to do with SOGo, but just with how the SMTP server is configured.

For example, I often create an account on my servers to be used as an authenticated SMTP smarthost for some customers…

I should not be able to impersonate another address on the same server.

Maybe, but this is the way things are working now.

There’s a discussion opened here:

So, it might be that I have been too long in a Microsoft world, as this is indeed the default behaviour on the few mail servers I tested this on just now.

It looks pretty WTF if you are not aware of this and have been living in an Outlook/Exchange world.

Can anybody school me on how they prevent JohnDoe@mydomain sending mail as if it was from or with links to malicious content? Is this just no concern to people? Am I still missing something?

Well… Exchange/Outlook and email server in the same sentence is an oxymoron :slight_smile:

…I know, I know … try to tell that story in userland :frowning:

…stuff like that … they do not like to hear that Exchange ignores standards in order to be able to provide those services, and therefore breaks compatibility with just about everything else.

The only way to prevent things like this is implementing a check like @saitobenkei suggested above :point_up:

As long as it also recognises aliases, I am all for that!

(Which he failed to make it work with webtop :smiley: )
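For readers wondering what "a check" of the kind mentioned above looks like in practice, here is an added example, not configuration from this thread and not NethServer's own templates: a generic Postfix fragment that binds each authenticated SASL login to the envelope sender addresses it is allowed to use, shared aliases included. The domain, user names and the map file path are constructed placeholders.

```text
# main.cf (excerpt)
# Lookup table: envelope sender address -> login(s) that may use it
smtpd_sender_login_maps = hash:/etc/postfix/sender_login_maps

# Weak: every authenticated user may put any address in MAIL FROM
#smtpd_sender_restrictions = permit_sasl_authenticated

# Hardened: an authenticated client whose login does not own the
# sender address is rejected before the message is accepted
smtpd_sender_restrictions =
    reject_authenticated_sender_login_mismatch,
    permit_sasl_authenticated

# /etc/postfix/sender_login_maps  (run `postmap` on it after editing)
# sender address       login(s) allowed to use it; commas or spaces separate them
john@example.com       john@example.com
alice@example.com      alice@example.com
ceo@example.com        ceo@example.com
sales@example.com      john@example.com, alice@example.com   # shared alias
```

Two points a practitioner should keep in mind. First, `reject_authenticated_sender_login_mismatch` is used rather than the broader `reject_sender_login_mismatch` because the latter also rejects unauthenticated clients that present a listed address as envelope sender; on a server that also receives inbound mail on port 25, that can block legitimate forwarded or mailing-list traffic carrying your own users' addresses, so many setups apply the check only on the submission port through a `-o smtpd_sender_restrictions=...` override in master.cf. Second, the check covers the SMTP envelope sender, not the `From:` header the webmail client writes, so the client-side identity settings (the SOGo or webtop identities discussed in this thread) still matter for what the recipient sees. On NethServer the Postfix files are generated from templates, so the settings belong in the system's configuration mechanism rather than a hand edit of main.cf, which would be overwritten.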