Unix users without @domain.tld ending can log in and send mails from all domains running on Virtualmin

Hello,
I noticed that all Unix users whose username is in the format “username” instead of “username@domain.tld”, and server owners of a domain in Virtualmin who do not have the “@domain.tld” ending, can send emails from all domains that have mail allowed.

For example:
I have the domains webmin.tld and cloudmin.tld in the Virtualmin server and they both have mail enabled.
Then the server owner of webmin.tld, who automatically has “webmin” as their Unix username, can log in to cloudmin.tld with the username “webmin” and send mails from webmin@cloudmin.tld.

How to avoid this?

SYSTEM INFORMATION
OS type and version: Debian 11
Virtualmin version: 7.20.2

My guess is you will have to do it on an individual user basis. Lots of ‘Unix’ was dreamed up when ease of access was considered a “good thing™”.

I don’t know if this is still valid but it may be a start. The link is old but that’s as far as I’m going at the moment. Good luck. :smiley:
www.cyberciti.biz/faq/howto-blacklist-reject-sender-email-address/

Thank you. But I host servers for clients and this manual approach is not a good solution there.

How is the webmin user sending an email from cloudmin.tld?

You can log in via anydomainonmyserver.com:10000

Have you verified this behaviour with a remote email address?

I cannot reproduce this. How are you achieving this? We need some more information please.

I think this is a security issue; I cannot do this with cPanel that I know of.

The user still needs to authenticate to send an email, so not sure how it's an issue.

I would like clarification on how this issue works or if it is not as explained.

How does Virtualmin send emails apart from its system emails, which send as webmin@domain.tld? There is no in-built email client, but I have used Usermin to send mail as a non-suffixed user, and it appended the correct domain suffix to the user. Any other email client will not allow a non-suffixed user name, so again, how are you doing it?

webmin has root access, doesn’t everybody know this?

webmin will send email to users related to tasks it performs for that user, such as cron jobs.
Whatever else webmin needs to notify you about.

You can actually change the behavior by telling webmin to use a user's account, such as the admin's account, to send out email in webmin's settings.

If this isn't what you believe is happening then you need to provide us with some logs showing that another user is capable of doing this.
Don’t use “webmin” as an example because webmin has root access to send out emails to other accounts on the server.

Well I do, but you are correct, don't use webmin as an example for the reasons described. So far no evidence of anything out of order, but who knows what this thread is about? Is it about webmin sending email or a user sending emails?

I see that there are some misunderstandings with my explanation. Let me explain it differently.
The following scenario:

I create two virtual servers with the names “shoeshop.tld” and “webhosting.tld”.
When creating both servers, a Unix user is automatically created which has login rights for email, ssh, ftp, webmin and mysql, so we have the Unix users “shoeshop” and “webhosting”.
If I now want to log in to the server shoeshop.tld using a webmail client such as roundcube, I can log in with webhosting@shoeshop.tld and send emails from there.

All additional accounts such as mail accounts that are created via the “Edit Users” page automatically get the name: “username@relateddomain.tld” and cannot then log in to other domains.

It's about users who can send emails from other domains which they should not be allowed to.

The username webmin is here used in the context of the administrator of the domain webmin.tld, not anymore, which gets automatically created when creating the virtual server.

Sounds like a bug in your email client. Try sending a mail from the Usermin email client; does that behave the same?

@jimr1 but if you use a different email client like Roundcube and set the target server to domain.tld, you can log in with almost any Unix user that has no suffix, even with those that belong to the admin accounts of other virtual servers.

Tried with Thunderbird, that errored out; tried Outlook, that errored out; Usermin added the correct suffix. But tbf I don't use Roundcube.

Ok, now we're getting somewhere. When you send out an email, what do the postfix logs show as the domain sending the email?

In my test, yes, I can log into another user's domain as you described. That part can be reproduced even in Usermin.
But when sending out an email it uses the first user's domain credentials and not the domain you logged into. My postfix logs show that the Unix user is sending out email with their username and their domain, not the user's domain I logged into.

Yes, I repeated it…

No, Usermin handles this correctly, but with any other mail client this is not the case.

from=webhosting@shoeshop.tld, size=586, nrcpt=1 (queue active)
That says postfix,
and on the recipient's email client webhosting@shoeshop.tld is also shown as the sender.
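A way to check the postfix logs for exactly the case discussed in this thread, added here as an example that is not from the thread or from Virtualmin itself: join each message's smtpd line (which carries sasl_username) to its qmgr line (which carries the envelope from=<>) on the queue id, then flag any message whose sender domain is not the domain that login belongs to. The log lines and the owner-to-domain map below are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed Postfix syslog sample (not from the thread). The smtpd line
# records the SASL login name, the qmgr line the envelope sender (from=<>).
SAMPLE_LOG = """\
Jan 10 12:00:01 mail postfix/smtpd[2101]: 7A1B2C3D4E: client=unknown[203.0.113.5], sasl_method=PLAIN, sasl_username=webhosting
Jan 10 12:00:01 mail postfix/qmgr[1010]: 7A1B2C3D4E: from=<webhosting@shoeshop.tld>, size=586, nrcpt=1 (queue active)
Jan 10 12:00:05 mail postfix/smtpd[2102]: 8B2C3D4E5F: client=unknown[203.0.113.9], sasl_method=PLAIN, sasl_username=webhosting
Jan 10 12:00:05 mail postfix/qmgr[1010]: 8B2C3D4E5F: from=<webhosting@webhosting.tld>, size=600, nrcpt=1 (queue active)
Jan 10 12:00:09 mail postfix/smtpd[2103]: 9C3D4E5F6A: client=unknown[198.51.100.2], sasl_method=PLAIN, sasl_username=sales@shoeshop.tld
Jan 10 12:00:09 mail postfix/qmgr[1010]: 9C3D4E5F6A: from=<sales@shoeshop.tld>, size=700, nrcpt=2 (queue active)
"""

# Constructed Virtualmin-style owner map: unsuffixed Unix user -> its own domain.
OWNER_DOMAINS = {"webhosting": "webhosting.tld", "shoeshop": "shoeshop.tld"}

SASL_RE = re.compile(r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): .*sasl_username=(?P<user>\S+)")
FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>")


def allowed_domain(sasl_user: str, owners: Dict[str, str]) -> Optional[str]:
    """Domain a login may send from: the suffix of a user@domain login, the
    owner's own domain for an unsuffixed Unix user, None if the user is unknown."""
    if "@" in sasl_user:
        return sasl_user.rsplit("@", 1)[1].lower()
    return owners.get(sasl_user)


def find_mismatches(log: str, owners: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Join smtpd and qmgr lines on the queue id; return (queue_id, sasl_username,
    envelope_sender) where the sender domain is not the login's domain (unknown logins too)."""
    logins: Dict[str, str] = {}
    senders: Dict[str, str] = {}
    for line in log.splitlines():
        m = SASL_RE.search(line)
        if m:
            logins[m["qid"]] = m["user"]
            continue
        m = FROM_RE.search(line)
        if m:
            senders[m["qid"]] = m["sender"]
    hits = []
    for qid, user in logins.items():
        sender = senders.get(qid)
        if not sender or "@" not in sender:
            continue  # bounce (<>) or no queue-manager line for this id yet
        if sender.rsplit("@", 1)[1].lower() != allowed_domain(user, owners):
            hits.append((qid, user, sender))
    return hits
```

Run `find_mismatches(open("/var/log/mail.log").read(), owners)` with the real owner map to list offending queue ids. Postfix can also enforce the same rule at submission time with `smtpd_sender_login_maps` and `reject_authenticated_sender_login_mismatch` in `smtpd_sender_restrictions`.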