I am sorry, but you are correct about that, and I’m afraid I still am at a loss.
I use RoundCube a lot and have been for quite a while, and I cannot seem to reproduce this … yet.
Are you using the latest version of RoundCube (1.6.8)?
I don’t have Roundcube, so I can’t reproduce this with that app.
I think the problem is Postfix allowing the Unix user to use another domain name than the one that was given at the time of creating that user.
This is a problem, though.
I use the latest version of Roundcube. So what you have to do to replicate:
Create a virtual server, or use an existing one that has mail activated and configured, like mydomain.tld.
Create a second web server. There you can deactivate all features if you want; we just need the admin Unix user.
Then install Roundcube on a virtual server and set the target servers in the config to the domain you want to send mail from, like mydomain.tld. Then log in by typing in the login credentials for the admin account of the second virtual server.
You may be right, yeah, but then why does Virtualmin not configure Postfix and Dovecot in a way that prevents this?
I believe Virtualmin/Webmin is only a GUI to view all your config files and allow you to change them on the fly without having to do everything in the CLI. From my understanding, you and I are responsible for hardening our box.
There is a setting you can add to Postfix to keep users in their own realm, but I can’t think of it off the top of my head right now.
Do you have a solution, like one that automatically blocks users in Postfix and Dovecot from logging in without a domain suffix?
Try this setting in the Postfix “main.cf” by adding “reject_sender_login_mismatch”:
smtpd_sender_restrictions = reject_non_fqdn_sender reject_sender_login_mismatch reject_unknown_sender_domain
Don’t forget to back up the main.cf file before doing this.
Can I also make an exception for certain master admin accounts that are allowed to log into everything?
Your config now blocks sending emails from every address: Sender address rejected: not owned by user
What part of “Try this” don’t you understand? Obviously it’s not accepting the format of your usernames. Just remove the entry and all should be back to the original config.
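The setting suggested above, the “not owned by user” rejection that followed, and the question about master admin accounts, as an added example that is not part of the thread and not Postfix code: a small Python model of how reject_sender_login_mismatch decides, following the lookup order that postconf(5) documents for smtpd_sender_login_maps (user@domain first, then user, then @domain). The map contents, the login names mydomain, otherdomain and master@mydomain.tld, and the case-insensitive comparison of login names are assumptions of the model. It shows that reject_sender_login_mismatch without any smtpd_sender_login_maps entry rejects every authenticated sender with “not owned by user”, which matches the symptom reported above, and that a master admin login can be allowed to send as every domain by listing it on each domain’s @domain entry.

```python
"""Model of Postfix's reject_sender_login_mismatch decision (added example).

Not Postfix code and not from the thread. Follows the lookup order that
postconf(5) documents for smtpd_sender_login_maps: user@domain, then user,
then @domain. Comparing login names case-insensitively is an assumption.
"""

# Constructed stand-in for a hash:/etc/postfix/sender_login_maps table.
# Key: sender address pattern; value: SASL login names allowed to use it.
# Assumed names: each Virtualmin domain's admin Unix user, plus one
# hypothetical master admin login that may send as every domain.
LOGIN_MAP = {
    "alice@mydomain.tld": ["alice@mydomain.tld"],
    "@mydomain.tld": ["mydomain", "master@mydomain.tld"],
    "@otherdomain.tld": ["otherdomain", "master@mydomain.tld"],
}


def owners(sender, login_map):
    """Return the login names owning `sender`, or None when no key matches.

    Lookup order as documented for smtpd_sender_login_maps:
    1) user@domain  2) user  3) @domain
    """
    local, at, domain = sender.rpartition("@")
    keys = [sender, local, "@" + domain] if at else [sender]
    for key in keys:
        if key in login_map:
            return login_map[key]
    return None


def check(sasl_username, sender, login_map):
    """Decide as reject_sender_login_mismatch would for one MAIL FROM.

    Returns "OK", "not owned by user" (authenticated client whose login does
    not own the sender, including the case where the map has no entry at all)
    or "not logged in" (unauthenticated client using an owned sender).
    """
    own = owners(sender, login_map)
    if sasl_username:
        if own is None:
            return "not owned by user"
        if sasl_username.lower() not in {o.lower() for o in own}:
            return "not owned by user"
        return "OK"
    if own is not None:
        return "not logged in"
    return "OK"


if __name__ == "__main__":
    # Constructed scenarios, including the thread's two problem cases:
    # a domain admin sending as another domain, and an empty login map.
    cases = [
        ("alice@mydomain.tld", "alice@mydomain.tld", LOGIN_MAP),
        ("mydomain", "sales@mydomain.tld", LOGIN_MAP),
        ("mydomain", "sales@otherdomain.tld", LOGIN_MAP),
        ("master@mydomain.tld", "anything@otherdomain.tld", LOGIN_MAP),
        (None, "sales@mydomain.tld", LOGIN_MAP),
        ("mydomain", "sales@mydomain.tld", {}),  # no smtpd_sender_login_maps
    ]
    for user, sender, table in cases:
        print(f"login={user!s:24} from={sender:28} -> {check(user, sender, table)}")
```

In a real deployment the dictionary corresponds to a lookup table such as a file with lines like `@mydomain.tld mydomain, master@mydomain.tld`, built with `postmap hash:/etc/postfix/sender_login_maps` and referenced from main.cf as `smtpd_sender_login_maps = hash:/etc/postfix/sender_login_maps`; the restriction list quoted in the thread only works as intended once that table exists, since with no owners defined every authenticated sender is rejected.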