Virtualmin 6 - Usermin : "From" field from "Compose Email" should not be editable

The “From” textbox field in “Compose Email” is editable by default, and this could be a potential bug, as any user can change the “From” text field and send fake emails. Usermin also doesn’t authenticate it and sends the emails.

How do we make this field read-only? Or even hidden if possible?


This is OK, so you can use mail aliases instead of the main email. About sending fake emails: if the receiving server is properly configured, these emails will fail and your IP will pretty soon end up in every major blacklist. Once there, good luck sending any type of email (fake or not), as all/most of them will be rejected.

But I agree with one thing: they should make this option a drop-down menu containing the main email and all aliases connected with that account. Not to prevent fake emails, but to allow a quick switch between different emails without the need to type the entire email address each time (which I find an extremely stupid solution and a pure waste of time, plus it's prone to misspelling).

Hi @Diabolico,

Thanks for your reply.

This is ok so you can use mail aliases instead of the main email

The issue is that Usermin doesn’t restrict this to just mail aliases; one can enter anything in the “From” textbox, no matter whether the email account exists or whether it’s an alias of the same mailbox.

For ex:
One can type “” or “” and it does send the email.
This is something I would like to stop, so that a shared hosting user is not able to send emails on behalf of other users’ email IDs.

The issue is that Usermin doesn’t restrict

This isn't Usermin's job but Postfix's (and other internal/external services/software), so first you must check the Postfix conf file and see what you have there. Even if you change Usermin, this will not stop your client from installing some other software and abusing the server. This is why almost every hosting company has SpamExperts or something similar, to prevent not only incoming spam but outgoing too. Failing to properly secure your server will put your IP (and possibly domain) on every blacklist on the web. The tricky part is when you end up on the Google (Gmail) blacklist, as there isn't any way to appeal or remove yourself. When it comes to Google, your ban could last for months, and some people reported even more than a year. So everything comes down to how much money you have/want to invest and how big a risk you want to take.
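
The check discussed in this thread, as an added example that is not from any poster here and is not Usermin or Postfix code: a Python script that reads Postfix logs and reports messages whose envelope sender does not belong to the account that submitted them. The log lines are constructed in the usual Postfix syslog layout, `ALLOWED` and `audit` are hypothetical names, and only the envelope sender that Postfix logs is checked, not the header From.

```python
import re

# Constructed sample log lines in the usual Postfix syslog layout (not from the thread).
SAMPLE_LOG = """\
Jan 10 10:00:01 mx postfix/smtpd[2345]: 3F2A11C0D2: client=unknown[192.0.2.10], sasl_method=PLAIN, sasl_username=alice@example.com
Jan 10 10:00:01 mx postfix/qmgr[900]: 3F2A11C0D2: from=<alice@example.com>, size=812, nrcpt=1 (queue active)
Jan 10 10:02:14 mx postfix/smtpd[2351]: 5C9B01C0D7: client=unknown[192.0.2.10], sasl_method=PLAIN, sasl_username=alice@example.com
Jan 10 10:02:14 mx postfix/qmgr[900]: 5C9B01C0D7: from=<ceo@example.org>, size=790, nrcpt=1 (queue active)
Jan 10 10:05:40 mx postfix/pickup[800]: 7B1C21C0D3: uid=1001 from=<billing@example.net>
Jan 10 10:05:40 mx postfix/qmgr[900]: 7B1C21C0D3: from=<billing@example.net>, size=655, nrcpt=1 (queue active)
Jan 10 10:07:02 mx postfix/pickup[800]: 9D4E31C0D9: uid=1001 from=<support@example.com>
Jan 10 10:07:02 mx postfix/qmgr[900]: 9D4E31C0D9: from=<support@example.com>, size=701, nrcpt=1 (queue active)
"""

# Hypothetical ownership map: submitting identity -> envelope senders it may use.
# SASL logins are keyed by username, local sendmail submissions by "uid:<n>".
ALLOWED = {
    "alice@example.com": {"alice@example.com", "sales@example.com"},
    "uid:1001": {"bob@example.com", "support@example.com"},
}

QID = r"postfix/[\w/-]+\[\d+\]: (?P<qid>[0-9A-Za-z]+): "
SASL = re.compile(QID + r"client=.*\bsasl_username=(?P<who>\S+)")
PICKUP = re.compile(QID + r"uid=(?P<uid>\d+) ")
QMGR = re.compile(QID + r"from=<(?P<sender>[^>]*)>")


def audit(log_text, allowed):
    """Return [(queue_id, identity, sender)] for senders the identity does not own."""
    identity = {}  # queue id -> who submitted the message
    findings = []
    for line in log_text.splitlines():
        if m := SASL.search(line):
            identity[m["qid"]] = m["who"].lower()
        elif m := PICKUP.search(line):
            identity[m["qid"]] = "uid:" + m["uid"]
        elif m := QMGR.search(line):
            # pop() so that qmgr retries of a deferred message are reported only once
            who = identity.pop(m["qid"], None)
            sender = m["sender"].lower()
            # Skip mail with no known submitter (inbound) and the null bounce sender.
            if who is None or sender == "":
                continue
            if sender not in allowed.get(who, set()):
                findings.append((m["qid"], who, sender))
    return findings


if __name__ == "__main__":
    for qid, who, sender in audit(SAMPLE_LOG, ALLOWED):
        print(f"{qid}: {who} sent as {sender}")
```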