reject_sender_login_mismatch

#1 Sat, 12/04/2010 - 19:06
helpmin


I have a question I couldn't figure out in the demo.

There is an install script for Roundcube apparently. I would assume that Virtualmin would install only in one virtual server (with redirect maybe).

Does Virtualmin also provide a module to manage roundcube for multiple domains, e.g. using roundcube options like include_host_config?

And how could I prevent users from spoofing email addresses (with domains other than their own domain), or is that a basic Postfix question (maybe somebody has a link with some more information about this)?

Thanks as always!

Sat, 12/04/2010 - 19:15
andreychek

Howdy,

> There is an install script for Roundcube apparently. I would assume that Virtualmin would install only in one virtual server (with redirect maybe).

Yup, there's a Roundcube install script. You could opt to install that any way you like; either in one domain and have it redirect, or you could install a copy in each domain.

Personally, I prefer installing it once and redirecting.

> Does Virtualmin also provide a module to manage roundcube for multiple domains, e.g. using roundcube options like include_host_config?

Nope! Once it's installed, you have to manage it :-) Virtualmin only helps you in getting it initially installed.

> And how could I prevent users from spoofing email addresses (with domains other than their own domain)

Well, email is fairly insecure that way, unfortunately. Just like any desktop user could put anything they want into the "from" field of Outlook or Thunderbird, so could web users.

RoundCube does offer some configuration options to limit that though. You may want to take a peek at the "identities_level" option, for example.

But, just remember that a user who really wants to send email from a domain they don't own could certainly find a way around that.

-Eric

Sat, 12/04/2010 - 19:21
Locutus

Roundcube does get installed under one domain only, that's right, just like all the Pro scripts. Which is not really a problem though, since users log in with their email account on Roundcube anyway, no matter under which domain it is running. :)

You might instruct Virtualmin via Template to use your Roundcube URL as alias for "webmail.domain.tld" when setting up mail for new domains. Or manually create redirects.

As for "spoofing": You mean how you can force users to only send mail from their assigned address, and not from anything they like? Off the bat I'm not sure if Postfix has an option for that, but it might. Will check that out. Anyway, after SMTP AUTHing, it is customary to indeed allow the users to use any sender address they like - would there be a specific reason why you'd want to forbid that? If it comes to tracking down abuse, there's much better info in your logs than the From address the user used. :)

Sat, 12/04/2010 - 19:31
helpmin

Thanks for the quick responses.

I think with roundcube you can set up "virtual domain" specific config files, where you can also set the default identities etc. Default identities would probably be all the aliases of a user etc. Of course you can maintain all this manually, but I thought that would be a typical task for virtualmin.

Regarding tracking abuse in the log: this assumes that you get notified :-) When it happens, it is probably already too late and your domain is blacklisted :-) So prevention is probably better. I think I have to do some more research in postfix forums etc.

Sat, 12/04/2010 - 19:40
Locutus

If spam is sent from your server, it will possibly get blacklisted, no matter what From address the abuser used. Conversely, if a spammer somewhere else sends out mail with your domain in the From, you have no control over that anyway.

So I don't really see that as a reason to forbid authenticated users to have anything they like in From. :)

The From address in an email is just as "secure" as the sender address on a physical letter. Server administrators know that too and never rely on From information for decisions what is abuse and who's responsible for it.

Sat, 12/04/2010 - 20:01
helpmin

You convinced me :-)

Mon, 12/06/2010 - 00:40
helpmin

Just wanted to share the result of my research / solution. To ensure that users can only send emails with "from addresses" "assigned to them" you just have to add the following to main.cf:

smtpd_sender_restrictions = reject_sender_login_mismatch

smtpd_sender_login_maps = hash:/etc/postfix/virtual

Works nice with the virtual_user plugin for roundcube.

No need to restrict identities in roundcube or to have an extra virtualmin module.

keywords: postfix, spoof, email, sender, login, imap, reject, prevent
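
The two main.cf settings in the last post, modelled as an added example (not code from the thread or from Postfix): a simplified Python version of the documented reject_sender_login_mismatch decision, applied to the envelope MAIL FROM address and the SASL login. The table entries, login names and reason strings are constructed for illustration, and the bare-localpart lookup step is left out.

```python
import re

# Constructed sample in the "address  owner[, owner...]" layout of a hash: map
SAMPLE_VIRTUAL = """\
# address              login name(s) allowed to send as it
alice@example.com      alice.example
sales@example.com      alice.example, bob.example
bob@example.org        bob.example
@catchall.example      carol.catchall
"""

def parse_login_map(text):
    """Build {lookup key: [owner logins]} from map source text."""
    table = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue  # skip blank lines, comments and keys without a value
        key, value = parts
        table[key.lower()] = [o for o in re.split(r"[,\s]+", value) if o]
    return table

def lookup_owners(table, sender):
    """Try the full address first, then the @domain wildcard key."""
    sender = sender.lower()
    domain = sender.rpartition("@")[2]
    return table.get(sender) or table.get("@" + domain)

def check_sender(table, mail_from, sasl_login=None):
    """Return (action, reason) for one MAIL FROM / login pair."""
    owners = lookup_owners(table, mail_from)
    if sasl_login is None:
        # Unauthenticated client: reject only if the address has an owner.
        if owners:
            return ("REJECT", "not logged in")
        return ("OK", "unowned sender, no login")
    # Authenticated client: the login must be listed as an owner.
    if not owners or sasl_login.lower() not in [o.lower() for o in owners]:
        return ("REJECT", "not owned by login")
    return ("OK", "login owns sender")

if __name__ == "__main__":
    table = parse_login_map(SAMPLE_VIRTUAL)
    for sender, login in [("alice@example.com", "alice.example"),
                          ("bob@example.org", "alice.example"),
                          ("alice@example.com", None),
                          ("someone@other.test", None)]:
        print(sender, login, check_sender(table, sender, login))
```

An authenticated user is also rejected for a sender address that has no entry in the map at all, so every address a user may send as needs an entry there.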
