identitys in webmailer // BUG about webmail-lite HOT 1 CLOSED

Hi,

I guess if you send the message with [email protected] as From, your mail server will reject it regardless if you send it from Outlook/Thunderbird or from our webmail. So, no problem with that. Your mail server does the check and no email with faked From ever goes through.

Anyway, a mail client can't determine if the address you specify for Identity is valid for this user or not. Only a mail server is capable of that. If you don't want to let your users type anything there, you'll need to disable identities.

Some methods to prove that a user has control of some mailbox do exist but they are pretty complex. The system asks you to send an email with some code from the address you want to use for identity to a special system address, then checks this system mailbox and if the code matches, this proves that you can send from that address. However, this technique assumes setting up some more complex infrastructure than just setting up a webmail client (and it's a good piece of functionality to develop, more than identities themselves).

Also, this technique only proves that the use can send from the email address in question but it does not help determine if this will actually work. For instance, you have an account [email protected] and also have [email protected]. If you add [email protected] as identity, you can prove to the system that [email protected] belongs to you (so that adding identity will succeed). However, when sending a mail from your mail server with [email protected] set as From, you'll get an error from your mail server because [email protected] is unknown sender for it. Unfortunately, there is no universal and simple solution for this. It's not an error in our code.

from webmail-lite.