The "From" textbox field in "Compose Email" is editable by default, and this could be a potential bug, as any user can change the "From" text field and send fake emails. Usermin also doesn't authenticate it before sending emails.
The issue is that Usermin doesn't restrict this to just mail aliases; one can enter anything in the "From" textbox, no matter whether the email account exists or whether it's an email alias with the same mailbox.
For example: one can type "does-not-exists@domain.com" or "anything@example.com" and it does send the email. This is something I would like to stop, so that a shared hosting user is not able to send emails on behalf of other users' email IDs.
Here is a screencast: https://www.useloom.com/share/4a63da0c79f24897b8eef3526a8e18e4
How do we make this field read-only? Or dropdown for email alias? Or even hidden if possible?
Comments
Submitted by JamieCameron on Tue, 02/06/2018 - 18:40 Comment #1
You can prevent the user from editing the From address by editing /etc/usermin/mailbox/config and changing the edit_from=1 line to edit_from=0
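The change described in comment #1, written as an idempotent script. This is an added example, not code from the thread or from the Usermin project; the function names and the .bak backup copy are assumptions, and appending the key when it is missing is a choice made here rather than documented Usermin behaviour.

```shell
#!/bin/sh
# Added example: force edit_from=0 in a key=value module config file such as
# /etc/usermin/mailbox/config, so the "From" field is no longer editable.

# Print the current edit_from value, or "unset" if the key is absent.
get_edit_from() {
    val=$(sed -n 's/^edit_from=//p' "$1" | tail -n 1)
    echo "${val:-unset}"
}

# Set edit_from=0 in the file given as $1.
# - leaves the file untouched if the value is already 0
# - keeps a copy of the previous contents in <file>.bak (assumed convention)
# - replaces an existing edit_from line, or appends the key if it is missing
# - writes back into the same file, so its owner and mode are preserved
lock_from_field() {
    conf=$1
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    [ "$(get_edit_from "$conf")" = "0" ] && return 0
    cp -p "$conf" "$conf.bak" || return 1
    awk '
        /^edit_from=/ { print "edit_from=0"; seen = 1; next }
        { print }
        END { if (!seen) print "edit_from=0" }
    ' "$conf.bak" > "$conf"
}

# Usage: sh lock_from.sh /etc/usermin/mailbox/config
if [ "$#" -gt 0 ]; then
    lock_from_field "$1" && echo "edit_from=$(get_edit_from "$1")"
fi
```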
Submitted by JamieCameron on Tue, 02/06/2018 - 18:55 Comment #2
In the next release of the Virtualmin installer, this will happen automatically.
Submitted by pragma on Wed, 02/07/2018 - 03:42 Comment #3
Thanks, JamieCameron.
Submitted by IssueBot on Tue, 03/06/2018 - 08:42 Comment #4
Automatically closed - issue fixed for 2 weeks with no activity.