Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow catch-all and tagged e-mail addresses as From addresses in SOGo #5836

Open
Crazyphil opened this issue Apr 9, 2024 · 5 comments
Open

Allow catch-all and tagged e-mail addresses as From addresses in SOGo #5836

Crazyphil opened this issue Apr 9, 2024 · 5 comments
Labels
enhancement upstream

Comments

@Crazyphil
Copy link

Summary

SOGo allows editing the From mail address in the header when composing a new mail. Some validation in the background then checks whether the address belongs to an allowed or delegated identity and disallows sending if not. Unfortunately, this validation doesn't take into account tagged addresses (like [email protected]) as well as catch-all addresses (like *@catchall.example.com being forwarded to [email protected]).

In the mailbox settings in Mailcow, there is an option "Disable sender check for domain" that sounds like it should configure this behavior, but it doesn't. While with any standard SMTP client you can freely choose the sender address from your selection of aliases, this is not possible within SOGo. Some mechanism, potentially this security setting in the mailbox settings, should instruct SOGo to allow these addresses as sender.

Motivation

My use case is this: for my mail domain example.com, I’ve created a catch-all domain catchall.example.com where every mail to any address is forwarded to [email protected]. Now, whenever I have to register on a website, I can just make up any address and create an account for it. This way, should user data be leaked in the future from this particular website, I can uniquely trace its origins, because the alias tells me which service was responsible for the leak.

Temporary addresses don’t really fit this use case, because

  • they have to exist before the address is used, so I would have to access the management UI every time I want to create a new account (and accounts are everywhere today!)
  • they have an expiration date by default, but I don’t want the addresses to time out because it still is associated to an account (I know that the expiration date can be changed, but this again requires additional configuration)
  • they are random, and whenever a temporary alias (accidentially) timed out I would never again be able to access the account in cases where mailbox access is required

Address tags also don’t fit my use case (apart from suffering the same problem), because

  • nowadays, every spammer knows about them and just assumes that anything before the + is the actual address, and simple removes the tag before selling your personal data
  • the + is an unusual character for mail addresses, and websites with bad validation don’t accept them (I’ve encountered this situation multiple times, which is the reason I switched to a catch-all domain)
  • the address gets rather long an clumsy to type on a mobile device

Additional context

This feature request stems from a discussion in the mailcow community.
@dragoangel
Copy link
Collaborator

dragoangel commented Apr 10, 2024
edited
Loading

You have allow send as *@domain.com. Nobody will be automatically allow send as anybody from domain because of catchall, it not desired in 99% cases. There is dedicated setting and they available in mailcow.

@dragoangel dragoangel closed this as not planned Won't fix, can't repro, duplicate, stale Apr 10, 2024
@Crazyphil
Copy link
Author

Crazyphil commented Apr 11, 2024
edited
Loading

I'm not sure wheter I understand your objection correctly, but what you describe is exactly what doesn't work: even when I check "Disable sender check for domain example.com" in the mailbox settings, SOGo still doesn't allow arbitrary sender addresses from catch-all (sub)domains.

Do you have a description of what I should have to configure where for that to work?

@saibotma
Copy link

saibotma commented May 1, 2024

Having the same problem. I think this issue should be reopened.

@FlohEinstein
Copy link

I'm having the exact same problem as @Crazyphil and I don't think @dragoangel understood the problem and the use case. Maybe there was something lost in translation?
I share @saibotma 's opinion, please reopen and address the issue

@dragoangel dragoangel reopened this Jun 15, 2024
@dragoangel
Copy link
Collaborator

dragoangel commented Jun 15, 2024
edited
Loading

Okay, now I get what is issue is about. Tagged aliases not for sending, only for receiving. I closed the issue because I assume this is the limitations of sogo, and they allowing to select only users that are explicitly exists in database which means you can't write anything you want, in same way as you can't share a calendar with non existing users (but there option to share with anybody) or send event to alias... I think it will be just impossible to fix it in mailcow at this stage, and first request should be pointed to sogo. Desktop clients that allows you to adjust from header not aware about any users db so they not limiting you at all in what you can pun into from, but this not the case with sogo.

If you have evidence that this not limitations of sogo, please share them :)

And PRs are always welcome

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement upstream
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@dragoangel @Crazyphil @FlohEinstein @saibotma