Users can send emails with a custom "From" field of another user

Hi, it seems like my users are able to send emails with a customized “From” field of other users. These emails are still filtered as valid by other email servers.

Example:

Domain: example.org

Bob has “bob@example[dot]org”
John has “john@example[dot]org”, but in his email client he changes the “From” field (in Roundcube by creating a new identity, or in Thunderbird by creating a custom one) to be “bob@example[dot]org”.
Whenever John sends a new email with this alias the server still validates his credentials even if he is using Bob’s email. And the incoming server marks as valid the “spoofed” email.

Don’t know if this is intended behavior or if I’m missing something. Is there a way to further validate this or disable custom From address in the cPanel options?

Heya,

I agree with you that this is not ideal, and I would rather not allow it. But, because cPanel does not offer address aliases, people are currently using this to send from multiple addresses with a single account.

For the future of MXroute we are looking into https://wildduck.email/, which does support multiple addresses per account. It also supports rewriting the from header to an allowed value, solving this issue completely.

For now this is going to have to remain, I’m afraid.

I would like to add that while it is allowed, if users are abusing this for malicious purposes it will be caught and dealt with harshly. If abuse becomes rampant it will be disabled entirely. As it stands, this is normal workflow for a lot of users who use it in a manner that is not malicious or troublesome.
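The check the thread is asking for is a submission-time policy: compare the From address of an authenticated message against the addresses that login is permitted to use, and either reject the message or rewrite the header to an allowed value (the behaviour the reply attributes to wildduck). The following is an added illustration of that policy in Python; it is not cPanel, Exim, MXroute or wildduck code. The account table, the sample message and the `X-Original-From` header name are constructed for the example.

```python
"""Enforce that the From address of an authenticated submission belongs to
the authenticated account (the same-domain spoofing case from the thread)."""
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Constructed account table (assumption, not real provider data):
# login -> addresses that account is allowed to put in From.
# John has a second address, which is the "multiple addresses per account"
# use case that makes a plain login == From comparison too strict.
ALLOWED_FROM = {
    "john@example.org": {"john@example.org", "sales@example.org"},
    "bob@example.org": {"bob@example.org"},
}

# Constructed sample submission: John is authenticated, but his client
# has been configured with Bob's address as the From identity.
SPOOFED_SUBMISSION = """\
From: Bob <bob@example.org>
To: someone@example.net
Subject: test

hello
"""


def allowed_addresses(login):
    """Addresses an authenticated login may send as; by default only itself."""
    login = login.lower()
    return {a.lower() for a in ALLOWED_FROM.get(login, {login})}


def enforce_from(login, raw_message, mode="rewrite"):
    """Return (action, message).

    action is 'accept' when From is one of the account's addresses,
    'reject' when it is not and mode == 'reject', or 'rewrite' when the
    From header was replaced by the login address (mode == 'rewrite').
    A missing or unparsable From header is treated like a foreign one.
    """
    msg = message_from_string(raw_message, policy=default)
    _, from_addr = parseaddr(str(msg.get("From", "")))
    if from_addr.lower() in allowed_addresses(login):
        return "accept", msg
    if mode == "reject":
        return "reject", msg
    # Rewrite to an allowed value. The display name is dropped as well,
    # otherwise "Bob <john@example.org>" would still carry the borrowed name.
    original = str(msg["From"]) if "From" in msg else ""
    del msg["From"]
    msg["From"] = login
    if original:
        # Constructed header name: keeps the original value for the audit trail.
        msg["X-Original-From"] = original
    return "rewrite", msg


if __name__ == "__main__":
    for mode in ("rewrite", "reject"):
        action, out = enforce_from("john@example.org", SPOOFED_SUBMISSION, mode)
        print(mode, "->", action, "| From:", out["From"])
```

The decision is keyed on the authenticated login, not on anything in the message, which is the point the original report makes: the server already knows who logged in, so the From header can be checked against that identity rather than trusted as supplied. Rewriting keeps the multi-address workflow intact as long as every address a user legitimately sends from is listed for their account; rejecting is the stricter choice when that list cannot be maintained.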