RainLoop / rainloop-webmail

Simple, modern & fast web-based email client
http://rainloop.net
MIT License

Any Identity can be taken #2079

Open marneu opened 3 years ago

marneu commented 3 years ago

RainLoop version, Nextcloud 7.1.0, LNX

Expected behavior and actual behavior:

Expected: A user can use only agreed/confirmed identities.

Actual: Any user can set any identity without information/verification.

Steps to reproduce the problem: Enter donald.j.trump@whitehouse.gov in identities and use this as standard (PLEASE DO NOT REPRODUCE and use any own)

A well configured server would not accept this address and reject the usage. Of course the receiving mail server would/should reject a mail like this, due to dmarc, dkim, spf - in a ideal world, but we live in a chaos world and different server admins have different skills.

To avoid this situation two ways could be used:

  1. An email is sent to the newly used identity stating that it is used by the standard identity. This solution has the drawback that, if a victim receives such a mail, he can't do anything against such fraudulent usage.
  2. The better way would be to generate a backlink (f.e. md5), send this to the new identity, and the receiver needs to agree (to using that identity) by clicking on the link. Informational text should state that this link should only be clicked if the user is the same as the requester and agrees herewith to using this identity. The new identity should remain inactive as long as this process is not completed.

the-djmaze commented 3 years ago
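The confirmation-link flow from the second option above, written out as an added example (not RainLoop code and not marneu's roundcube plugin). It swaps the suggested md5 backlink for an HMAC-SHA256 token bound to the account, the address, a random nonce and the request time, so a token cannot be replayed for a different identity and expires after a day; the `Identity` class, `SERVER_SECRET` and `TOKEN_TTL_SECONDS` are assumptions of the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

# Constructed server-side secret; a real deployment reads this from configuration.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"
TOKEN_TTL_SECONDS = 24 * 3600


@dataclass
class Identity:
    account: str          # login account that requested the identity
    address: str          # new From address the account wants to use
    active: bool = False  # stays False until the confirmation link is used
    created: float = field(default_factory=time.time)
    nonce: str = field(default_factory=lambda: secrets.token_urlsafe(16))


def confirmation_token(identity: Identity) -> str:
    """Token carried by the link that is mailed to the new address.

    The MAC covers account, address, nonce and creation time, so the server
    stores nothing secret per identity and a token only confirms the exact
    request it was issued for.
    """
    msg = "|".join(
        [identity.account, identity.address, identity.nonce, str(int(identity.created))]
    ).encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def confirmation_link(identity: Identity, base_url: str) -> str:
    """Link to put in the informational mail sent to the new identity."""
    return (
        f"{base_url}/confirm-identity"
        f"?nonce={identity.nonce}&token={confirmation_token(identity)}"
    )


def confirm(identity: Identity, presented_token: str, now: Optional[float] = None) -> bool:
    """Activate the identity only for a valid, unexpired token."""
    now = time.time() if now is None else now
    if now - identity.created > TOKEN_TTL_SECONDS:
        return False
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(presented_token, confirmation_token(identity)):
        return False
    identity.active = True
    return True


def may_send_as(identity: Identity, from_address: str) -> bool:
    """The send path checks this before accepting a From address."""
    return identity.active and identity.address.lower() == from_address.lower()


if __name__ == "__main__":
    # Constructed scenario: b@dom.local requests identity a@dom.local.
    pending = Identity(account="b@dom.local", address="a@dom.local")
    print("mail this to a@dom.local:", confirmation_link(pending, "https://webmail.example"))
    print("usable before confirmation:", may_send_as(pending, "a@dom.local"))
    confirm(pending, confirmation_token(pending))
    print("usable after confirmation:", may_send_as(pending, "a@dom.local"))
```

Until `confirm` succeeds the identity is stored but `may_send_as` refuses it, which is the "remain inactive" requirement; the token is only ever delivered to the address being claimed, so the person who controls that mailbox is the only one who can activate it.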

You can even let the code check spf/mx records for the domain and screw up.

For example you use RainLoop with a gmail account. You could have millions of @gmail identities. That's why gmail checks the FROM.

Office365 doesn't and it's up to the administrator to restrict it themselves. Yes, I know, because I showed a company that uses Office365 how easy it is to abuse their mail environment.

But I prefer SPF/DKIM/DMARC checks to know if the webmail is allowed.

marneu commented 3 years ago

@the-djmaze: I think you are right and should use SPF etc. but we should not invite to misuse systems. Thus, it is a security issue in my eyes.

the-djmaze commented 3 years ago

@marneu yes, you can see it as a security issue. But did you know websites like WordPress, Joomla, etc. have the same issue? And if someone hacks a website, he can do the same in a much worse sense.

To avoid this issue the Identity should be "From" and the "Sender" should be the login account. But as you said, the world is chaos! Certain applications show the Sender and not the From :(

Based on so many "security" issues I think RainLoop is not the place to solve this. Better to blacklist bad administrators.

A valid example to use identities:

SPF check: server.example.com and my.tld have a matching IP.
Better: the SMTP server should check if the username may send as "contact@my.tld".

However, RainLoop could at least have security test pages in admin for domains so that administrators can test their skills BEFORE they enable the identities feature.
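An added example (not RainLoop's code, and not the-djmaze's setup) of the two checks just described: the sending account is allowed only a configured set of identity domains, and the identity's domain must list the webmail's outbound IP in its SPF record; a passing message is then built with `From` set to the identity and `Sender` set to the login account. The `ALLOWED_DOMAINS` policy, the `SPF_RECORDS` table and all addresses and IPs are constructed; a real check would fetch the TXT record from DNS, and only literal `ip4:`/`ip6:` mechanisms are evaluated here (`include:`, `a` and `mx` need further lookups and are treated as non-matching).

```python
import ipaddress
from email.message import EmailMessage
from typing import Dict, List, Optional

# Constructed policy: which identity domains each login account may send as.
ALLOWED_DOMAINS: Dict[str, List[str]] = {
    "contact@my.tld": ["my.tld", "example.org"],
}

# Constructed stand-in for DNS TXT lookups of the domains' SPF records.
SPF_RECORDS: Dict[str, str] = {
    "my.tld": "v=spf1 ip4:203.0.113.10 ip4:203.0.113.0/28 -all",
    "example.org": "v=spf1 ip4:198.51.100.7 -all",
    "dom.local": "v=spf1 -all",
}


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def spf_permits_ip(domain: str, ip: str, records: Dict[str, str] = SPF_RECORDS) -> bool:
    """True if the domain's SPF record lists ip through an ip4:/ip6: mechanism.

    Mechanisms that need DNS resolution (include:, a, mx) are skipped, so a
    domain relying on them is reported as not permitting the IP.
    """
    record = records.get(domain)
    if not record or not record.startswith("v=spf1"):
        return False
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        mech = term.lstrip("+-~?")          # strip the qualifier
        if mech.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(mech.split(":", 1)[1], strict=False)
            if addr in net:                 # False for mismatched IP versions
                return not term.startswith(("-", "~", "?"))
    return False


def identity_allowed(login: str, identity: str, outbound_ip: str) -> bool:
    """Both gates must pass: account policy and the domain's own SPF."""
    dom = domain_of(identity)
    if dom not in ALLOWED_DOMAINS.get(login.lower(), []):
        return False
    return spf_permits_ip(dom, outbound_ip)


def build_message(login: str, identity: str, to: str, subject: str,
                  body: str, outbound_ip: str) -> Optional[EmailMessage]:
    """Returns the message to hand to SMTP, or None when the identity is refused."""
    if not identity_allowed(login, identity, outbound_ip):
        return None
    msg = EmailMessage()
    msg["From"] = identity
    msg["Sender"] = login      # authenticated account stays visible in the header
    msg["To"] = to
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


if __name__ == "__main__":
    ok = build_message("contact@my.tld", "sales@my.tld", "x@example.net",
                       "hello", "sent as an allowed identity", "203.0.113.10")
    print(ok)
    refused = build_message("b@dom.local", "a@dom.local", "x@example.net",
                            "hello", "not allowed", "203.0.113.10")
    print("a@dom.local from b@dom.local refused:", refused is None)
```

Even with both gates, a client-side check is only as good as the SMTP server behind it: the server still has to reject a `From` outside the account's allowed domains, which is the point the comment above is making.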

marneu commented 3 years ago

Even if the admin page would accept only domains: Given scenario: user a@dom.local and user b@dom.local. b@dom.local could easily add identity a@dom.local, send a mail using this identity, and delete the id afterwards.

We - the heroes - WOULD read the header, but a normal user complains that he/she has received a mail from a@dom.local. This is not theory - this is what happened at a known organisation, and some people were angry at user a@dom.local. User a@ had to find out how this could happen and needed to involve a lot of people.

Years ago we had that problem at roundcube (I did some programming on the plugins) and it could be stopped by using method 2.

I think the best argument is "We should not invite to misuse".

the-djmaze commented 3 years ago

If the system administrator is incapable/lacks experience to secure a@dom.local, then just disable the feature: Admin => General => Main => "Allow multiple identities"

Then you can only send as a@dom.local when you have the credentials.

Same as:

marneu commented 3 years ago

I'm not sure whether you got the point. I use around 700 identities for myself and some webpages (and I really own these). That said - not an option; rather I choose another client which helps me administrate the right way.

the-djmaze commented 3 years ago

I also use many identities. I've configured my SMTP servers in a way that "Account A" is allowed to send e-mails of domains A, B, C. But if I create an identity for domain D I can't send e-mails because I'm not allowed.

This is also done on local areas:

There are so many ways you can abuse e-mail outside RainLoop. I could even send e-mails as a@dom.local and the company will have no clue how that is possible.

For example: install Thunderbird or KMail. There you can also add identities and do exactly the same as what you describe. How would you "protect" those programs?

Read here how you can even fake a@dom.local in Outlook :imp: https://www.howtogeek.com/689267/how-to-send-an-email-with-a-different-from-address-in-outlook/

So even if RainLoop adds "security" for this, it's useless.

marneu commented 3 years ago

I understand your opinion and your imagination. Are you an active developer within this project?

the-djmaze commented 3 years ago

> Are you an active developer within this project?

I've tried, but approval of my PRs is slow. So I've forked the project to my needs. And when I have time I put back new PRs to this project.

If you still need identities security, you could write a plugin, just like you did for roundcube.

marneu commented 3 years ago

Ah, I see - so I'm going to install roundcube again. Unfortunately there is no real integration in nextcloud yet.

the-djmaze commented 3 years ago

> Unfortunately there is no real integration in nextcloud yet.

Just use the default nextcloud mail app then?

marneu commented 3 years ago

Does not function either (no identities) and less comfort.