msimerson / Mail-Toaster-6

Mail Toaster 6
https://github.com/msimerson/Mail-Toaster-6/wiki
BSD 3-Clause "New" or "Revised" License

Send mail for alias addresses #581

Open Infern1 opened 4 weeks ago

Infern1 commented 4 weeks ago

I recently updated Haraka and found that sending mail for an alias isn't working anymore.

Say I log in to Roundcube via user@email.com and I send a mail for alias@differentdomain.com, it is not working anymore

([7E4999FB-B6E@haraka] Envelope domain 'differentdomain.com' doesn't match AUTH domain 'email.com').

So with some research I found that this is a result of: https://github.com/haraka/Haraka/pull/3265

So I added constrain_sender=false and it is working again.

I understand the function; however, can we make the check not so restrictive?

msimerson commented 4 weeks ago

worksAsDesigned

The "still works" way to send mail from user@differentdomain is to log into roundcube with a username within differentdomain.

I have witnessed (and cleaned up) systems that end up with millions of emails injected into their queues within hours of an email account getting brute forced. There is off-the-shelf software that takes advantage of this weakness in most SMTP servers and then injects spam from many not-local domains into the queue (aka: Joe job attack). That gets your mail server instantly blacklisted for provable impersonation. This prevents that consequence.

In so doing, this change greatly reduces the collateral damage inflicted on mail systems when an email account is brute-forced. Most attempted spam injections are rejected before being queued.

Perhaps an option that added an option like constrain_sender=local would do what you want?

Infern1 commented 4 weeks ago

Yes, I 100% agree that it is a good addition and works as intended.

However, I cannot log in to Roundcube with user@differentdomain since this is just a redirect in vpopmail: mail sent to user@differentdomain ends up in my main mailbox, user@email.

So the option constrain_sender=local would be a good function.
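
The check discussed in this thread, as an added JavaScript example that is not Haraka's or Mail Toaster's code: it models strict matching, the constrain_sender=false workaround, and one possible reading of the proposed constrain_sender=local (a different envelope domain is accepted only if this server hosts it). The function names, the `localDomains` set, the fail-closed handling of addresses without a domain, and the meaning given to `local` are assumptions.

```javascript
// Added illustration; not Haraka's plugin code. checkSender, domainOf and
// localDomains are hypothetical names.

// Return the lower-cased domain part of an address, or null if there is none.
function domainOf(address) {
  const s = String(address ?? '');
  const at = s.lastIndexOf('@');
  if (at < 1 || at === s.length - 1) return null;
  return s.slice(at + 1).toLowerCase();
}

// mode: true    -> envelope domain must equal the AUTH user's domain
//       false   -> no constraint (the workaround from the first comment)
//       'local' -> assumed meaning: the envelope domain may differ from the
//                  AUTH domain, but only if this server hosts it
function checkSender(mode, authUser, mailFrom, localDomains) {
  if (mode === false) return { ok: true };
  const authDomain = domainOf(authUser);
  const envDomain = domainOf(mailFrom);
  // Assumption of this example: fail closed when either side has no domain.
  if (!authDomain || !envDomain) {
    return { ok: false, reason: 'missing domain in AUTH user or envelope sender' };
  }
  if (envDomain === authDomain) return { ok: true };
  if (mode === 'local' && localDomains.has(envDomain)) return { ok: true };
  return {
    ok: false,
    reason: `Envelope domain '${envDomain}' doesn't match AUTH domain '${authDomain}'`,
  };
}

// Constructed sample data: domains hosted on this server.
const hosted = new Set(['email.com', 'differentdomain.com']);

function demo() {
  return [
    // Strict mode: the alias case from the report is rejected.
    checkSender(true, 'user@email.com', 'alias@differentdomain.com', hosted),
    // 'local' mode: the alias domain is hosted here, so it is accepted.
    checkSender('local', 'user@email.com', 'alias@differentdomain.com', hosted),
    // 'local' mode: a domain this server does not host is still rejected.
    checkSender('local', 'user@email.com', 'ceo@not-hosted.example', hosted),
  ];
}

console.log(demo());
```

Under this reading, a brute-forced account could still send as other hosted domains, but not as the not-local domains described in the second comment.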