EdwardRC

Registered
Sep 29, 2013
3
0
1
cPanel Access Level
Reseller Owner
Hello, I need your help guys.
All the replies that I got from providers are not acceptable for me.
Here's the thing.

cPanel account, small company of 10 guys with a mail account for each one.
Each user only knows his own mail password.
So, as the hosting is configured, someone could send mails from another real mail account. How?
Quick and simple example: John only knows his user/pass and he set up the profile in Outlook.
Steve is mad at John and just created a profile in the mail client with John's mail, knowing only [email protected]. He left the password input blank and he could send a mail in John's name.
AFAIK, setting up SPF is not helping here, because it's not a matter of IPs. For some reason, the mail account doesn't ask for SMTP authentication.
I hear that Exim is the only option in cPanel, and that Postfix is a possible solution with another control panel.
The goal here is that each mail account which is set up in any mail client without the right password should be prompted to fill in the mail password.

Any idea how to do this?

Thanks in advance for your help/time.
Edward
 

cPanelMichael

Technical Support Community Manager
Staff member
Apr 11, 2011
47,911
2,233
363
cPanel Access Level
DataCenter Provider
Twitter
> So, as the hosting is configured, someone could send mails from another real mail account. How?
> Quick and simple example: John only knows his user/pass and he did set the profile in Outlook.
> Steve is mad with John and just created a profile in the mail client with john's mail, knowing only [email protected]. He left the password input in blank and he could be able to send a mail in John's names.
> AFAIK, setup SPF is not helping here, cause it's not a matter of IPs. For some reason, the mail's account doesn't ask for SMTP authentication.

This scenario should not be possible with the default configuration of Exim on a cPanel server. While it's possible to spoof the "FROM" address, it's not possible to authenticate via SMTP without a password or without first logging in with that same account via POP3. Have you consulted with your web hosting provider in order to have them reproduce the issue?

Thank you.
 

mtindor

Well-Known Member
Sep 14, 2004
1,361
64
178
inside a catfish
cPanel Access Level
Root Administrator
Steve could easily set the FROM address in his email client to [email protected] but continue to SMTP Authenticate using [email protected]. There is no way around that.

If a person has SMTP authentication credentials (i.e. an email account set up), they can send mail as anyone they want as long as they authenticate first. I could set up an email account on a mailserver called [email protected]. I could send email with the FROM address of [email protected] if I wanted to, by simply setting the FROM address to whatever I want and authenticating as [email protected]. Sure, some remote mail systems might detect that it is spoofed depending upon the domain I'm pretending to be from and how the remote mailserver is configured. But for the most part, there is no way around this.

If you have a problem with Steve being mad at John and Steve faking emails as John, Steve oughta be canned. That's not acceptable practice, or shouldn't be.

M
 

EdwardRC

Thanks for the reply.

> ... it's not possible to authenticate via SMTP without a password or without first logging in with that same account via POP3 ...

That's exactly what I need.
Sounds more than logical to me. If you wanna send an email from an account, you should have to fill in the password (if it isn't saved in the mail client). If you check the account via POP3 before sending, ok, let it go, but if you didn't, ask me for credentials.
The hosting (host.gat.or) said that cPanel and Exim can't prevent that because Postfix is not supported.
How could I be sure that the right settings are running on my hosting service?

Thanks
 

EdwardRC

> Steve could easily set the FROM address in his email client to [email protected] but continue to SMTP Authenticate using [email protected]. There is no way around that.

If this is really true... I'm done :(
But I reproduced the issue on Outlook Express. I didn't have to fill in user/pass with Steve's information. I just completed the user with any real mail account (created in cPanel), leaving the password input blank.
The mail was sent knowing only a real mail address.

> If a person has SMTP authentication credentials (i.e. an email account set up), they can send mail as anyone they want as long as they authenticate first. I could set up an email account on a mailserver called [email protected]. I could send email with the FROM address of [email protected] if I wanted to, by simply setting the FROM address to whatever I want and authenticating as [email protected]. Sure, some remote mail systems might detect that it is spoofed depending upon the domain I'm pretending to be from and how the remote mailserver is configured. But for the most part, there is no way around this.

I can't believe that there is not a solution for this simple security problem.

> If you have a problem with Steve being mad at John and Steve faking emails as John, Steve oughta be canned. That's not acceptable practice, or shouldn't be.

Take that as a simple example. Can you imagine any small company allowing people to send mails in the name of another guy? Spoofing is not a simple problem, I get it, but asking for the right credentials of the sender mail address is, I guess, basic.

I'm not an expert on this matter, but why do other mail systems ask for mandatory authentication before any receiving/sending?

Thanks

 

cPanelMichael

You will need to consult with your web hosting provider if you were able to send emails from an account without entering a password. This indicates a custom configuration not native to cPanel. You are welcome to have them submit a support ticket to us to investigate the issue if they are not sure why that's happening.

Thank you.
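
Added example, not part of any post in this thread: a log audit that separates the two cases discussed above, a message accepted with no SMTP authentication at all and a message authenticated as one mailbox but sent with another mailbox's address. It assumes Exim's default main-log layout, where arrival (`<=`) lines carry an `A=authenticator:id` field for authenticated sessions; the sample lines, addresses, message ids and the `audit` helper are constructed for illustration.

```python
import re

# Constructed sample lines in the style of Exim's main log ("<=" marks message arrival).
# Hosts, addresses and message ids are made up for this example.
SAMPLE_LOG = """\
2013-09-30 09:14:02 1VQaaa-0001Ab-01 <= john@example.com H=(pc1) [203.0.113.10]:50312 P=esmtpa A=dovecot_login:john@example.com S=1523
2013-09-30 09:20:45 1VQaab-0001Ac-02 <= john@example.com H=(pc2) [203.0.113.11]:50888 P=esmtpa A=dovecot_login:steve@example.com S=1498
2013-09-30 09:31:10 1VQaac-0001Ad-03 <= john@example.com H=(pc2) [203.0.113.11]:50901 P=esmtp S=1502
2013-09-30 09:40:00 1VQaad-0001Ae-04 <= partner@example.net H=mx.example.net [198.51.100.7]:25 P=esmtps S=2210
2013-09-30 09:41:00 1VQaae-0001Af-05 => john@example.com R=virtual_user T=virtual_userdelivery
"""

ARRIVAL = re.compile(r"^(\S+ \S+) (\S+) <= (\S+) (.*)$")  # timestamp, id, envelope sender, rest
AUTH = re.compile(r"\bA=([^:\s]+):(\S+)")                 # authenticator name and authenticated id
PROTO = re.compile(r"\bP=(\S+)")                          # protocol the message arrived over

def audit(log_text, local_domains):
    """Return (msg_id, finding, envelope_sender, auth_id) for suspicious arrivals."""
    findings = []
    for line in log_text.splitlines():
        m = ARRIVAL.match(line)
        if not m:
            continue  # delivery lines ("=>") and other entries are not arrivals
        _stamp, msg_id, sender, rest = m.groups()
        proto = PROTO.search(rest)
        if proto and proto.group(1) == "local":
            continue  # submitted by a local process, not over SMTP
        domain = sender.rpartition("@")[2].lower()
        if domain not in local_domains:
            continue  # inbound mail from other domains is normally unauthenticated
        auth = AUTH.search(rest)
        if auth is None:
            # Sender claims a hosted mailbox but no SMTP AUTH was recorded
            findings.append((msg_id, "no-auth", sender, None))
        elif auth.group(2).lower() != sender.lower():
            # Authenticated as one mailbox, envelope sender is another
            findings.append((msg_id, "auth-mismatch", sender, auth.group(2)))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, {"example.com"}):
        print(finding)
```

A `no-auth` hit for a hosted sender can also be inbound mail with a forged envelope sender, or relaying allowed because the same IP recently logged in via POP3, so check the source IP before concluding that the server accepts unauthenticated submission.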