Hi everyone!
I'm new to this list and the reason why I'm writing is because I found
out one thing I think is worrying enough to share it with you
I've got my Postfix configured with virtual users, integrated with
Dovecot. Everything's working fine, no (known) configuration issues. I
was mainly investigating on my Mozilla Thunderbird, concretely the
Identities option. I tried to add an 'identity' (with a fictional
login), just to try what would happen and surprisingly the mail was sent
out without any problem - using the configuration of the 'real' account:
Jun 6 21:23:35 mail postfix/smtpd[13009]: 3035F10000C:
client=unknown[192.168.0.10], sasl_method=PLAIN,
sasl_username=nico...@devels.es
Jun 6 21:23:35 mail postfix/cleanup[13017]: 3035F10000C:
message-id=<4fcfbc49.60...@devels.es>
Jun 6 21:23:35 mail postfix/qmgr[1766]: 3035F10000C:
from=<fictio...@devels.es>, size=651, nrcpt=1 (queue active)
Jun 6 21:23:35 mail postfix/smtpd[13009]: disconnect from
unknown[192.168.0.10]
Jun 6 21:23:37 mail postfix/pickup[12624]: 28C801012C0: uid=5002
from=<fictio...@devels.es>
Jun 6 21:23:37 mail postfix/cleanup[13017]: 28C801012C0:
message-id=<4fcfbc49.60...@devels.es>
Jun 6 21:23:37 mail postfix/pipe[13019]: 3035F10000C:
to=<nico...@devels.es>, relay=spamassassin, delay=2.1,
delays=0.25/0.05/0/1.8, dsn=2.0.0, status=sent (delivered via
spamassassin service)
Jun 6 21:23:37 mail postfix/qmgr[1766]: 3035F10000C: removed
My question is: How 'safe' is this? Is there any way to restrict
creating identities for users unless the administrator allows to do so?
I really would be worried if ANY user would create ANY identities and
use them the way he wants... Any ideas appreciated!
Thanks!
Nicolás