Prevent spoofing of "From:" header on shared hosting
I noticed that I can send valid SPF and DKIM emails from another account if the domain is hosted on the same server.
For example:
Let's assume I have intel.com and amd.com on the same cPanel server.
email@intel.com, from user intel, can send a fake email like email@amd.com with valid SPF and DKIM.
I know there is the option: Rewrite From: header to match actual sender
But I would like to allow my customers to be able to send email as other accounts, as long as the domain is registered in their cPanel account.
In summary, how do I prevent customers from sending email as other customers?
I opened a ticket on this subject because I think one account could not send an email with DKIM from another account. If DKIM fails, it is possible to prevent abuses using DMARC. An internal case (CPANEL-11627) was opened by the support team.
Hello @Rodrigo Gomes, Thank you for updating this thread with the outcome of the support ticket. I'm monitoring CPANEL-11627 and will update this thread with more information on the status of this case as it becomes available. Thank you.
Hello, To update, this behavior was determined to be by-design. The proper method to address this concern is to enable the following option under the "Mail" tab in "WHM >> Exim Configuration Manager >> Basic Editor":
EXPERIMENTAL: Rewrite From: header to match actual sender
Per its description: If you enabled this option, the From: header will be rewritten to be the email address of the actual message sender. If you choose the "remote" option, only messages that are being sent to remote destinations will be affected.
> I know there is the option: Rewrite From: header to match actual sender But I would like to allow my customers to be able to send email as other accounts, as long as the domain is registered in their cPanel account.
I encourage you to open a feature request if you'd like to see additional functionality or preferences added to this option: Submit A Feature Request
Thank you.
I exactly need what OP requested. Has anything been done to fulfill this functionality request yet?
Hi, I don't see that a feature request was opened. Feel free to open a feature request using the link referenced in my last response. Thank you.
Not sure if anyone has submitted a feature request for this yet, so I have: Restrict DKIM private key access to account. It hasn't been approved yet.
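The policy the original post asks for (a From: address is accepted when its domain is registered in the sender's own account and refused when it belongs to another customer), written out as an added example. It is not cPanel or Exim code; the account-to-domain table, the function names and intel-shop.example are constructed assumptions.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample data (assumption): domains registered under each account.
ACCOUNT_DOMAINS = {
    "intel": {"intel.com", "intel-shop.example"},
    "amd": {"amd.com"},
}

def owning_account(auth_login):
    """Resolve the authenticated SMTP login to a hosting account, or None."""
    if "@" not in auth_login:  # logged in with the bare account name
        return auth_login if auth_login in ACCOUNT_DOMAINS else None
    domain = auth_login.rsplit("@", 1)[1].lower()
    for account, domains in ACCOUNT_DOMAINS.items():
        if domain in domains:
            return account
    return None

def check_from(auth_login, raw_message):
    """Return (allowed, reason) for a message submitted by auth_login."""
    account = owning_account(auth_login)
    if account is None:
        return False, "login does not map to a hosting account"
    from_headers = message_from_string(raw_message).get_all("From", [])
    if len(from_headers) != 1:
        # Zero or duplicate From: headers are ambiguous; refuse rather than guess.
        return False, "expected exactly one From: header"
    addresses = [addr for _name, addr in getaddresses(from_headers) if addr]
    if not addresses:
        return False, "no parseable address in From:"
    for addr in addresses:
        # Compare the address domain, case-insensitively, not the display name.
        domain = addr.rsplit("@", 1)[1].lower() if "@" in addr else ""
        if domain not in ACCOUNT_DOMAINS[account]:
            return False, f"{addr} is outside account '{account}'"
    return True, "all From: addresses belong to the sender's account"

def sample(from_value):
    """Build a constructed test message with the given From: value."""
    return f"From: {from_value}\nTo: rcpt@example.net\nSubject: test\n\nbody\n"

if __name__ == "__main__":
    for value in ("email@intel.com", "news@intel-shop.example", "email@amd.com"):
        print(value, check_from("email@intel.com", sample(value)))
```
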