Send on Behalf of / Send as Another User Bug??
  •  
bfrawley

I have a user who needs to send out a group of emails as another person in the company. Being a former Exchange guy I figured I could just modify a setting or two to allow the user to send as the other person as in Exchange. I wasn't able to find the setting so I just up and tried it to see what errors I would get. To my surprise I didn't get any errors. After further testing I have found that anyone on that server can send as anyone else on the server. Is that the way Kerio works or do I have something misconfigured that is allowing it?
  •  
rigo

^^^^^ BUMP ^^^^^

This is important, was wondering the same thing...? Do I have something misconfigured that is allowing this to happen...?

thank you,



  •  
bfrawley

The one thing that I haven't tested that could be causing it is that we have our local LAN block as a "trusted sender" on the mail server. This could be allowing it to relay messages to anyone from anyone without forcing authentication. I am planning on testing my theory sometime this week.
  •  
sgongola

It is the way email works :(

The email clients I've seen let you use anything you want as your FROM: address and REPLY TO: address. Kerio webmail is no different. This is what lets spam get through looking as if it came from someone else.

The one thing that can lead back to you when using a "normal" email client is the earliest "Received:" line which, unless forged, will point back to your personal Windows box. The latest "Received:" line will tell you which machine connected to your own mail server. Any other headers can be faked.



  •  
bfrawley

If that is the way email works, Exchange wouldn't prevent users from sending as other users unless the specific permissions are set.

Like I said, I think the problem is having your local LAN block as a trusted sender which makes your mail server an open relay for your local LAN and therefore doesn't require the local sender (KOC, or Outlook if using POP3 or IMAP) to authenticate before sending.
  •  
bfrawley

Well turns out my assumption was wrong. Even if your local LAN block is to added to the "Trusted Senders" list you can still send email as anyone to anyone if you authenticate.

I see this as a big security issue. Anyone in our company can up and send an email as our CEO or President or anyone they want to.

Does anyone have a way around this?
  •  
winkelman

bfrawley wrote on Tue, 24 June 2008 15:20

...
Does anyone have a way around this?

Like said, there's no way around it because that's the way the email protocols are supposed to work. From the protocol point of view the from field is just some meaningless piece of text. Perhaps Exchange still checks it (even though protocol may allow any from field) and won't allow such messages, but in general anyone can just send email with every possible from field.

So if you find that to be a security issue, you'd better disconnect from the Internet 8). Perhaps with Exchange your own employees cannot send messages with faked from headers (if the term 'fake' actually applies, cause strictly speaking it doesn't), the rest of the Internet still can.

(You can somewhat limit this by implementing CallerID, SPF and so on, but it won't help much, because those technologies never really caught on.)
  •  
bfrawley

In Exchange only the user for the account can send as themself by default. If user A needs to send as User B you have to add "Send As" permission for user A in User B's mailbox.

If it can't be configured on a per user basis Kerio needs to remove that feature to make it harder to do.
  •  
sgongola

bfrawley wrote on Tue, 24 June 2008 09:20

I see this as a big security issue. Anyone in our company can up and send an email as our CEO or President or anyone they want to.

Anyone outside your company can up and send an email as your CEO or President or anyone they want to.
You can have security measures to prevent this but there can be side effects.
  •  
sedell

Quote:

Anyone outside your company can up and send an email as your CEO or President or anyone they want to.
You can have security measures to prevent this but there can be side effects.

Very true, and at least you can trace it back this way. The person who authenticated and sent the message is placed in a Sender: header field. Other e-mail apps do this, and some webmail (Gmail last time I looked). Technically, the From address is the author, the Sender is the person who actually sent the e-mail. That's why the mail is listed as sent on behalf of someuser@domain.com.

It's normal procedure for e-mail, it's the way it was designed to work. You can't just remove the feature. It's needed by many Kerio users here, and if it's removed it could potentially cause other problems because the system doesn't conform to the standards. In addition, if you do remove it, you end up with bigger security problems - people giving out their password so someone else can send mail for them. Now, not only do you have other people with access to the mail account, which is potentially their network account as well, but you lose any traceability you had before because the actual sender isn't recorded.

I happen to agree, it's a nice feature Exchange has to restrict this, but it's not the end of the world if it's not there... you know who actually sent the message. If you're that worried about it, use Group Policy to disable the From field in Outlook except for users you authorize.

Scott
  •  
sgongola

You are referring to normal users who legitimately want to send an email using another account and have appropriate headers showing this. Yes, you and I and others can look at the header and see the sender data or look at the receive headers and see what is happening.

Most people don't. With mailers I've used, you put in your own name and from address or you can put in anything you want. With a couple of clicks WE can see the headers in Thunderbird or the full sources with Thunderbird or Kerio webmail and we would know what we are looking at. But you have to know to do this. Most users don't, especially Outlook users who only see a name and no email address.

  •  
sedell

sgongola wrote on Tue, 24 June 2008 13:04

You are referring to normal users who legitimately want to send an email using another account and have appropriate headers showing this. Yes, you and I and others can look at the header and see the sender data or look at the receive headers and see what is happening.

Most people don't. With mailers I've used, you put in your own name and from address or you can put in anything you want. With a couple of clicks WE can see the headers in Thunderbird or the full sources with Thunderbird or Kerio webmail and we would know what we are looking at. But you have to know to do this. Most users don't, especially Outlook users who only see a name and no email address.



When it comes to sending mail as another user, you don't have to look at the headers. You're using Outlook and Thunderbird as examples, but they both handle the Sender/From scenario. It says From userA@domain.com on behalf of userB@domain.com in Outlook. Thunderbird shows the Sender right underneath the From address. If other mail clients can't handle e-mail where the Sender differs from the From address, they probably shouldn't be used for business purposes.

Now you jump into actually changing the From address within the mail client (and this is the problem with this thread by the way - people bounce back and forth from send on behalf of another user to actually changing the From address within clients, which are two different things). EVERY mail client lets you do this. I've never seen one that didn't. Every webmail I've used lets you do this. Few mail servers validate the from address either. As long as a client authenticates with a valid name and password, the message is accepted and sent. That's why so many record the authenticated user somewhere in the header. Is it a broken spec? Absolutely, but that's the way it was written and implemented. Does it need to be changed? Absolutely, but too many don't want it to. So many people have become accustomed to using these flaws for various semi-legitimate reasons they don't want it to change.

As far as removing send on behalf of another user, what I was replying to - absolutely not. Too many people use it for legitimate purposes, and any decent e-mail client should be able to handle it.

As for removing the ability to change the e-mail address in an e-mail client, I'm all for that. If it were up to me, you wouldn't even be able to specify the e-mail address, it would be based on your login information, and the server would insert it. Change the reply-to, or error-to, whatever, but you can't specify the e-mail address.


Scott
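
An added sketch, not part of the thread and not Kerio's or Exchange's code, of the server-side check discussed in the posts above: the server compares the authenticated login with the From address, consults a per-mailbox "Send As" table, and writes the Sender header itself. The addresses, the `SEND_AS` table and `check_submission` are hypothetical names, and the sample messages are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

# Hypothetical delegation table: mailbox -> logins allowed to send as it.
SEND_AS = {"ceo@example.com": {"secretary@example.com"}}

# Constructed sample submissions.
DELEGATED = "From: CEO <ceo@example.com>\nTo: all@example.com\nSubject: Q3\n\nbody\n"
FORGED_SENDER = ("From: intern@example.com\nSender: ceo@example.com\n"
                 "To: all@example.com\nSubject: hi\n\nbody\n")


def check_submission(raw, auth_user, send_as=SEND_AS):
    """Return (decision, message) for a message submitted by auth_user."""
    msg = message_from_string(raw)
    froms = msg.get_all("From", [])
    if len(froms) != 1:
        return "reject", msg              # missing or duplicated From header
    # Compare the address part only; the display name is free text.
    author = parseaddr(froms[0])[1].lower()
    auth_user = auth_user.lower()
    # Never trust a client-supplied Sender; the server derives it from the login.
    del msg["Sender"]
    if author == auth_user:
        return "accept", msg              # author and submitter are the same
    if auth_user in send_as.get(author, set()):
        msg["Sender"] = auth_user         # record who actually sent it
        return "accept-on-behalf", msg
    return "reject", msg                  # no "Send As" permission for this From


def demo():
    """Run the constructed samples and return the decisions in order."""
    cases = [(DELEGATED, "secretary@example.com"),
             (DELEGATED, "intern@example.com"),
             (FORGED_SENDER, "intern@example.com")]
    return [check_submission(raw, user)[0] for raw, user in cases]


if __name__ == "__main__":
    print(demo())
```

The third sample shows why the Sender header has to be set by the server: a Sender supplied by the client is dropped rather than relayed.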
  •  
rigo

So how do we get "Send on Behalf of 'other user'" to show in the BODY of the email (or prominent place), so when the reader sees the email he/she knows that the message was sent from the secretary and not the ceo?
  •  
bfrawley

If you added the "From" field using Outlook and put in another address it will show "Sent on behalf of Userxyz by Userabc."

If you modify the default sender address using the Outlook connector settings it will look like the message actually came from "Userxyz" even though "Userabc" sent it.
  •  
rigo

bfrawley wrote on Mon, 21 July 2008 09:22

If you added the "From" field using Outlook and put in another address it will show "Sent on behalf of Userxyz by Userabc."


I tried this, adding the "From" field to Outlook (Options drop down) and inserted a from email address but no joy on the receiving end--still no "Sent on behalf of Userxyz by Userabc."

Does it show in the headers or somewhere in the body of the email, do signatures need to be on?