New Feature: Prevent Sender Identity Spoofing

Posted by: mstauber Category: General

Most platforms talk about best practices. BlueOnyx enforces them. Automatically, consistently, and without burdening the administrator.

When a user account is compromised, attackers often waste no time turning your mail server into a spam cannon. Even with strong passwords, 2FA, outgoing volume limits, and tight MTA configurations, a determined attacker who controls valid login credentials can still cause damage. BlueOnyx now adds another layer of protection: an enforced mapping between authenticated users and the sender identities they are allowed to use.

In simple terms: An authenticated user can now only send email using addresses that belong to them. Alias spoofing and cross-account impersonation are no longer possible. Everyone else hopes users don’t spoof. BlueOnyx prevents it.

How it Works

This feature adds a Postfix enforcement layer that validates whether the sender address used during an authenticated SMTP session is actually permitted for that user.

A helper script automatically generates /etc/postfix/sender_canonical, populated based on real account data:

  • Server administrators and their aliases (if any)
  • All users of each Vsite, including each user’s email aliases
  • All Vsite email server aliases
  • The designated siteAdmin owning /web is allowed to send as any user within the same Vsite domain, ensuring PHP scripts, web applications, and webmail continue to function
  • Suspended Vsites and users, or those with email disabled, are excluded entirely

If an authenticated user attempts to send using any address not in their permitted list, the message is rejected at the SMTP envelope stage:

mstauber@beast:~$ swaks --auth-user hacked_user --auth-password '[HIDDEN]' --from billing@paypal.com --to ms@blueonyx.it --server 5212r.blueonyx.it
=== Trying 5212r.blueonyx.it:25...
=== Connected to 5212r.blueonyx.it.
<- 220 5212r.blueonyx.it ESMTP Postfix
-> EHLO beast.smd.net
<- 250-5212r.blueonyx.it
<- 250-PIPELINING
<- 250-SIZE 102400000
<- 250-ETRN
<- 250-STARTTLS
<- 250-AUTH PLAIN LOGIN
<- 250-ENHANCEDSTATUSCODES
<- 250-8BITMIME
<- 250 DSN
-> AUTH LOGIN
<- 334 [HIDDEN]
-> [HIDDEN]
<- 334 [HIDDEN]
-> [HIDDEN]
<- 235 2.7.0 Authentication successful
-> MAIL FROM:<billing@paypal.com>
<- 250 2.1.0 Ok
-> RCPT TO:<ms@blueonyx.it>
<** 553 5.7.1 <billing@paypal.com>: Sender address rejected: not owned by user 'hacked_user'
-> QUIT
<- 221 2.0.0 Bye
=== Connection closed with remote host.

This protects against a broad class of abuse where attackers authenticate legitimately but attempt to spoof the sender identity to bypass filters or impersonate others.
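The mapping rules listed above can be modelled in a few lines. This is an added sketch, not BlueOnyx's helper script and not the real contents of its map file: the account records, field names and bare login names are constructed assumptions, "server aliases" are assumed to be extra mail domains of the Vsite, and server administrators are left out to keep it short.

```python
from collections import defaultdict

# Constructed sample accounts; field names are assumptions, not BlueOnyx's schema.
VSITES = [
    {"domain": "example.com", "suspended": False, "site_admin": "alice",
     "server_aliases": ["example.net"],
     "users": [{"login": "alice", "aliases": ["sales"], "enabled": True},
               {"login": "bob", "aliases": ["bobby"], "enabled": True},
               {"login": "carol", "aliases": [], "enabled": False}]},
    {"domain": "example.org", "suspended": True, "site_admin": "dave",
     "server_aliases": [],
     "users": [{"login": "dave", "aliases": [], "enabled": True}]},
]

def build_sender_map(vsites):
    """Return {envelope sender address: set of logins allowed to use it}."""
    owners = defaultdict(set)
    for site in vsites:
        if site["suspended"]:
            continue  # suspended Vsite: excluded entirely
        active = [u for u in site["users"] if u["enabled"]]
        admin_active = any(u["login"] == site["site_admin"] for u in active)
        for user in active:  # suspended or mail-disabled users never get here
            for local in [user["login"], *user["aliases"]]:
                for domain in [site["domain"], *site["server_aliases"]]:
                    addr = f"{local}@{domain}".lower()
                    owners[addr].add(user["login"])
                    if admin_active:  # siteAdmin may send as any user of the Vsite
                        owners[addr].add(site["site_admin"])
    return owners

def render_table(owners):
    """One 'address login[,login]' line per sender, sorted for stable diffs."""
    return [f"{addr} {','.join(sorted(logins))}" for addr, logins in sorted(owners.items())]

def sender_allowed(owners, sasl_login, mail_from):
    """True only if the authenticated login is listed for this MAIL FROM address."""
    return sasl_login in owners.get(mail_from.lower(), set())

if __name__ == "__main__":
    table = build_sender_map(VSITES)
    print("\n".join(render_table(table)))
    for login, sender in [("bob", "bobby@example.net"), ("bob", "alice@example.com"),
                          ("alice", "bob@example.com"), ("bob", "billing@paypal.com")]:
        verdict = "accept" if sender_allowed(table, login, sender) else "reject 553 5.7.1"
        print(f"{login} -> {sender}: {verdict}")
```

Because the check defaults to deny, an address that is missing from the map (an external domain, a suspended Vsite, a mail-disabled user) is rejected for every login.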

What It Protects

This enforcement applies to all SMTP transactions that use SASL authentication. This includes nearly all mail submitted from external clients and much of the mail generated by authenticated applications.

What It Cannot Cover

Emails sent locally on the server through direct /usr/sbin/sendmail invocation, such as cron jobs or system scripts, bypass authentication and therefore cannot be subject to the same verification. Mitigating those cases would require an outbound content-enforcing milter, which introduces incompatibilities with common BlueOnyx features (such as mailing lists) and would be too disruptive.

Deployment Details

To avoid unexpected behavior changes, the feature is disabled by default on systems that receive the update through YUM/DNF.

However, on fresh installations where the web-based setup has not yet been completed, the feature is enabled by default to provide immediate protection from day one.

A new switch under "Network Services" / "Email" called "Prevent Sender Identity Spoofing" now allows administrators to enable or disable this protection. When enabled, BlueOnyx maintains the sender identity mapping automatically.

This update significantly raises the bar for abuse prevention, limiting the impact of compromised accounts and reducing the likelihood of your server being misused as a spam source. While other solutions still rely on hope, policy text, and good intentions, BlueOnyx ships with real enforcement. This is what hardening looks like when the platform actually takes responsibility for security. 

We hope you like this feature and that it will serve you well.


Nov 16, 2025 Category: General Posted by: mstauber