You are here: Welcome to BlueOnyx» FAQ» 5210R manual install

5210R/5211R/5212R: Prevent Sender Identity Spoofing updated

Posted by: mstauber Category: General

The feature that allows prevention of Sender Identity Spoofing has been enhanced further.

We recently published a new feature that prevents Sender Identity Spoofing in Emails sent from authenticated BlueOnyx users. 

Some users have voiced the desire to grant not only the siteAdmin the more relaxed ability to send emails using any allowed email address associated with the Vsite. Hence we just published updates for BlueOnyx 5210R, 5211R and 5212R that provide a more fine grained control over this feature.

How it Works

The full documentation can be found here.

This feature adds a Postfix enforcement layer that validates whether the sender address used during an authenticated SMTP session is actually permitted for that user.

A helper script automatically generates /etc/postfix/sender_canonical, populated based on real account data:

  • Server administrators and their aliases (if any)
  • All users of each Vsite, including each user’s email aliases
  • All Vsite email server aliases
  • The designated siteAdmin owning /web is allowed to send as any user within the same Vsite domain, ensuring PHP scripts, web applications, and webmail continue to function
  • Suspended Vsites and users, or those with email disabled, are excluded entirely
  • On a per Vsite level the restrictions can be relaxed so that chosen Users may send using any email address for as long as the domain of the sender address is associated with the Vsite. Either by the Vsite name, or one of its Email Server Aliases.

 

Per Vsite and per User settings:

If the MTA is Postfix and the feature "Prevent Sender Identity Spoofing" is enabled in the Email Server Settings, then all authenticated Users of all Vsites are prevented from sending emails with sender addresses not specifically assigned to them. The only exception is the "siteAdmin who owns /web", who can send using any email address for as long as the domain part of the address matches the FQDN of the Vsite and/or one of the Email Server Aliases of the Vsite.

The same privilege can be granted to selected users if the Vsite has "Allow Sender Identity Spoofing" enabled in its Email settings:

This is an admin level privilege that cannot be toggled by a siteAdmin. So the server administrator has to enable/disable it for Vsites.

If the feature is enabled, selected Users can be granted the privilege "Allow Sender Identity Spoofing" in their "Basic Settings":

This switch can be toggled by siteAdmins, provided the Vsite has the feature enabled.

Vsites which have the feature "Allow Sender Identity Spoofing" enabled are easy to spot in the Vsite list:

The Icon "Email" in that case changes to "Email (+)", denoting that "Allow Sender Identity Spoofing" is enabled for that Vsite. Likewise: Individual Users who are granted the privilege "Allow Sender Identity Spoofing" will also have their "Email" icon changed to "Email (+)".

 


Return
General
Nov 26, 2025 Category: General Posted by: mstauber
Previous page: BlueOnyx 5211R manual install Next page: 5210R/5211/5212R: Postfix and SNI