How To Restrict Users From Changing the "From" Address (Doc ID 1465762.1)

Last updated on NOVEMBER 23, 2016

Applies to:

Oracle Communications Messaging Server - Version 7.0.0 and later
Information in this document applies to any platform.

Goal

Version of Messaging Server being used:

# imsimta version
Oracle Communications Messaging Exchange Server 7u4-20.01 64bit (built Nov 21 20
libimta.so 7u4-20.01 64bit (built 20:15:52, Nov 21 2010)
Using /opt/sun/comms/messaging64/config/imta.cnf (compiled)
SunOS msgfe3 5.10 Generic_141445-09 i86pc i386 i86pc

In the below scenario, MS Outlook was the client being used to change the From: address.


We have a test user called "migration11" which does not have any alias mapped with it.
abcxyz@domain.com is the mail address used when configuring MS Outlook.
migration11@domain.com is the original mail id which exists in LDAP. 

Note:  we are not using Outlook Connector, so it is not involved in this issue.

abcxyz@domain.com is not in LDAP, but if I am using Outlook and if I edit the mail ID field in Outlook with a valid email address that exists in LDAP, I can send email.  While sending the mail, Outlook connects to LDAP with the user ID mentioned in the Outlook configuration (i.e. migration11) and its password and does an AUTH with the MTA.  For this reason, the MTA allows the mail to be sent, even if the mail address is invalid.  When the mail reaches the destination, it shows as "From: migration11@domain.com on behalf of abcxyz@domain.com".

Users are abusing the system by modifying the "From" address in Outlook or by changing the email address in the Outlook profile.  For this case,  the "migration11" user should not be allowed to use an invalid email ID in the Outlook profile.  The problem with this scenario is that a user can use a valid mail ID of a high profile user, even if he/she is not authorized to do so.

How can we configure the Messaging Server to NOT allow these types of emails to be processed through?

Solution

Sign In with your My Oracle Support account

Don't have a My Oracle Support account? Click to get started

My Oracle Support provides customers with access to over a
Million Knowledge Articles and hundreds of Community platforms