Outlook allows sending as another user — how to lock this down in SmarterMail?
Problem reported by Nabil SENHADJI - Today at 1:00 PM
Submitted

Hello everyone,

I’d like to share an issue we’re experiencing with SmarterMail that’s starting to impact our day-to-day operations, in the hope that someone in the community might have insights or that it can help move the ongoing support investigation forward.

Issue Summary:

An authenticated user using Outlook can send emails using an address other than their own, even if that address is not an authorized alias.

Example: user@domain.com can send an email as ceo@domain.com, which closely resembles internal spoofing.

The "Require Auth Match" option is enabled but does not seem to prevent this behavior.

Discussions with SmarterTools Support:

We’ve opened tickets with support. While communication has taken place, the suggestions provided so far have not resolved the issue.

One recommendation was to disable the "Allow relay for authenticated users" option (Settings > Protocols > SMTP In), which completely blocks email sending via Outlook — therefore, not a viable solution.

We understand that SmarterMail adheres strictly to the RFC standards, distinguishing the following:

  • "Mail From" (RFC5321 – used for the SMTP envelope and authentication),

  • from "From" (RFC5322 – the address displayed to the recipient).

However, this issue only occurs through Outlook, and not when using the webmail interface.

Our Findings:

Even when authenticated, a user can freely change the "From" field in Outlook.

Unlike other platforms, SmarterMail does not enforce that the sender address must be the authenticated user's address or one of their aliases.

While this behavior may be RFC-compliant, it presents a significant risk in a professional environment, where any user could impersonate a CEO or another internal user.


Has anyone else experienced this kind of issue?
Is there any configuration or workaround in SmarterMail that would lock the "From" address to the authenticated identity, or at least reject messages where the sender doesn’t match the authenticated user?

Thanks in advance to anyone who can share insights or solutions.

Best regards,
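
The enforcement the post asks for ("lock the From address to the authenticated identity, or reject messages where the sender doesn't match") can be modelled as a submission policy that checks the RFC 5321 envelope sender and the RFC 5322 From: header separately against the SMTP AUTH identity and its permitted aliases. The block below is an added illustration, not SmarterMail code; the policy function, the alias map and the log records are constructed for the example. It also runs the same check over captured submission records, which is how an administrator could audit whether such mismatches have already occurred.

```python
"""Model of a 'sender must match authenticated identity' submission policy.

Added illustration, not SmarterMail code. It applies the RFC 5321 / RFC 5322
distinction from the post: the envelope MAIL FROM and the header From: are
each checked against the identity that passed SMTP AUTH plus the aliases
that identity is allowed to use.
"""
import re
from email.utils import getaddresses

# Matches the reverse-path in a 'MAIL FROM:<...>' command (case-insensitive).
MAIL_FROM_RE = re.compile(r"^MAIL FROM:\s*<([^>]*)>", re.IGNORECASE)


def normalize(addr):
    """Lower-case and trim; RFC 5321 makes the local part case-sensitive,
    but matching case-insensitively is the usual deployment choice."""
    return addr.strip().lower()


def envelope_sender(smtp_line):
    """Extract the reverse-path from a 'MAIL FROM:<...>' command line."""
    m = MAIL_FROM_RE.match(smtp_line.strip())
    if not m:
        raise ValueError("not a MAIL FROM command: %r" % smtp_line)
    return normalize(m.group(1))


def header_senders(from_header):
    """All mailboxes in an RFC 5322 From: value, display names stripped.
    From: may legitimately carry several mailboxes, so return every one."""
    return [normalize(a) for _, a in getaddresses([from_header]) if a]


def check_submission(auth_user, aliases, smtp_mail_from, from_header):
    """Return (accepted, reason). Hypothetical policy: both the envelope
    sender and every From: mailbox must be the authenticated user or one
    of its configured aliases."""
    permitted = {normalize(auth_user)} | {normalize(a) for a in aliases}
    env = envelope_sender(smtp_mail_from)
    if env == "":
        return False, "empty reverse-path not allowed on authenticated submission"
    if env not in permitted:
        return False, "envelope MAIL FROM %s is not %s or an alias" % (env, auth_user)
    hdrs = header_senders(from_header)
    if not hdrs:
        return False, "From: header carries no address"
    for h in hdrs:
        if h not in permitted:
            return False, "header From %s is not %s or an alias" % (h, auth_user)
    return True, "ok"


# Constructed submission records: (authenticated user, MAIL FROM line, From: header).
# The second and third rows reproduce the situations described in the post.
SAMPLE_LOG = [
    ("user1@example.com", "MAIL FROM:<user1@example.com>", "User One <user1@example.com>"),
    ("user1@example.com", "MAIL FROM:<user1@example.com>", "CEO <ceo@example.com>"),
    ("user1@example.com", "MAIL FROM:<user2@example.com>", "user2@example.com"),
    ("user1@example.com", "MAIL FROM:<sales@example.com>", "Sales <sales@example.com>"),
    ("user1@example.com", "MAIL FROM:<user1@example.com>", "anyone@other.example"),
]

# Constructed alias map: user1 is allowed to send as the shared sales address.
ALIASES = {"user1@example.com": ["sales@example.com"]}


def audit(records, alias_map):
    """Run the policy over captured records; return the rejected ones with reasons."""
    flagged = []
    for auth_user, mail_from, from_hdr in records:
        ok, why = check_submission(auth_user, alias_map.get(auth_user, []), mail_from, from_hdr)
        if not ok:
            flagged.append((auth_user, mail_from, from_hdr, why))
    return flagged


if __name__ == "__main__":
    for rec in audit(SAMPLE_LOG, ALIASES):
        print("REJECT auth=%s %s From:%s -> %s" % rec)
```

Checking the two layers separately matters because a client can keep the envelope sender honest while rewriting only the displayed From:, which is what the recipient actually sees; a policy that inspects only MAIL FROM would pass the second sample record.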

3 Replies

0
Daniel Replied
Is it possible that there is an IP range under "Settings" -> "Security" -> "Whitelist" that matches your clients' IP range and that has "Bypass SMTP Authentication" active?
0
Nabil SENHADJI Replied

Thank you for your response Daniel,

We’ve already checked the IP Whitelist settings under Settings > Security > Whitelist, and the only entries present are the default ones created by SmarterMail during installation. These entries correspond to private IP ranges (e.g., local subnets), while our users connect via public IPs — so they are not covered by any existing whitelist rule.

Also, this is not a case of bypassing SMTP authentication. On the contrary, the users authenticate properly with their own credentials.

For example, the user logs in with user1@example.com, but is still able to send an email where the "Mail From" is set to user2@example.com, or even to an address from a completely unrelated domain.

This behavior only occurs when using Outlook. When sending from the SmarterMail webmail interface, everything works as expected and the "From" address cannot be changed arbitrarily.

That’s the real issue we’re trying to address — preventing authenticated users from sending as any arbitrary address, whether internal or external.

Thanks again for looking into this!

0
Brian Bjerring-Jensen Replied
NO matter what I do I am not allowed to send on other people's behalf.

Your message did not reach some or all of the intended recipients.

      Subject:    test
      Sent:    13-05-2025 22:35

The following recipient(s) cannot be reached:

      'Pope Francis' on 13-05-2025 22:35
            This message could not be sent. You do not have the permission to send the message on behalf of the specified user.

__________________________________________________

Diagnostic information for administrators:
__________________________________________________

Error is [0x80070005-0x000004dc-0x00000524].

Exchange response headers:
    request-id: 054d77c2-e4f7-4fea-929c-ededce80e437
    X-ServerApplication: Exchange/15.01.1847.001
    X-FEServer: SMARTERMAIL
    X-BEServer: SMARTERMAIL
    X-CalculatedBETarget: papam@francis.dk
    X-RequestId: {0C0B8D18-3410-4CB6-BAC2-F211EA94965D}:1309
    X-ClientInfo: {DD372C53-E973-452A-A8D0-5715904CE054}:174640043
    X-ElapsedTime: 2
    X-ResponseCode: 0
    X-DiagInfo: SMARTERMAIL
    X-RequestType: Execute
__________________________________________________

ROPs Summary:

    0: ropRelease (1) Processed(1) Completed(0)
        ROP result: 0
        Response codes: 0
    1: ropSetProps (10) Processed(1) Completed(0)
        ROP result: 0
        Response codes: 0
    2: ropSetProps (10) Processed(1) Completed(0)
        ROP result: 0
        Response codes: 0
    3: ropFlushRecipients (14) Processed(1) Completed(0)
        ROP result: 0
        Response codes: 0
    4: ropSetProps (10) Processed(1) Completed(0)
        ROP result: 0
        Response codes: 0
    5: ropTransportSend (74) Processed(1) Completed(0)
        ROP result: 0
        Response codes: 1244
__________________________________________________


Transport-Send failed: failure enum(25), HResult(0x00000000), EC(1244).
Transport-Send failed: failure enum(22), HResult(0x00000000), EC(1244).
Submit-Message failed: message id(39), failure enum(13), HResult(0x80070005), EC(1244).

