View Issue Details

ID: 0006195
Project: SOGo
Category: Backend Mail
View Status: public
Last Update: 2026-05-26 15:42
Reporter: David
Assigned To: qhivert
Priority: normal
Severity: minor
Reproducibility: always
Status: assigned
Resolution: open
Platform: [Server] Linux
OS: RHEL/CentOS
OS Version: 7
Product Version: 5.12.6
Summary: 0006195: SOGoMailCustomFromEnabled = NO not enforced server-side
Description

The configuration option SOGoMailCustomFromEnabled = NO only disables the From field in the SOGo web UI. It does not enforce any server-side validation on the /send endpoint. As a result, any authenticated user can bypass the restriction by directly POSTing to the draft send API with a modified from field in the JSON body, without needing any special tools beyond a browser's built-in DevTools.

Steps To Reproduce
  • Set SOGoMailCustomFromEnabled = NO in sogo.conf and restart SOGo
  • Log in as any user via the web interface
  • Compose an email and click Send — capture the POST request using browser DevTools (Network tab)
  • Right-click the request → Copy as fetch
  • Paste into browser Console, modify the from field in the body to any arbitrary address
  • Execute — email is delivered with the spoofed From address, HTTP 200 returned
Additional Information

When SOGoMailCustomFromEnabled=NO, the server should validate that the submitted from value matches the authenticated user's address and reject the request if it does not.
Now users can impersonate other addresses, including potentially other users on the same domain.

Tags: No tags attached.

Activities

David (reporter) 2026-05-18 09:36 ~0018467

Seems like a serious security bug that allows SPAM distribution from SOGo, any workaround?

qhivert (administrator) 2026-05-18 09:48 ~0018468

Hello,

SOGo is only a client of your SMTP server. It is the SMTP server that allows or does not allow an authenticated user to send an email with such a "from" address. There are a lot of legitimate cases where the from is not the same as the authenticated user's mail.

You have to configure your postfix/others to add protection for this.
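The SMTP-side enforcement suggested above, as an added example that is not SOGo's code and not from this thread: a Postfix configuration that rejects an envelope sender the SASL-authenticated login does not own. The map path, domain and login names are assumptions for illustration.

```conf
# /etc/postfix/main.cf  (added example; paths, domain and logins are assumptions)

# Weak: any SASL-authenticated client may use any envelope sender.
#smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks

# Hardened: bind each envelope sender (MAIL FROM) to the SASL login(s) that own it.
smtpd_sender_login_maps = pcre:/etc/postfix/sender_login_maps.pcre
smtpd_sender_restrictions =
    reject_authenticated_sender_login_mismatch,
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_non_fqdn_sender

# /etc/postfix/sender_login_maps.pcre  (assumed contents)
# Key: envelope sender address.  Value: SASL login name(s) allowed to use it.
# Shared address that several logins may legitimately send as (assumption):
/^support@example\.com$/        alice@example.com, bob@example.com
# Every other address in the domain may only be used by the login of the same name.
# The login form (user vs. user@domain) must match what the SASL backend returns.
/^(.+)@example\.com$/           ${1}@example.com
```

Check that the submission service in master.cf does not override smtpd_sender_restrictions with its own -o setting, or the main.cf rule never applies. This binds the envelope MAIL FROM; the message header From is not covered by it and needs a separate check such as a milter or policy service.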

bahnkonzept (reporter) 2026-05-20 20:15 ~0018482

Dear David,

I would follow the advice of Quentin and would check this on the mail server. We're using Mailcow docker from https://mailcow.email/ with integrated SOGo and can do all configuration and SPAM checks from there.

The Bahnkonzept team from Dresden/Germany

David (reporter) 2026-05-26 15:42 ~0018486

OK, no problem, will configure SMTP to solve this, thank you.

Anyway, I'm still in doubt: if there's a parameter advertised as "not to allow user to specify custom From," but it only disables a UI field without any server-side check, it looks like a misleading guarantee.

Issue History

Date Modified Username Field Change
2026-04-23 10:44 David New Issue
2026-05-18 09:36 David Note Added: 0018467
2026-05-18 09:48 qhivert Note Added: 0018468
2026-05-18 09:48 qhivert Assigned To => qhivert
2026-05-18 09:48 qhivert Status new => feedback
2026-05-20 20:15 bahnkonzept Note Added: 0018482
2026-05-26 15:42 David Note Added: 0018486
2026-05-26 15:42 David Status feedback => assigned