from email address can easily be forged #5234

Open
florentos17 opened this issue Jan 22, 2025 · 1 comment

florentos17 commented Jan 22, 2025

Hello,

I set up a Cyrus server with two users, [email protected] and [email protected]. One can send an email via JMAP to the other. But if I modify the query and change the sender address, either in (1) the header, e.g. From: [email protected], or (2) the envelope, e.g. MAIL FROM:<[email protected]>, while remaining authenticated as alice, the email still gets accepted.

Here is the request:

curl -X POST -H "Content-Type: application/json" -H "Accept: application/json" --user alice:secret \
-d '{"using":["urn:ietf:params:jmap:submission","urn:ietf:params:jmap:mail","urn:ietf:params:jmap:core"],"methodCalls":[["Email/set",{"accountId":"alice","create":{"4bcccbd0-d746-11ef-a99b-4bfa423265ba":{"mailboxIds":{"6c8u5hjhkqz25ipwzdz07s5m":true},"subject":"lunch tomorrow","from":[{"name":"Forged","email":"[email protected]"}],"to":[{"name":"Bob","email":"[email protected]"}],"cc":[],"bcc":[],"replyTo":[{"name":null,"email":"[email protected]"}],"htmlBody":[{"partId":"4bb12d80-d746-11ef-a99b-4bfa423265ba","type":"text/html"}],"bodyValues":{"4bb12d80-d746-11ef-a99b-4bfa423265ba":{"value":"hi bob, lets meet for lunch tomorrow !","isEncodingProblem":false,"isTruncated":false,"header:Accept-Language:asText":"fr-FR, en-US, vi-VN, ru-RU, ar-TN, it-IT, de-DE","header:Content-Language:asText":"en-US"}},"header:User-Agent:asText":"Twake-Mail/0.14.2 Dalvik/2.1.0 (Linux; U; Android 15; sdk_gphone64_x86_64 Build/AE3A.240806.005)"}}},"c0"],["EmailSubmission/set",{"accountId":"alice","create":{"4bcccbd0-d746-11ef-a99b-4bfa423265ba":{"emailId":"#4bcccbd0-d746-11ef-a99b-4bfa423265ba","envelope":{"mailFrom":{"email":"[email protected]"},"rcptTo":[{"email":"[email protected]"}]}}},"onSuccessUpdateEmail":{"#4bcccbd0-d746-11ef-a99b-4bfa423265ba":{"mailboxIds/ehh50g6px6axxvw9d3hr44ot":true,"mailboxIds/6c8u5hjhkqz25ipwzdz07s5m":null,"keywords/$seen":true,"keywords/$draft":null}}},"c1"]]}' http://localhost:8008/jmap/

and the response:

{"methodResponses":[["Email/set",{"oldState":"37","newState":"38","created":{"4bcccbd0-d746-11ef-a99b-4bfa423265ba":{"id":"Mc3e039970712d3982db82b57","blobId":"Gc3e039970712d3982db82b5712881c92f0f3611d","threadId":"T5213e0760c7bd88a","size":417}},"updated":null,"destroyed":null,"notCreated":null,"notUpdated":null,"notDestroyed":null,"accountId":"alice"},"c0"],["EmailSubmission/set",{"oldState":"35","newState":"39","created":{"4bcccbd0-d746-11ef-a99b-4bfa423265ba":{"id":"S2","undoStatus":"final","sendAt":"2025-01-22T15:34:35Z"}},"updated":null,"destroyed":null,"notCreated":null,"notUpdated":null,"notDestroyed":null,"accountId":"alice"},"c1"],["Email/set",{"oldState":"38","newState":"41","created":null,"updated":{"Mc3e039970712d3982db82b57":null},"destroyed":null,"notCreated":null,"notUpdated":null,"notDestroyed":null,"accountId":"alice"},"c1"]],"sessionState":"0"}

I would want the email to be rejected, since there is a mismatch between the authenticated user and the sender address, but that is not the case. This happens with both Cyrus 3.8.1 and 3.10.
Thank you for any suggestion as to how I could fix this!
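The check the reporter expects from the submission server, written out as an added example (it is not code from the issue or from Cyrus): the authenticated account must own every From: address of the message being submitted and the envelope MAIL FROM address, otherwise the request is rejected. The request shape follows the curl call above; the account-to-identity table, the `build_request` helper and the example.com addresses are constructed for the demonstration.

```python
from typing import Dict, List, Set

# Hypothetical policy table (constructed): the sender addresses each authenticated
# account may use, both in the From: header and in the SMTP envelope (MAIL FROM).
ALLOWED_IDENTITIES: Dict[str, Set[str]] = {
    "alice": {"alice@example.com"},
    "bob": {"bob@example.com"},
}


def _from_addresses(email_obj: dict) -> List[str]:
    """Collect the addresses in an Email/set create object's From header.

    Covers the parsed "from" property and the raw "header:From:asAddresses" form,
    since JMAP lets a client set the header either way. Addresses are lowercased
    as a simplification; a real server would compare local parts per its own rules."""
    addrs = [a.get("email", "") for a in email_obj.get("from") or []]
    addrs += [a.get("email", "") for a in email_obj.get("header:From:asAddresses") or []]
    return [a.lower() for a in addrs if a]


def sender_violations(request: dict, authenticated_account: str,
                      identities: Dict[str, Set[str]] = ALLOWED_IDENTITIES) -> List[str]:
    """Return the reasons this JMAP request should be rejected; empty means it is clean.

    Resolves "#creationId" references from EmailSubmission/set back to the Email/set
    call in the same request. A submission that references an already-stored message
    by its real id would need the stored From: header loaded instead (not shown here)."""
    allowed = {a.lower() for a in identities.get(authenticated_account, set())}
    violations: List[str] = []
    pending_from: Dict[str, List[str]] = {}  # creation id -> From: addresses

    for call in request.get("methodCalls", []):
        name, args = call[0], call[1]
        # Acting on another account's data is its own violation; skip deeper checks.
        if args.get("accountId") != authenticated_account:
            violations.append(f"{name}: accountId {args.get('accountId')!r} is not the "
                              f"authenticated account {authenticated_account!r}")
            continue
        if name == "Email/set":
            for cid, obj in (args.get("create") or {}).items():
                pending_from[cid] = _from_addresses(obj)
        elif name == "EmailSubmission/set":
            for cid, sub in (args.get("create") or {}).items():
                envelope = sub.get("envelope") or {}
                mail_from = (envelope.get("mailFrom") or {}).get("email", "").lower()
                if mail_from and mail_from not in allowed:
                    violations.append(f"submission {cid}: MAIL FROM {mail_from!r} "
                                      f"not owned by {authenticated_account!r}")
                ref = sub.get("emailId") or ""
                if ref.startswith("#"):
                    for addr in pending_from.get(ref[1:], []):
                        if addr not in allowed:
                            violations.append(f"submission {cid}: From: {addr!r} "
                                              f"not owned by {authenticated_account!r}")
    return violations


def build_request(account: str, header_from: str, mail_from: str) -> dict:
    """Constructed sample: a two-call JMAP request shaped like the one in the issue."""
    return {
        "using": ["urn:ietf:params:jmap:submission", "urn:ietf:params:jmap:mail",
                  "urn:ietf:params:jmap:core"],
        "methodCalls": [
            ["Email/set", {"accountId": account, "create": {"draft1": {
                "mailboxIds": {"drafts": True},
                "subject": "lunch tomorrow",
                "from": [{"name": "Sender", "email": header_from}],
                "to": [{"name": "Bob", "email": "bob@example.com"}],
            }}}, "c0"],
            ["EmailSubmission/set", {"accountId": account, "create": {"sub1": {
                "emailId": "#draft1",
                "envelope": {"mailFrom": {"email": mail_from},
                             "rcptTo": [{"email": "bob@example.com"}]},
            }}}, "c1"],
        ],
    }


if __name__ == "__main__":
    # alice authenticated, but From: and MAIL FROM both name bob: two violations.
    for reason in sender_violations(build_request("alice", "bob@example.com", "bob@example.com"), "alice"):
        print("reject:", reason)
    # Same account using its own address: accepted.
    print("clean:", sender_violations(build_request("alice", "alice@example.com", "alice@example.com"), "alice"))
```

The point of resolving the `#draft1` reference is that header and envelope are checked at submission time, not at draft creation: a client may legitimately store a draft with any From: header, and the server only needs to refuse to relay it.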

@chibenwa

@brong @ksmurchison can you please clarify the design and the impact on the SMTP service to be able to secure this?

I am highly disturbed by the fact that a search on this repository for the terms forbiddenFrom and forbiddenMailFrom yields no result...

Thanks,

Warm regards,

Benoit
