How to block a user from sending on behalf of a group they are not a member of

Your question

Hi,

I have installed Stalwart with an LDAP connection to Windows AD. Everything works as expected: users are created, groups are created and member users can read group emails.
What I found out is that any user can send on behalf of any group, member or not.
Is there any possibility to limit this? I mean, only users who are members of a group should be able to send on behalf of that group.

Thanks,
Andrei

Based on my research, here is what the docs say and what’s available to you:

Stalwart’s isSenderAllowed expression on the MAIL FROM stage controls whether a sender address is accepted, but the available expression variables (sender, sender_domain, authenticated_as, etc.) do not include a built-in function to check whether authenticated_as is a member of the group address used as sender. There is no native “is this authenticated user a member of the group they’re sending as” check built into the expression engine.

However, there are two approaches that could work depending on your setup:

1. Sieve script at the MAIL FROM stage
You can attach a Sieve script to the MAIL FROM stage via the script field on MtaStageMail. The script has access to envelope variables and can use the extlists extension to check against lookup stores. If you maintain a lookup table mapping each group address to its allowed senders, the Sieve script can reject the MAIL FROM if the authenticated user is not on that list. This requires building and maintaining that lookup store separately (since Stalwart’s internal LDAP directory is not directly queryable from Sieve’s extlists).

2. Using isSenderAllowed with an explicit allowlist
You can also customize the isSenderAllowed expression with a key_exists call against a lookup store you populate manually with allowed sender/group pairs.

Neither approach provides an automatic, LDAP-backed “only members can send as the group” policy out of the box today. The LDAP filterMemberOf setting controls how group memberships are resolved for mail delivery, not for sender authorization.

Relevant docs:

A staff member may be able to confirm whether a more direct approach (e.g. a Sieve vacation/extlists lookup against the internal directory, or a planned feature) is possible or on the roadmap.

This is an automated reply from the Stalwart Help Bot. Other community members may follow up if this answer is incomplete or wrong. If you found it useful, mention @helpbot in any reply to ask follow-up questions and the bot will respond again.

The setting that enforces this is mustMatchSender on the auth stage (AUTH stage | Stalwart). It’s true by default, but if you have a custom auth stage in the WebUI it’s worth checking that field. With it on, a user can only use a MAIL FROM address that is either their own address or an address inherited from a group they’re member_of; an outsider trying to send as a group they don’t belong to gets 501 5.5.4 You are not allowed to send from this address.

A couple of things would help me confirm what you’re seeing: is mustMatchSender actually true on your auth stage, and does the unauthorised send succeed silently or fail with the 501? And in your LDAP/AD directory definition, does the memberOf mapping populate the group membership for the user attempting the send? If the group’s email address is set on the Group object and the user’s member_of includes that Group, the check should refuse the impersonation; if the Group’s address list is empty, anything goes.
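To make the two suggestions above concrete, here is a small added example (not Stalwart code, and not from either reply) that implements the rule the second reply describes for mustMatchSender: an authenticated user may use a MAIL FROM address only if it is one of their own addresses or an address of a group they are a member of. The same function also emits the allowed (group address, user) pairs as lookup keys of the kind the help bot suggests populating for a key_exists or extlists check. The directory snapshot is constructed inline, the `<address>:<user>` key format is an assumption, and the `501 5.5.4` text is the one quoted in the reply.

```python
"""Sender authorisation by group membership.

Added example; not part of Stalwart. The directory below is a constructed
snapshot of what an AD sync produces (users and groups, each with zero or
more addresses, users carrying a member_of list of group names).
"""
from dataclasses import dataclass, field


@dataclass
class Principal:
    name: str
    addresses: list                                 # mail addresses of this principal
    member_of: list = field(default_factory=list)   # names of groups this principal belongs to


# Constructed directory snapshot (not real data).
DIRECTORY = {
    "andrei":  Principal("andrei",  ["andrei@example.org"],  ["sales"]),
    "mallory": Principal("mallory", ["mallory@example.org"], []),
    "sales":   Principal("sales",   ["sales@example.org"]),
    "nomail":  Principal("nomail",  []),   # group synced without an email address
}


def build_allowlist(directory):
    """Return the set of (sender_address, authenticated_as) pairs that are permitted.

    A user is allowed to send from each of their own addresses and from every
    address of every group listed in their member_of. Addresses are lower-cased
    so the later check is case-insensitive on the local part as well.
    """
    allowed = set()
    for name, principal in directory.items():
        for addr in principal.addresses:
            allowed.add((addr.lower(), name))
        for group_name in principal.member_of:
            group = directory.get(group_name)
            if group is None:          # dangling membership: grant nothing for it
                continue
            for addr in group.addresses:
                allowed.add((addr.lower(), name))
    return allowed


def lookup_keys(allowed):
    """Render the pairs as '<address>:<user>' keys (hypothetical key format)
    suitable for loading into a lookup store consulted with key_exists."""
    return sorted(f"{addr}:{user}" for addr, user in allowed)


def is_sender_allowed(authenticated_as, sender, allowed):
    """True if the authenticated user may use `sender` as MAIL FROM."""
    if not authenticated_as:
        return False                   # unauthenticated sessions are out of scope here
    return (sender.lower(), authenticated_as) in allowed


def mail_from_response(authenticated_as, sender, allowed):
    """SMTP-style reply for a MAIL FROM attempt under this policy."""
    if is_sender_allowed(authenticated_as, sender, allowed):
        return "250 2.1.0 OK"
    return "501 5.5.4 You are not allowed to send from this address"


if __name__ == "__main__":
    table = build_allowlist(DIRECTORY)
    for key in lookup_keys(table):
        print(key)
    print(mail_from_response("andrei", "sales@example.org", table))
    print(mail_from_response("mallory", "sales@example.org", table))
```

Note that a group synced without any address (the `nomail` entry) contributes no keys, so nobody can send as it; the second reply points out that the real check behaves differently in that case, which is exactly why it asks whether the Group object's address is populated in LDAP.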