mirror of
https://github.com/anonaddy/anonaddy.git
synced 2026-04-25 14:15:53 +03:00
[GH-ISSUE #76] Disable automatic alias creation #115
Labels
No labels
bug
pull-request
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference
starred/anonaddy#115
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @piramiday on GitHub (Sep 15, 2020).
Original GitHub issue: https://github.com/anonaddy/anonaddy/issues/76
hi all, love the service!
I have a feature to suggest: disable automatic alias creation as an option.
since this has been mostly thought of as a way to protect from spam, I clearly see a "vulnerability".
if a database has been leaked and an email address compromised, say, whatever@username.anonaddy.me, then a malicious actor has a certain way to spam the user behind that email address.
as long as the email headers check out and emails get forwarded by anonaddy, of course, the bad actor can make up any non-existent alias to that username, e.g. non-existent-alias@username.anonaddy.me
the user might disable that alias, since it fell into the hand of spammers, but the bad actor can always make up another one.
this could be solved if, as an option, a user could specify to allow incoming emails only for the user-created aliases.
what do you think? thanks!
@willbrowningme commented on GitHub (Sep 21, 2020):
Thanks for your suggestion, definitely something I would like to add for username subdomains (e.g. @johndoe.anonaddy.com) and custom domains.
Ideally it would be best to do this in the Postfix config, I will investigate and see if I can figure something out.
@TomasTokaMrazek commented on GitHub (Sep 30, 2020):
I just came here to post this issue. I was a bit surprised, that this is not an option already. It's not just spamming recipient email via one nonexistent alias, it's also the possibility for a malicious actor to spam alias creation. He can create hundreds of random aliases in my account in a span of one loop script.
With automatic alias creation disabled it would make sense to extend browser extensions to create not just UUID / Random Word alias, but also a standard alias.
@willbrowningme commented on GitHub (Oct 1, 2020):
Yes you're right. I'll make this one of the next things I work on.
@willbrowningme commented on GitHub (Oct 8, 2020):
This has just been added for custom domains in the latest release and will be added for additional usernames and the main account username shortly.
@willbrowningme commented on GitHub (Oct 9, 2020):
This has also just been added in v0.5.0 for additional usernames.
@FrozenVertx commented on GitHub (Oct 11, 2020):
Is it possible to add passcode when making new allias
for example I want to make github@example.anonaddy.com then I type github+my_passcode_to_generate_particular_alias@example.anonaddy.com to create above alias just like forwarding service and I determine the passcode for alias creation when disable autoalias creation.
just a suggestion, if possible then it is very handy
@willbrowningme commented on GitHub (Oct 12, 2020):
@just-opensource It would be possible but I'm not sure there is much of a use case for that feature.
It would be easier to use the browser extension to just create the alias you want
github@example.anonaddy.comif you had catch-all turned off instead of sending yourself an email.@FrozenVertx commented on GitHub (Oct 12, 2020):
I know browser extension is quick but for emergencies there should be a backup especially when you are away from pc and using another person's pc and don't want to install extension.
I use extension rarely and its really easy to just type the email and email is created.
Anyway with/without it anonaddy is always best.
@willbrowningme commented on GitHub (Oct 12, 2020):
Thanks! There is also an open-source Android app on F-Droid that has been created by a developer named Stjin.
@FrozenVertx commented on GitHub (Oct 12, 2020):
O I totally don't know about android app ,thanks for informing about app I will try it.
@willbrowningme commented on GitHub (Oct 16, 2020):
In v0.6.0 you can now disable catch-all (automatica alias creation) for the main account username.
@TomasTokaMrazek commented on GitHub (Oct 21, 2020):
@willbrowningme I didn't want to create other issue, but the "Update Default Alias Format" is missing the newly added "Custom" option.
@willbrowningme commented on GitHub (Oct 21, 2020):
@TomasTokaMrazek Thanks, I did miss that! Just pushed an update out today.
@vlad-tim commented on GitHub (Jan 24, 2021):
@willbrowningme Imagine a self-hosted server with
example.comdomain and a single admin userjohndoe.Disabling Catch-All discards emails to
random@johndoe.example.com. Is it possible to do the same for emails coming to the root domain e.g.random@example.com?@willbrowningme commented on GitHub (Jan 27, 2021):
@vlad-timofeev You can acheive this by simply setting
ANONADDY_ADMIN_USERNAMEin your.envfile as empty:Then you won't receive emails for
example.comunless they already exist.@vlad-tim commented on GitHub (Jan 27, 2021):
@willbrowningme It works, thank you. I forgot that non-admin users can create aliases at root domain.