MDaemon Email Server 24.5

SMTP Authentication

SMTP Authentication (AUTH)

Authentication is always required when mail is from local accounts

When this option is enabled and an incoming message claims to be from one of MDaemon's domains, the account must first be authenticated or MDaemon will refuse to accept the message for delivery. This option is enabled by default.

...unless message is to a local account

If you are requiring authentication when a message is from a local sender, but wish to skip the authentication restriction when the recipient is local as well, then click this option. Note: this may be necessary in some situations where you require some of your users to use different mail servers for outgoing and incoming mail.

...unless Domain Sharing finds the sender on another server

By default, when Domain Sharing finds the sender on another server, that sender will be exempt from the "Authentication is always required..." option above. Clear this checkbox if you wish to require authentication from those senders as well.

Authentication is always required when mail is sent from local IPs

Enable this option if you wish to require authentication when an incoming message is being sent from a local IP address. If the session is not authenticated, the message will be rejected. Trusted IPs are exempt, and this option is enabled by default for new installations.

Credentials used must match those of the return-path address

By default, the credentials used during SMTP authentication must match those of the address found in the message's return-path. Disable this option if you do not wish to require the return path to match. To support gateway mail storage and forwarding, there is a corresponding option located on the Global Gateway Settings screen that will "Exempt gateway mail from AUTH credential matching requirements" by default.

Credentials used must match those of the 'From:' header address

By default, the credentials used during SMTP authentication must match those of the address found in the message's "From:" header. Disable this option if you do not wish to require the "From:" header to match. To support gateway mail storage and forwarding, there is a corresponding option located on the Global Gateway Settings screen that will "Exempt gateway mail from AUTH credential matching requirements" by default.

Exempt list

Use the Credentials Matching Exempt List to exempt an address from the "Credentials used must match..." options above. To be exempt from the "...must match those of the return-path address" option, the exempt address must match the address in the message's return-path. To be exempt from the "...must match those of the 'From:' header address" option, the exempt address must match the address in the message's "From:" header.

Mail from 'Postmaster', 'abuse', 'webmaster' must be authenticated

Click this checkbox to require messages claiming to be from one of your "postmaster@...", "abuse@..." or "webmaster@..." aliases or accounts to be authenticated before MDaemon will accept them. Spammers and hackers know that these addresses might exist, and may therefore attempt to use one of them to send mail through your system. This option will prevent them and other unauthorized users from being able to do so. This option is mirrored on the Settings screen of Aliases. Changing the setting here will change it there as well.

Do not apply POP Before SMTP to authenticated sessions

If you are utilizing the POP Before SMTP security feature, you can click this option to make authenticated users exempt from this restriction. An authenticated user will not need to check his or her email before sending messages.

Do not allow authentication on the SMTP port

This option disables AUTH support over the SMTP port. AUTH will not be offered in the EHLO response, and will be treated as an unknown command if provided by the SMTP client. This setting and the "...add their IP to the Dynamic Screen" option below are useful in configurations where all legitimate accounts are using the MSA or other port to submit authenticated mail. In such configurations the assumption is that any attempt to authenticate on the SMTP port must be from an attacker.

...add their IP to the Dynamic Screen if they attempt it anyway

When using the "Do not allow authentication on the SMTP port" option above, this option will add to the Dynamic Screen any IP address of any client that attempts to authenticate on the SMTP port anyway. The connection will also be immediately terminated.
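To confirm that the two options above have taken effect, you can check replies captured from the SMTP port against the behavior described: no AUTH keyword in the EHLO response, and the AUTH command either rejected as unknown or answered by a dropped connection. The following is an added example, not MDaemon code; the function names, host name and transcripts are constructed for illustration, and the 500/502 reply codes for an unknown command are an assumption taken from RFC 5321.

```python
# Added example: check captured port-25 replies against the hardened setting.
# All transcripts below are constructed samples, not MDaemon output.

def auth_mechanisms(ehlo_reply):
    """Return the AUTH mechanisms advertised in a raw multi-line EHLO reply."""
    mechs = []
    lines = [l for l in ehlo_reply.splitlines()
             if l[:3] == "250" and l[3:4] in ("-", " ")]
    for line in lines[1:]:  # the first 250 line is the greeting, not a keyword
        keyword, _, params = line[4:].strip().partition(" ")
        if keyword.upper().startswith("AUTH="):  # legacy "AUTH=LOGIN" spelling
            keyword, params = "AUTH", keyword[5:] + " " + params
        if keyword.upper() == "AUTH":
            for mech in params.upper().split():
                if mech not in mechs:
                    mechs.append(mech)
    return mechs

def auth_command_recognized(auth_reply):
    """True if the reply shows the server processed AUTH instead of refusing it."""
    code = auth_reply.strip()[:3]
    # "" = connection dropped (as with the Dynamic Screen option);
    # 500/502 = command unrecognized / not implemented (assumed, RFC 5321).
    # Anything else (334 challenge, 235 success, 535 failure) means AUTH ran.
    return code not in ("", "500", "502")

def check_port25(ehlo_reply, auth_reply):
    """Return a list of findings; an empty list means the port behaves as hardened."""
    findings = []
    mechs = auth_mechanisms(ehlo_reply)
    if mechs:
        findings.append("EHLO advertises AUTH: " + " ".join(mechs))
    if auth_command_recognized(auth_reply):
        findings.append("AUTH command was processed: " + auth_reply.strip())
    return findings

# Constructed sample EHLO replies (hypothetical host name).
HARDENED_EHLO = ("250-mail.example.test Hello\r\n250-SIZE 52428800\r\n"
                 "250-STARTTLS\r\n250 8BITMIME\r\n")
OPEN_EHLO = ("250-mail.example.test Hello\r\n250-AUTH LOGIN PLAIN\r\n"
             "250-AUTH=LOGIN\r\n250 8BITMIME\r\n")

if __name__ == "__main__":
    print(check_port25(HARDENED_EHLO, "500 Unknown command\r\n"))
    print(check_port25(OPEN_EHLO, "334 VXNlcm5hbWU6\r\n"))
```

Run the same check against the MSA port only to list which mechanisms it offers, since some servers advertise AUTH there only after STARTTLS.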