SecurityGateway for Email Servers v10.5

SMTP Authentication

The settings on this page govern SMTP-AUTH, which extends SMTP with an authentication step. Users effectively log in to the server when sending messages, which ensures that their identity is known and valid. Because authenticated senders are known, SMTP Authentication lets you skip many of the other security steps designed to catch spammers and other unauthorized users who attempt to relay mail through your server under a forged identity.

SMTP Authentication

Authentication is always required when mail is from local accounts

Click this checkbox if you wish to require authentication whenever a message is purported to be from a local account. If the SMTP session is not authenticated then the message will be refused. This option is disabled by default.

...unless message is to a local account

When you have enabled the "Authentication is always required when mail is from local accounts" option above, click this option if you wish to exempt messages from that requirement when the recipient is a local account. In other words, when a message from a local address is also to a local address, authentication will not be required. This option is disabled by default.

...unless message is from a domain mail server

Click this option if you wish to exempt messages from the "Authentication is always required when mail is from local accounts" option when they come from one of your domain mail servers.

...unless message is from an allowlisted IP address or host

Check this box if you wish to exempt the local account from the SMTP authentication requirement when the message is from an allowlisted IP address or host.

Authentication credentials must match those of the email sender

Use this option if you wish to require a sender to use only his own credentials for authentication. So, for example, frank@example.com would only be allowed to authenticate using the frank@example.com account credentials. If he attempted to authenticate using frank02@example.com then it would not be allowed, even if the frank02@example.com credentials were valid. This option is disabled by default. Note: this option does not apply to the SMTP AUTH Password.

Mail from 'postmaster', 'abuse', 'webmaster' requires authentication

When an email claims to be from postmaster, abuse, or webmaster at one of your local domains, authentication is required by default. This is because many spammers and unauthorized users know that those accounts or aliases exist on servers and attempt to use them to relay mail or pose as one of those authoritative addresses.

Do not allow authentication on the SMTP port

When this option is enabled, AUTH will not be offered in the EHLO response and will be treated as an unknown command if provided by the SMTP client. This setting is useful in configurations where all legitimate accounts are using the MSA or other port to submit authenticated mail. In such configurations the assumption is that any attempt to authenticate on the SMTP port must be from an attacker.
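One way to confirm that the "Do not allow authentication on the SMTP port" option has taken effect is to inspect the EHLO reply on each port. The following is an added example, not SecurityGateway code: the function names, the use of port 587 as the MSA port, and the sample replies are assumptions made for illustration.

```python
import smtplib
import ssl

def auth_mechanisms(ehlo_reply: str) -> list[str]:
    """Return the SASL mechanisms advertised in a raw EHLO reply (empty if none)."""
    mechs: list[str] = []
    for line in ehlo_reply.splitlines():
        # Reply lines look like "250-KEYWORD params" or "250 KEYWORD params".
        if len(line) < 4 or line[:3] != "250" or line[3] not in "- ":
            continue
        keyword, _, params = line[4:].strip().partition(" ")
        if keyword.upper().startswith("AUTH="):  # legacy "AUTH=LOGIN PLAIN" form
            keyword, params = "AUTH", keyword[5:] + " " + params
        if keyword.upper() == "AUTH":
            for mech in params.upper().split():
                if mech not in mechs:
                    mechs.append(mech)
    return mechs

def audit(replies: dict[int, str], smtp_port: int = 25) -> list[str]:
    """Flag AUTH offered on the SMTP port, or missing on any other port checked."""
    findings = []
    for port, reply in sorted(replies.items()):
        mechs = auth_mechanisms(reply)
        if port == smtp_port and mechs:
            findings.append(f"port {port}: AUTH offered ({', '.join(mechs)}), expected none")
        elif port != smtp_port and not mechs:
            findings.append(f"port {port}: no AUTH offered, authenticated submission will fail")
    return findings

def fetch_ehlo(host: str, port: int, timeout: float = 10.0) -> str:
    """Live helper: EHLO reply text, re-requested after STARTTLS when it is offered."""
    with smtplib.SMTP(host, port, timeout=timeout) as conn:
        conn.ehlo()
        if conn.has_extn("starttls"):
            # Default context verifies the server certificate against `host`.
            conn.starttls(context=ssl.create_default_context())
            conn.ehlo()
        text = conn.ehlo_resp.decode(errors="replace")
        return "\n".join("250-" + ln for ln in text.splitlines())

# Constructed sample replies (not captured from a real server).
SMTP_PORT_REPLY = "250-gateway.example.com Hello\n250-SIZE 20480000\n250-STARTTLS\n250 8BITMIME"
MSA_PORT_REPLY = "250-gateway.example.com Hello\n250-AUTH LOGIN PLAIN\n250-STARTTLS\n250 8BITMIME"
AUTH_LEFT_ON = "250-gateway.example.com Hello\n250-AUTH=LOGIN PLAIN\n250 AUTH LOGIN CRAM-MD5"

if __name__ == "__main__":
    print(audit({25: SMTP_PORT_REPLY, 587: MSA_PORT_REPLY}))  # setting effective
    print(audit({25: AUTH_LEFT_ON, 587: MSA_PORT_REPLY}))     # AUTH still offered on 25
```

For a live check against your own gateway, pass `fetch_ehlo(host, port)` results to `audit`. The helper repeats EHLO after STARTTLS because many servers advertise AUTH only on an encrypted session.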

Exceptions - Domains

If you select a specific domain in the "For Domain:" drop-down list box at the top of the page when configuring these settings, that domain will be listed here after saving the settings. Click the View/Edit link for the corresponding domain to review or edit its SMTP Authentication settings, or click Reset to reset the domain's settings to the default Global values.