The settings on this page govern SMTP-AUTH, which extends SMTP to include an authentication step. This effectively allows users to log in to the server when sending messages, thus ensuring that their identity is known and valid. Because an authenticated sender is known, SMTP Authentication allows you to skip many of the other security steps that are designed to catch spammers or other unauthorized users who attempt to relay mail through your server by using a forged identity.
SMTP Authentication
Authentication is always required when mail is from local accounts
Click this checkbox if you wish to require authentication whenever a message is purported to be from a local account. If the SMTP session is not authenticated then the message will be refused. This option is disabled by default.
...unless message is to a local account
When you have enabled the "Authentication is always required when mail is from local accounts" option above, click this option if you wish to exempt messages from that requirement when the recipient is a local account. In other words, when a message from a local address is also to a local address, authentication will not be required. This option is disabled by default.
...unless message is from a domain mail server
Click this option if you wish to exempt messages from the "Authentication is always required when mail is from local accounts" option when they come from one of your domain mail servers.
...unless message is from a whitelisted IP address or host
Check this box if you wish to exempt the local account from the SMTP authentication requirement when the message is from a whitelisted IP address or host.
Authentication credentials must match those of the email sender
Use this option if you wish to require a sender to use only his own credentials for authentication. So, for example, frank@example.com would only be allowed to authenticate using the frank@example.com account credentials. If he attempted to authenticate using frank02@example.com then it would not be allowed, even if the frank02@example.com credentials were valid. This option is disabled by default.
Mail from 'postmaster', 'abuse', 'webmaster' requires authentication
When an email claims to be from postmaster, abuse, or webmaster at one of your local domains, authentication is required by default. This is because many spammers and unauthorized users know that those accounts or aliases exist on servers and attempt to use them to relay mail or pose as one of those authoritative addresses.
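The following is an added example, not the product's own code: a small Python model of how the options above combine, useful for checking what a given set of checkboxes lets an unauthenticated session do before you save it. The class and field names, the example.com domain, the order of evaluation, and the choice that the three "...unless" exemptions apply only to the local-account rule are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

LOCAL_DOMAINS = {"example.com"}                  # constructed sample value
RESERVED = {"postmaster", "abuse", "webmaster"}  # names listed on this page

@dataclass
class Settings:                      # hypothetical names, one per option above
    require_auth_local: bool = False         # disabled by default
    unless_to_local: bool = False
    unless_domain_mail_server: bool = False
    unless_whitelisted: bool = False
    creds_must_match: bool = False           # disabled by default
    reserved_requires_auth: bool = True      # required by default

@dataclass
class Session:                       # hypothetical view of one SMTP session
    mail_from: str
    rcpt_to: str
    auth_user: Optional[str] = None          # None = session did not authenticate
    from_domain_mail_server: bool = False
    from_whitelisted: bool = False

def is_local(addr: str) -> bool:
    return addr.rpartition("@")[2].lower() in LOCAL_DOMAINS

def evaluate(s: Settings, m: Session) -> str:
    """Return 'pass' or 'refuse: <reason>' for the checks on this page only."""
    sender = m.mail_from.lower()
    if m.auth_user is not None:
        # Valid credentials for a different account are still rejected.
        if s.creds_must_match and m.auth_user.lower() != sender:
            return "refuse: credentials do not match sender"
        return "pass"
    # Unauthenticated from here on. Assumption: reserved names get no exemption.
    if s.reserved_requires_auth and is_local(sender) \
            and sender.partition("@")[0] in RESERVED:
        return "refuse: reserved address requires authentication"
    if s.require_auth_local and is_local(sender):
        exempt = ((s.unless_to_local and is_local(m.rcpt_to))
                  or (s.unless_domain_mail_server and m.from_domain_mail_server)
                  or (s.unless_whitelisted and m.from_whitelisted))
        if not exempt:
            return "refuse: authentication required for local sender"
    return "pass"
```

In this model, enabling "...unless message is to a local account" means an unauthenticated session that claims a local sender passes whenever the recipient is local, so forged local-to-local mail has to be caught by your other checks.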
Exceptions - Domains
If you select a specific domain in the "For Domain:" drop-down list box at the top of the page when configuring these settings, that domain will be listed here after saving the settings. Click the View/Edit link for the corresponding domain to review or edit its SMTP Authentication settings, or click Reset to reset the domain's settings to the default Global values.