SMTP Authentication (AUTH)
Authentication is always required when mail is from local accounts
When this option is enabled and an incoming message claims to be from one of MDaemon's domains, the account must first be authenticated or MDaemon will refuse to accept the message for delivery. This option is enabled by default.
...unless message is to a local account
If you are requiring authentication when a message is from a local sender, but wish to skip the authentication restriction when the recipient is local as well, then click this option. Note: this may be necessary in some situations where you require some of your users to use different mail servers for outgoing and incoming mail.
...unless Domain Sharing finds the sender on another server
By default, when Domain Sharing finds the sender on another server, that sender will be exempt from the Authentication is always required... option above. Clear this checkbox if you wish to require authentication from those senders as well.
Authentication is always required when mail is sent from local IPs
Enable this option if you wish to require authentication when an incoming message is being sent from a local IP address. If unauthenticated the message will be rejected. Trusted IPs are exempt, and this option is enabled by default for new installations.
Credentials used must match those of the return-path address
By default, the credentials used during SMTP authentication must match those of the address found in the message's return-path. Disable this option if you do not wish to require the return path to match. To support gateway mail storage and forwarding, there is a corresponding option located on the Global Gateway Settings screen that will "Exempt gateway mail from AUTH credential matching requirements" by default.
Credentials used must match those of the 'From:' header address
By default, the credentials used during SMTP authentication must match those of the address found in the message's "From:" header. Disable this option if you do not wish to require the "From:" header to match. To support gateway mail storage and forwarding, there is a corresponding option located on the Global Gateway Settings screen that will "Exempt gateway mail from AUTH credential matching requirements" by default.
Exempt list
Use the Credentials Matching Exempt List to exempt an address from the "Credentials used must match..." options above. To be exempt from the "...must match those of the return-path address" option, the exempt address must match the address in the message's Return-Path. To be exempt from the "...must match those of the 'From:' header address" option, the exempt address must match the address in the message's From: header.
Mail from 'Postmaster', 'abuse', 'webmaster' must be authenticated
Click this checkbox to require messages claiming to be from one of your "postmaster@...", "abuse@..." or "webmaster@..." aliases or accounts to be authenticated before MDaemon will accept them. Spammers and hackers know that these addresses might exist, and may therefore attempt to use one of them to send mail through your system. This option will prevent them and other unauthorized users from being able to do so. This option is mirrored on the Settings screen of Aliases. Changing the setting here will change it there as well.
Do not apply POP Before SMTP to authenticated sessions
If you are utilizing the POP Before SMTP security feature, you can click this option to make authenticated users exempt from this restriction. An authenticated user will not need to check his or her email before sending messages.
Do not allow authentication on the SMTP port
This option disables AUTH support over the SMTP port. AUTH will not be offered in the EHLO response, and will be treated as an unknown command if provided by the SMTP client. This setting and the "...add their IP to the Dynamic Screen" option below are useful in configurations where all legitimate accounts are using the MSA or other port to submit authenticated mail. In such configurations the assumption is that any attempt to authenticate on the SMTP port must be from an attacker.
...add their IP to the Dynamic Screen if they attempt it anyway
When using the Do not allow authentication on the SMTP port option above, this option will add to the Dynamic Screen any IP address of any client that attempts to authenticate on the SMTP port anyway. The connection will also be immediately terminated.
