How to block fake local email addresses from delivering mail?
Question asked by Philip Van Pul - December 3, 2015 at 8:31 AM
Hi all, my first post...
I'm not sure how to search for this in the knowledge base or community. This may already be answered, and if so, I apologize for the duplication and would appreciate a link to the pertinent thread.
I've seen quite a few instances where a fake email address using one of our domain names is used to send mail inbound to the server from outside our organization to a valid email account on our server. The domain portion is correct, but the email root is not.
Example:  We host the domain and sends an email to from an outside server.  There is no email/user on our server. The fake@ email is delivered through port 25 unauthenticated (just like any other email). 
It seems that by default SmarterMail 11 allows this.  I run a few other mail servers and they all seem to disallow this out of the box, recognizing that the fake@ is not a valid user.
Is there a setting that governs this?
(Note that I considered the use of SPF in our DNS, but I'll have to make changes to the mail systems at some of our remote properties to make that work.)

3 Replies

Settings, Protocol Settings, SMTP In then check the "Enable domain's SMTP auth setting for local deliveries" box.
Hi Joe,
thanks for replying!
That setting seems to cause some issues with our copier/scanners that use the mail server to send out. They can scan to outside addresses (as they authenticate to do that), but cannot deliver to internal ones. I'll need to get our local IT support in those locations to have a look at the settings in those machines. For now I disabled that setting again. (I did establish SPF in our DNS last night. Still testing that.)
The setting that Joe pointed him to is hard to find, difficult to understand, and should be eliminated.
Instead, this existing check box at the domain level should require SMTP Auth for all users. Period.
Eliminating the local deliveries check box will make SM easier to set up and more hardened against spammers.
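
An added example, not part of the thread and not SmarterMail code: an audit to run before enabling the local-deliveries setting, listing which source IPs deliver unauthenticated mail that claims a hosted domain to a local recipient, so spoofing hosts and devices like the copier/scanners mentioned above appear in one list. The record layout, `example.com` and the IP addresses are constructed assumptions; the parsing has to be adapted to the server's real SMTP log.

```python
from collections import defaultdict

LOCAL_DOMAINS = {"example.com"}  # assumption: the domains hosted on this server

# Constructed sample records (not SmarterMail's log format), one per inbound
# message: (source IP, SMTP AUTH succeeded?, MAIL FROM, RCPT TO).
SAMPLE_SESSIONS = [
    ("203.0.113.45", False, "fake@example.com", "alice@example.com"),
    ("203.0.113.45", False, "ceo@example.com", "bob@example.com"),
    ("192.0.2.10", False, "scanner@example.com", "alice@example.com"),
    ("192.0.2.10", True, "scanner@example.com", "partner@example.org"),
    ("198.51.100.7", True, "bob@example.com", "alice@example.com"),
    ("198.51.100.99", False, "news@example.net", "alice@example.com"),
]


def domain_of(address):
    """Return the lower-cased domain of an address, or '' if it is malformed."""
    local, sep, domain = address.strip().strip("<>").rpartition("@")
    return domain.lower() if sep and local else ""


def is_unauth_local_claim(authenticated, mail_from, rcpt_to,
                          local_domains=LOCAL_DOMAINS):
    """True when an unauthenticated session claims a hosted sender domain
    and delivers to a recipient in a hosted domain."""
    return (not authenticated
            and domain_of(mail_from) in local_domains
            and domain_of(rcpt_to) in local_domains)


def audit(sessions, local_domains=LOCAL_DOMAINS):
    """Map each flagged source IP to the sorted sender addresses it claimed."""
    flagged = defaultdict(set)
    for ip, authenticated, mail_from, rcpt_to in sessions:
        if is_unauth_local_claim(authenticated, mail_from, rcpt_to,
                                 local_domains):
            flagged[ip].add(mail_from.lower())
    return {ip: sorted(senders) for ip, senders in flagged.items()}


if __name__ == "__main__":
    for ip, senders in sorted(audit(SAMPLE_SESSIONS).items()):
        print(f"{ip}: unauthenticated mail claiming {', '.join(senders)}")
```

Every IP in the output would start failing local delivery once SMTP auth is required for local deliveries, so known internal devices on the list need to be reconfigured to authenticate first.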
