It seems like SmarterMail is not taking SPF into account within the context of the following SMTPin setting:
Settings > Protocol Settings > SMTPin > "Enable domain's SMTP auth setting for local deliveries"
We are a hosting company and frequently our clients need to send mail through a 3rd party email service. We have added the appropriate SPF records to our clients' domains - however inevitably when they try to send themselves a test message from a 3rd party mail server, they get a "550 Authentication is required for relay" message. The FROM address is a local mailbox, the TO address is a local mailbox, and the sending server passes an SPF check.
As I understand, this is related (at least in part) to a setting within SmarterMail's SMTPin Settings which reads "Enable domain's SMTP auth setting for local deliveries". We have that setting enabled, and at each domain we have the "Enable SMTP Authentication" setting enabled as well. This effectively blocks random spammers from emailing FROM @ourcustomer.com to @ourcustomer.com - however it is also forcing authentication on legitimate 3rd party mail servers that are authorized in the domain's SPF record.
Obviously we don't want to disable SMTP authentication at the domain level, so the only workaround we have found is to add the sending SMTP server's IP address(es) to the SMTP Authentication Bypass whitelist. Unfortunately that is not really a sustainable workaround.
I am not sure if this behavior changed in SmarterMail over the last 6 months or so (we are running 14.5.5...), or if our customers are just using 3rd parties for SMTP more often - but in either case I have found myself adding more and more whitelist entries over the last few months.
Senders are usually pretty good about updating their own SPF records, and since we include the senders' SPF records in our customers' domain SPF records - we theoretically have a pretty up to date list of IP addresses that should be allowed to send mail through our customers' domains and should not need any whitelist entries.
If the sender doesn't pass an SPF check for the FROM address, then I'm fine with our server rejecting with a 550 authentication required message, however if the sending IP passed an SPF check - SmarterMail should not require authentication for delivery to local users.
Has anyone else run into this and/or come up with another workaround that does not result in a less secure SMTP configuration?
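The whitelist workaround described in the post can be audited against the SPF record it is meant to mirror. The sketch below is an added example, not part of the original post and not SmarterMail code: it flattens a domain's `ip4`/`ip6`/`include` terms and reports bypass entries that are missing or no longer authorised. The domains, TXT records and the `flatten_spf` and `whitelist_drift` helpers are constructed for illustration, and `a`, `mx`, `exists` and `redirect` terms are not handled.

```python
import ipaddress

# Constructed TXT records standing in for DNS (hypothetical domains, documentation ranges).
ZONE = {
    "ourcustomer.example": "v=spf1 ip4:192.0.2.10 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8:10::/48 include:_spf2.mailer.example ~all",
    "_spf2.mailer.example": "v=spf1 ip4:203.0.113.64/26 ~all",
}
MAX_LOOKUPS = 10  # RFC 7208 limit on DNS-querying terms per evaluation

def flatten_spf(domain, txt=ZONE.get, _state=None):
    """Return the networks authorised by ip4/ip6 terms, following include: chains."""
    state = _state if _state is not None else {"lookups": 0, "seen": set()}
    if domain in state["seen"]:
        return set()  # include loop: already expanded
    state["seen"].add(domain)
    record = txt(domain)
    if not record or not record.lower().startswith("v=spf1"):
        return set()
    nets = set()
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        name, _, value = term.lstrip("+-~?").partition(":")
        if qualifier != "+":
            continue  # only "pass" terms authorise a sender
        if name.lower() in ("ip4", "ip6"):
            nets.add(ipaddress.ip_network(value, strict=False))
        elif name.lower() == "include":
            state["lookups"] += 1
            if state["lookups"] > MAX_LOOKUPS:
                raise ValueError("SPF lookup limit exceeded")
            nets |= flatten_spf(value, txt, state)
    return nets

def whitelist_drift(domain, whitelist):
    """Return (missing, stale): SPF networks not whitelisted, entries SPF no longer covers."""
    allowed = flatten_spf(domain)
    current = {ipaddress.ip_network(w, strict=False) for w in whitelist}
    def covered(net, pool):
        return any(net.version == p.version and net.subnet_of(p) for p in pool)
    stale = sorted(str(n) for n in current if not covered(n, allowed))
    missing = sorted(str(n) for n in allowed if not covered(n, current))
    return missing, stale
```

SPF evaluates the envelope MAIL FROM domain (RFC 7208), and a provider's `include` usually covers ranges shared by all of its tenants, so a bypass list built from it trusts more senders than the one customer.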