
How To Allow Mail Relay Through VPOP3

If you are allowing remote access into VPOP3 to collect mail then you may also want those remote users to be able to send their outgoing mail through VPOP3 as well.

This is more complex than allowing users to collect mail, because, by default, SMTP connections are not authenticated. This means that when someone tries to send a message through VPOP3, VPOP3 doesn't know who that user is. This can cause a problem if unauthorised users try to send mail through VPOP3, as you will want to block those users, whilst still allowing legitimate users to send mail.

The default VPOP3 settings will tell VPOP3 which computer IP addresses are allowed to send outgoing messages, so VPOP3 checks the IP address of the computer which is connected to it to work out whether that user can send outgoing messages. However, if you want to allow remote users to send mail, you may not know the IP addresses of the remote users' PCs.

In this case, you need to change the VPOP3 configuration to make it use the 'Authentication' extension to the SMTP protocol so that your remote users can log on before sending mail. This works fine as long as the remote users are using email client software which supports SMTP authentication. (Most modern email clients do, but some older ones don't.)

To do this, go to the Services → SMTP page in the VPOP3 settings.

In the SMTP Authentication box, choose Required, and check the Do not require SMTP authentication for internal/incoming mail option.

(In earlier versions you may need to check the Require SMTP Authentication and Do not require SMTP authentication for internal/incoming mail options instead.)

Make sure the SMTP Anti-Relay Protection method is set to Check Client IP Address.

VPOP3 Version 5 or later

Go to the SMTP Server → IP Access Restrictions tab.

The default settings will have Block - routers and Allow - Local Nets entries. These will block the router itself from sending outgoing email, and anyone on the local network will be able to send outgoing mail.

Now that you have checked the Require SMTP Authentication box, local users will still be able to send mail, but only if they change their email client configuration to use SMTP authentication. If you wish, you may check the Allow Unauth box next to the Local Nets entry to allow your local users to send mail without authenticating. If you have added any other 'trusted' networks, e.g. other subnets on your office network, you may also choose to check the Allow Unauth box for those rules as well.

Then, add another restriction to Allow - Any. Do NOT check the No Auth box for this entry. This lets any user send mail as long as they have authenticated first.

If you wish, you can click on the cell in the Users column on the Allow Any row to select users who can send mail from the Internet. If you don't do this, then any user can send mail from the Internet. In the screenshot above, we have allowed the 'support' and 'webmaster' users to send outgoing mail from the Internet.

VPOP3 Version 3 or 4

Go to the SMTP Server → IP Access Restrictions tab.

If you still have your default access restrictions in play, you may check the No Auth box next to the network address for your local network. This will allow your local users to send mail without authenticating. (This is optional; you may wish to require your local users to authenticate as well, for extra security.)

Add another restriction to Allow - Any. Do NOT check the No Auth box for this entry. This lets any user send mail as long as they have authenticated first.

You can optionally add VPOP3 account names to the Allow Any entry if you want to restrict the users who can send mail from the Internet, e.g.

Allow Any - fred bob

means that only the fred and bob user accounts can send mail from the Internet.

VPOP3 Version 1.5

You now need to modify the entries in the Access Restrictions box. If you currently have there something like:

192.168.1.0 255.255.255.0

change it to

NOGLOBAL
192.168.1.0 255.255.255.0 noauth
0.0.0.0 0.0.0.0

This tells VPOP3 that users on the 192.168.1.0 subnet can send mail without needing to authenticate, and users on the rest of the Internet (0.0.0.0 0.0.0.0) can send mail as long as they authenticate first. The NOGLOBAL tells VPOP3 not to let the global access restrictions (set on the Services page) override the SMTP service specific settings.

The Do not require SMTP authentication for internal/incoming mail option tells VPOP3 to still allow incoming SMTP messages if you use that facility.

You can optionally add VPOP3 account names to the 0.0.0.0 0.0.0.0 line if you want to restrict the users who can send mail from the Internet, eg

0.0.0.0 0.0.0.0 fred bob

means that only the fred and bob user accounts can send mail from the Internet.

If you want all users (including local users) to have to authenticate with VPOP3 before sending mail, you can remove the noauth text at the end of the line allowing access from your local LAN.

how_to/allowing_mail_relay_through_vpop3.txt · Last modified: 2018/11/14 10:45 by 127.0.0.1