=====How To Allow Mail Relay Through VPOP3=====

If you are allowing remote access into VPOP3 [[Allow Remote Access to VPOP3 Mailboxes|to collect mail]] then you may also want those remote users to be able to send their outgoing mail through VPOP3 as well.

This is more complex than allowing users to collect mail, because, by default, SMTP connections are not authenticated. This means that when someone tries to send a message through VPOP3, VPOP3 doesn't know who that user is. This can cause a problem if unauthorised users try to send mail through VPOP3, as you will want to block those users, whilst still allowing legitimate users to send mail.

The default VPOP3 settings will tell VPOP3 which computer IP addresses are allowed to send outgoing messages, so VPOP3 checks the IP address of the computer which is connected to it to work out whether that user can send outgoing messages. However, if you want to allow remote users to send mail, you may not know the IP addresses of the remote users' PCs.

In this case, you need to change the VPOP3 configuration to make it use the 'Authentication' extension to the SMTP protocol so that your remote users can log on before sending mail. This works fine as long as the remote users are using email client software which supports SMTP authentication. (Most modern email clients do, but some older ones don't).

To do this, go to the **Services -> SMTP** page in the VPOP3 settings.

In the **SMTP Authentication** box, choose **Required**, and check the **Do not require SMTP authentication for internal/incoming mail** option.

(In earlier versions you may need to check the **Require SMTP Authentication** and *Do not require SMTP authentication for internal/incoming mail** options instead.)

Make sure the **SMTP Anti-Relay Protection** method is set to **Check Client IP Address**.

=====VPOP3 Version 5 or later=====
Go to the **SMTP Server -> IP Access Restrictions** tab

{{:how_to:smtpaccessrestrict5.png?nolink|}}

The default settings will have **Block - routers** and **Allow - Local Nets** entries. These will block the router itself from sending outgoing email, and anyone on the local network will be able to send outgoing mail.

Now you have checked the **Require SMTP Authentication** box, local users will still be able to send mail, but only if they change their email client configuration to use SMTP authentication. If you wish, you may check the **Allow Unauth** box next to the **Local Nets** entry to allow your local users to send mail without authenticating. If you have added any other 'trusted' networks, eg other subnets on your office network, you may also choose to check the **Allow Unauth** box for those rules as well.

Then, add another restriction to **Allow - Any**. Do NOT check the **No Auth** box for this entry. This lets any user send mail as long as they have authenticated first.

If you wish, you can click on the cell in the **Users** column on the **Allow Any** row to select users who can send mail from the Internet. If you don't do this, then any user can send mail from the Internet. In the screenshot above, we have allowed the 'support' and 'webmaster' to send outgoing mail from the Internet.


=====VPOP3 Version 3 or 4=====
Go to the **SMTP Server -> IP Access Restrictions** tab

If you still have your default access restrictions in play, you may check the **No Auth** box next to the network address for your local network. This will allow your local users to send mail without authenticating. (This is optional, you may wish to require your local users to authenticate as well, for extra security)

Add another restriction to **Allow - Any**. Do NOT check the **No Auth** box for this entry. This lets any user send mail as long as they have authenticated first.

{{:how_to:smtprelay1.png|}}

You can optionally add VPOP3 account names to the **Allow Any** entry if you want to restrict the users who can send mail from the Internet, eg

** Allow Any - fred bob**

means that only the ''fred'' and ''bob'' user accounts can send mail from the Internet


=====VPOP3 Version 1.5=====
You now need to modify the entries in the ''Access Restrictions'' box. If you currently have there something like:

  192.168.1.0 255.255.255.0

change it to

  NOGLOBAL
  192.168.1.0 255.255.255.0 noauth
  0.0.0.0 0.0.0.0

This tells VPOP3 that users on the 192.168.1.0 subnet can send mail without needing to authenticate, and users on the rest of the Internet (0.0.0.0 0.0.0.0) can send mail as long as they authenticate first. The ''NOGLOBAL'' tells VPOP3 not to let the global access restrictions (set on the ''Services'' page) override the SMTP service specific settings.

The ''Do not require SMTP authentication for internal/incoming mail'' option tells VPOP3 to still allow incoming SMTP messages if you use that facility.

You can optionally add VPOP3 account names to the 0.0.0.0 0.0.0.0 line if you want to restrict the users who can send mail from the Internet, eg

  0.0.0.0 0.0.0.0 fred bob

means that only the ''fred' and ''bob'' user accounts can send mail from the Internet

If you want all users (including local users) to have to authenticate with VPOP3 before sending mail, you can remove the ''noauth'' text at the end of the line allowing access from your local LAN.

{{tag>security services remote relay}}