How to prevent spoofing of local email addresses
One common use for the Exception command is to prevent email spoofing. The following commands force SMTP connections to authenticate if they claim to be from example.com or any of its subdomains:
CLI> Exception Add smtp:in smtpauth (sender=*@example.com) required
CLI> Exception Add smtp:in smtpauth (sender=*@*.example.com) required
Combined with Relay Add for local IP addresses and trusted mail servers, this forces all incoming SMTP connections from the external Internet to authenticate. If an email falsely claims that its sender is @example.com, it is rejected with a "530 MAIL requires AUTH" error. Local users are asked to authenticate (supply a password) if they have not already done so using POP or IMAP.
The Exception commands above are recommended for educational institutions and service providers that cannot trust every member of their online community. For organizations that trust their users, the authentication step (password for sending) can be avoided by disabling Smtpauth when the originating IP address is inside the local network, in this case 10.7.0.0 with netmask 255.255.0.0.
CLI> Exception Add smtp:in smtpauth (sender=*@example.com) required
CLI> Exception Add smtp:in smtpauth (sender=*@*.example.com) required
CLI> Exception Add smtp:in smtpauth (domain=10.7.0.0/16)(sender=*@example.com) off
CLI> Exception Add smtp:in smtpauth (domain=10.7.0.0/16)(sender=*@*.example.com) off
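To check that the exceptions above are in force, an administrator can issue an unauthenticated MAIL FROM for each local sender pattern and confirm the 530 reply. The following is an added example, not part of the product or its manual; the function names, the sample addresses and the loopback stub server (which stands in for a configured mail server so the script runs offline) are all constructed for illustration.

```python
import re
import smtplib
import socketserver
import threading

# Mirrors the page's sender patterns *@example.com and *@*.example.com.
LOCAL_SENDER = re.compile(r"@([a-z0-9-]+\.)*example\.com>$", re.I)

def probe(host, port, senders, timeout=10):
    """Issue an unauthenticated MAIL FROM per sender; return {sender: reply code}."""
    results = {}
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo("probe.invalid")
        for sender in senders:
            results[sender] = smtp.mail(sender)[0]
            smtp.rset()  # discard the envelope; no message is ever submitted
    return results

def unprotected(results):
    """Senders accepted without AUTH, i.e. any reply other than 530."""
    return sorted(s for s, code in results.items() if code != 530)

class StubHandler(socketserver.StreamRequestHandler):
    """Constructed stand-in that behaves as if both 'required' exceptions are set."""
    def handle(self):
        self.wfile.write(b"220 stub ESMTP\r\n")
        for raw in self.rfile:
            line = raw.decode().strip()
            if line.upper().startswith("QUIT"):
                self.wfile.write(b"221 bye\r\n")
                return
            reply = "250 ok"  # assumption: the stub accepts everything else
            is_mail = line.upper().startswith("MAIL FROM:")
            if is_mail and LOCAL_SENDER.search(line.split(":", 1)[1].split()[0]):
                reply = "530 MAIL requires AUTH"
            self.wfile.write((reply + "\r\n").encode())

def start_stub():
    """Start the stub on a free loopback port and return the server object."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), StubHandler)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

if __name__ == "__main__":
    srv = start_stub()
    res = probe("127.0.0.1", srv.server_address[1],
                ["alice@example.com", "bob@lab.example.com", "carol@other.test"])
    print(res, "accepted without AUTH:", unprotected(res))
    srv.shutdown()
```

Against a real server, run probe() from an address that is neither in the Relay list nor inside 10.7.0.0/16; from inside that network the "off" exceptions apply and a reply other than 530 is expected.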
For more information please refer to the Protocol Manual's Exception Command.