RE: [IMail Forum] Non-existent user able to send to localhost users

[admin]

I’m confused.  He shouldn’t be able to use your SMTP unless he is:   Coming from a trusted IP Authenticating with an active account and password,    If you are using Declude maybe you can add your own domain to a spam domains test if he is using @yourdomain.com maybe this could add enough weight to it to prevent it from getting through.  OR I think  you can whitelistauth if you are using IMAIL 8 so anyone who authenticates will be whitelisted.  I’m tired and I feel like I’m rambling…. Hopefully someone will clear up what I am trying to say.   Marc     -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dale McDiarmid Sent: Wednesday, March 10, 2004 10:05 PM To: [EMAIL PROTECTED] Subject: Re: [IMail Forum] Non-existent user able to send to localhost users   At 05:52 PM 3/10/2004, you wrote: On Wednesday, March 10, 2004, 19:22:19, Brad Morgan wrote: >   ... > Let me see if I have this right... > > Dale says he's setup for no relay. > > I believe that if you have no relay set then only users that authenticate > can send mail through your server (to other domains). Correct. > If you have relay for IP addresses set, then only those IPs can send > through your server (to other domains) without authenticating > (authentication is still allowed). In all cases, anyone can send mail > addressed to your domain. Correct. > If I'm right, then when you "fire" an employee, you delete his email > account (or change its password) and they can no longer use your > server to send email to the outside. Correct  but if I read his question correctly he's not complaining about the   ex-employee   relaying  thru  his  server  to  the  outside,  he's complaining about the ex-employee sending to other employees. That is what I'm concerned about here, yes. > The above employee can, however, send mail claiming he is still @yourdomain > if he can find an SMTP server to use.  This is the classic spoofed from > address.  I guess its easy enough to forget to change that information in > your profile and if the new SMTP server doesn't check... > My problem is there's no "..if he can find an SMTP server to use". He already knows an SMTP server to use. Mine. > If I understand SPF correctly, it prevents this last case. Yes. > If you verify the from address, doesn't that also prevent this last > case (at least for mail sent to your domain)? Yes. According to IMail, if I use the Verify MAIL FROM Address feature (as found on the Connection Filtering tab of Antispam feature), then no one can send anything unless I add Trusted IP Addresses. I'll research SPF, but the way I understand it; without SPF I'm stuck with choosing between A) Not authenticating anyone who says they're from my domain (and knows my SMTP) as long as they're sending to someone in my domain, B) Prevent emps from using email from at home on dialup. Thx, D.