Hi,

Been setting up email account today in DSM Version: 3.0-42 and found that you dont need to use SMTP authentication on you mail client to be able to send. I also tested sending mail from a completely random domain name and it was allowed to relay through and was delivered.

At the moment the server appears to be completely open to all. Am i doing something wrong?

It's not an open relay, however we did re-implement pop-before-smtp in dsm 3. This means that any user that successfully checks mail (using pop3 or imap) will be able to send mail for a limited amount of time without further authentication.

That is why, when checking from a computer (or IP if more than one computer share that same IP) that has recently downloaded e-mail you will be able to send mail without authentication.

Rest assured that you server is not an open relay (and any number of the free tests available on the internet will also verify that statement independently).

Please note, this does not change our recomendation that all clients implement SMTP authentication. SMTP Authentication ensures that your mail will always be accepted, without counting on less accurate time based access measures (such as the pop-before-smtp method described above).

If you want to disable pop-before-smtp on your server and force all clients to use smtp auth, you can perform the following:

/sbin/service pop-before-smtp stop
/sbin/chkconfig pop-before-smtp off
rm -f /etc/courier/smtpaccess/pbs
/usr/lib/courier/sbin/makesmtpaccess

However, leaving the configuration at its default does not make your server an open-relay. Infact, the new pop-before-smtp we released with dsm3 actually logs more data regarding the true source of all messages than previous versions that were available with dsm 2.x (on some OSes). This makes finding spammers much easier if and when they do use one of your accounts to send spam messages.

cool no problem then, thanks for your reply.