(My english level is poor, sorry)
I am trying to implement a new mail server in java, multiplatform. Almost every thing is done, but i have a problem in the authentication process.
Every user in the server has four option:
- Can receive mail
- Can send mail
- Can send mail only to own domain users
- Can send mail only to own server users
I have implemented three SMTP authentication mechanisms to do so:
- POP3 before SMTP
- AUTH PLAIN
- AUTH LOGIN
The implementation of the option "Can receive mail" is easy. But the others are not so. When a remote server connects to my SMTP server to send a mail to a local user, it doesn't authenticate, so it can send mail to any user in the server (if is a local user, of course) (if this is not right, tell me please). The rules to permit/deny users to send mail can only be applied if the users authenticates against the server, so if the user doesn't authenticate it will can send mail to all users, omiting those rules, as it were a remote SMTP server. I don't want this.
If I check the MAIL FROM command to check is a local user, and then tell him he must authenticate if he wants to send mails with that address as sender, it works fine too.
But if a local user configure his e-mail client with another address than local, and he doesn't authenticate, it will can send mails without the restrictions. I know why this happens, and i know that that is in that way.
I only want to know if the described processes of verification and operation of the server are correct, and if there is a way to prevent the problem.