SMTP Authentication

NethServer Version: NethServer release 7.9.2009 (final)
Module: eMail 2.31.5
Kernel Release 3.10.0-1160.53.1.el7.x86_64

Hello Nethserver community,

We also use the Nethserver as an e-mail server.
The e-mails are forwarded from the commercial servers to the Nethserver e-mail server, e.g. from GMX.
Then we retrieve them from the nethserver via IMAP and/or POP3.

How do I configure the outgoing server so that it can only be used with SMTP authentication?
Or even better, no authentication from the internal LAN (for system emails from other servers) and authentication from the Internet.

Simply sending from the LAN would also be sufficient in terms of security, so that SMTP authentication would not be absolutely necessary.

It’s just that others can’t use our server as an exit server.

It might also be worth mentioning that the network server is a member of an Active Directory 2016.
The authentication when sending e-mails already works like this, I tested it, but it can also be sent without it.

Or is it enough to configure the firewall?
However, other e-mail servers should be able to transmit e-mails to the network server. If I blocked that, no reception would be possible either. Or am I wrong?

Many greetings,
Tim

Hi @HarzDriver

I’d suggest using the old Server Manager

If not installed, you can install it with:

yum install -y nethserver-httpd-admin

Under Email (very far below in the list!) you’ll find:

This should work, the settings are, AFAIK, respected by the newer Cockpit…

My 2 cents
Andy


It’s possible with Cockpit too in Email application settings/relay, no need for old server manager.


Thank you for the ultra-quick response.

In the new cockpit it seems to be this.
I have activated it, but you can still send emails from outside via my server.
I tested it with a smartphone via the mobile network.
Otherwise that’s exactly what I want.
However, I had already seen that.
But maybe I didn’t understand something, and that’s why it doesn’t work.

Tick the “trusted networks”, the LAN of NethServer is always in that group.
You could also add IPs or ranges in the box above.

Any authenticated user can always send mail, if they can connect.

You could, for example, deactivate ports 587 and 465 on your firewall to disallow external access…
Deactivating auth on Port 25 would then completely disallow external sending through your server.

Note: If you have Webmail activated, external sending is still (theoretically) possible…

My 2 cents
Andy


Can I also specify the network here, such as:

CIDR suffix
192.168.0.0/20



That’s how it is set for me.

Do I understand correctly that your NethServer is NOT your Firewall?

If needed, you need to block the ports 465 and 587 from external access on your external firewall…

This would make it impossible for an external user (even if legitimately authenticated) to send mail.
The possibilities are: Ports 587, 25 or 465.
Port 25 is needed for incoming mail.
You can deactivate auth on Port 25.
So clients - even smartphones - can only send when in the LAN, not from external.

You could use a VPN on external devices like notebooks / smartphones…
(You wouldn’t want to block yourself from sending a mail from external, I suppose?)… :slight_smile:

My 2 cents
Andy

Exactly, the nethserver is a member server.
Ports 25, 110 and 143 are forwarded to the nethserver (NAT & PAT).
Everything has been working fine for a long time.
Only no foreign users should be allowed to use the server from the outgoing server. :slight_smile:

Yes, I have two VPN servers, but they don’t help here.
Also, I don’t want to go into the VPN first to do something.

We (family) do not need an outgoing email server for normal end devices.
Notebooks, PCs and smartphones use the GMX server as the outgoing email server.
No emails are accepted from a DHCP range anyway.

We only use the nethserver for POP3 and IMAP.
And the e-mail server accepts the e-mails from outside.
That is also OK.

Internally in the LAN, only other servers send e-mail via the nethserver.

The settings in the web interface under “relay” are exactly what I would like if it only worked that way. Mhh…?

That’s fine if it works…

In Switzerland, if possible, we prefer to use our own mail systems, to avoid tracking and misuse of data for advertising.

We don’t use clouds if possible, unless it’s your own…

My 2 cents
Andy

PS: I do have similar settings for some clients, it is working…
Maybe check / double-check all involved systems (Firewall, other NethServers) especially DNS, Mail and maybe also Firewalling…

Your mileage may vary, but you should get there! :slight_smile:


I once added the whole range of servers.
You could not specify an IP range.
Maybe it only works in this combination?
Maybe I should boot the server?

But, I’m in the right place here in the web interface, it seems.
It could have been that I’m on the wrong track, and that only works here if you set up a real relay server.
I have to test this first.
By the way, I don’t need a smart host.
But that would be even worse, then someone could send spam through my server, which is also accepted.
Now someone can send mails that are not accepted anyway (because of the DHCP area).

Thank you first.
I’ll test everything again and report back.

Again for understanding.
The settings are independent of whether I set up a relay-host, right?
Or do they only work with a relay host?

I could have saved myself from entering the IP addresses. hehe
“Allow relay from trusted networks” is probably sufficient.

These settings are independent from a “relay host”.


It’s what I need then, now I just need to figure out why it’s not working on this server.

Thank you very much very nice…

Maybe it’s just as Germans like to say:

Reboot tut immer gut!

(A reboot is always good)

:slight_smile:

And that’s not only valid for Windows…

My 2 cents
Andy


I guess I just tested wrong.
If I take an e-mail address from the server, then it works even without an account and password for the outgoing mail server.
Sure, that’s as if another mail server wants to transfer an email.

If I use a third-party e-mail address as the recipient, a message comes up immediately from my mail server that it is not allowed.

If I enter the password and username for the e-mail account, I can send to other “foreign” e-mail addresses.
Everything as desired. At least that’s a quick test.

However, the relay does not work in the local network, but it should also work without a username and password.
But that’s not bad, since I can specify a password for most services.
And where it doesn’t work, I still have a purely internal mail server that can still be used for such purposes.

Aquamail with Android:

https://docs.nethserver.org/en/v7/mail.html
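The behaviour Tim observed in his test (local recipients accepted without credentials, foreign recipients refused unless the client is authenticated or inside the trusted LAN) is the standard Postfix relay policy that NethServer's "relay" settings drive. The following Python block is an added example, not code from the thread or from NethServer itself: it models that decision the way Postfix evaluates `permit_mynetworks`, `permit_sasl_authenticated` and `reject_unauth_destination`, with a per-port switch reflecting Andy's suggestion to leave SASL auth only on 465/587. The network ranges, the `example.org` domain and the sample client addresses are constructed assumptions.

```python
"""Model of the Postfix relay decision a NethServer mail setup is tuning.

Constructed example (not NethServer's generated configuration). It mirrors
    smtpd_relay_restrictions = permit_mynetworks,
                               permit_sasl_authenticated,
                               reject_unauth_destination
plus a per-port flag, because the thread suggests turning SASL auth off on
port 25 and keeping it only on the submission ports 465/587.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample values; substitute the real ones for your site.
TRUSTED_NETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
                    ipaddress.ip_network("192.168.0.0/20")]   # LAN, CIDR form
LOCAL_DOMAINS = {"example.org"}   # domains this server receives mail for
AUTH_PORTS = {465, 587}           # ports on which SASL auth is offered at all


@dataclass
class Session:
    client_ip: str       # source address of the SMTP connection
    port: int            # local port the client connected to
    authenticated: bool  # SASL login succeeded on this connection
    rcpt: str            # RCPT TO address being evaluated


def relay_decision(s: Session) -> str:
    """Return a Postfix-style reply for the RCPT TO stage of the session."""
    ip = ipaddress.ip_address(s.client_ip)
    rcpt_domain = s.rcpt.rsplit("@", 1)[-1].lower()

    # permit_mynetworks: clients inside the trusted networks may relay anywhere
    if any(ip in net for net in TRUSTED_NETWORKS):
        return "250 OK (permit_mynetworks)"

    # permit_sasl_authenticated: only meaningful on ports where auth is enabled;
    # with auth disabled on port 25 nobody can satisfy it there.
    if s.authenticated and s.port in AUTH_PORTS:
        return "250 OK (permit_sasl_authenticated)"

    # reject_unauth_destination: everyone else may only deliver to our own
    # domains, which is what inbound mail from other MTAs needs.
    if rcpt_domain in LOCAL_DOMAINS:
        return "250 OK (local destination)"
    return "554 5.7.1 Relay access denied"


if __name__ == "__main__":
    # The four situations described in the thread, with constructed addresses.
    for sess in (
        Session("203.0.113.5", 25, False, "tim@example.org"),    # inbound mail from the Internet
        Session("203.0.113.5", 25, False, "someone@gmx.net"),    # smartphone on mobile network, no login
        Session("203.0.113.5", 587, True, "someone@gmx.net"),    # smartphone with account credentials
        Session("192.168.5.10", 25, False, "someone@gmx.net"),   # internal server in the LAN
    ):
        print(f"{sess.client_ip}:{sess.port} auth={sess.authenticated} -> {sess.rcpt}: {relay_decision(sess)}")
```

The last case is the one the thread says "does not work" in the LAN; in this model it is accepted purely because the source address falls inside 192.168.0.0/20, so when real relaying from the LAN fails, the first things to compare are the client's actual source address (after any NAT) and the CIDR ranges the server treats as trusted.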

I fully understand this and I agree :slight_smile: Don’t get me wrong, clouds have (sometimes significant) benefits over traditional infrastructure, but, from a security POV, it’s an expressway to disaster.

I think I know which one you are talking about. I’m also a long-time paying user of this system. There is NO better mail system out there :slight_smile: Tested many.