Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share

protocols - how to determine who sent request to my smtp server: mail-client (such as outlook) or other smtp servers

I am developing an SMTP server and there is a question I don't understand about the SMTP handshake.

#1. Mail client (Outlook) -> My SMTP server

EHLO - AUTH - FROM - TO - DATA - QUIT

This is an SMTP relay request. My SMTP server takes the request and delivers the mail to another mail server.

#2. Other SMTP server -> My SMTP server

EHLO - FROM - TO - DATA - QUIT

I understood the SMTP flow between SMTP servers as follows. The AUTH command is not necessary in this case, because the AUTH command is for authenticating a client that sends a relay request to an SMTP server.

#1 and #2 are the SMTP flows as I understand them. What I'm curious about is how my SMTP server determines whether a request is from a client or a server. I want to decide whether to do the AUTH command based on that.

If my thinking is wrong, please don't laugh too much; I ask for a kind explanation. Thank you.

question from:https://stackoverflow.com/questions/65856666/how-to-determine-who-sent-request-to-my-smtp-server-mail-client-such-as-outloo


1 Reply


The usual modern solution is to separate SMTP submission from regular SMTP transmission traffic, and require authentication for the former, but not the latter.

The latter should only accept inbound traffic for domains you are MXing for, and run on port 25.

Regular users should be blocked from using port 25 (your ISP or corporate firewall probably already does this) and use port 587 for message submission. (Some legacy systems still use 465, but you should not.)

In actual practice, you would check at MAIL FROM whether the sender is internal, in which case reject if they are not authenticated; and otherwise, check in RCPT TO if all recipients are internal, and reject the ones which are not.

See RFC 6409 for the SMTP submission spec, and RFC 8314 for related security recommendations.
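
The policy described in the answer above, as an added Python sketch that is not part of the original answer: the decision is driven by the listening port and the session's authentication state, not by guessing what kind of software connected. `LOCAL_DOMAINS`, `Session` and the function names are hypothetical, and the addresses are constructed samples.

```python
from dataclasses import dataclass

# Assumption: the domains this server is MX for (constructed sample value).
LOCAL_DOMAINS = {"example.org"}
MX_PORT, SUBMISSION_PORT = 25, 587

@dataclass
class Session:
    port: int                    # port the connection arrived on
    authenticated: bool = False  # set to True after a successful AUTH

def domain_of(address: str) -> str:
    """Domain part of an envelope address; '' for the null sender <>."""
    return address.strip("<>").rpartition("@")[2].lower()

def check_mail_from(s: Session, sender: str) -> tuple[int, str]:
    # Submission port: every sender must authenticate first (RFC 6409).
    if s.port == SUBMISSION_PORT and not s.authenticated:
        return 530, "5.7.0 Authentication required"
    # Any port: a sender claiming a local domain must be authenticated.
    # The envelope sender is attacker-controlled, so this only stops
    # unauthenticated use of local addresses; it proves nothing else.
    if domain_of(sender) in LOCAL_DOMAINS and not s.authenticated:
        return 530, "5.7.0 Authentication required"
    return 250, "2.1.0 Sender OK"

def check_rcpt_to(s: Session, recipient: str) -> tuple[int, str]:
    # Authenticated users may relay to any destination.
    if s.authenticated:
        return 250, "2.1.5 Recipient OK"
    # Unauthenticated peers (other MTAs) may only deliver to local domains;
    # accepting anything else would make the server an open relay.
    if domain_of(recipient) in LOCAL_DOMAINS:
        return 250, "2.1.5 Recipient OK"
    return 550, "5.7.1 Relaying denied"

if __name__ == "__main__":
    mta = Session(port=MX_PORT)  # another server delivering inbound mail
    print(check_mail_from(mta, "<carol@example.net>"))
    print(check_rcpt_to(mta, "<alice@example.org>"))   # local: accepted
    print(check_rcpt_to(mta, "<dave@example.com>"))    # relay attempt: 550
    user = Session(port=SUBMISSION_PORT)               # mail client, no AUTH yet
    print(check_mail_from(user, "<alice@example.org>"))  # 530
```

Each recipient is checked separately, so a message from another server with mixed recipients keeps the local ones and loses only the external ones.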

