LinuxQuestions.org


Tux-Slack 04-12-2007 04:15 PM

sendmail (security) problem
 
I've configured sendmail based on the howto on LQ.org by SiegeX
got it working, so I can send mail from outside of the server
when I authenticate the server sends the mail as it should, this part is ok
the problem begins when, in the client (Thunderbird), I disable the option use username and password, and change the mail address a bit from user@host.com to user666@host.com
and the server sends the mail anyway, this is not right
the first thing is that it should not (I don't want it to) send mail if the user doesn't authenticate
the second thing is, user666 user or alias doesn't even exist on the system and it also shouldn't be able to send mail through my server
sure I have added only trusted IPs to RELAY, but anyway I feel it is a bit more vulnerable

so is there a way to tell the server not to send mail if the user hasn't authenticated?
and also tell it if the user or mail alias doesn't exist not to send it either?

H_TeXMeX_H 04-12-2007 09:56 PM

I don't know, but recommend fetchmail or qmail instead.

gilead 04-12-2007 10:28 PM

You can force authentication (there's info at http://www.sendmail.org/~ca/email/auth.html#authop), but it's not recommended unless your mail server is only being used by your users. If it's being used to receive mail from users at other domains, it won't work because they can't authenticate.

As far as I can tell the only way to do what you're talking about is to have 2 mail servers. The first would be for your users and would allow them to relay to other domains, but would require SMTP AUTH. The second is to receive mail for your domain from other domains; it would not require SMTP AUTH.

Tux-Slack 04-13-2007 02:15 PM

and that's exactly what I want
only my users can use my mail server and no one else
because now I can delete the IP range relaying
when I specified i.e. 198.15 RELAY
and only those within this IP range could relay through the server
the problems began when someone of my users went abroad and couldn't send mail through it anymore
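
The forced-authentication option linked above, written out as a sendmail.mc fragment next to the IP-based relay entry it replaces. This is an added example, not part of the thread or the poster's configuration; it assumes sendmail is built with SASL and STARTTLS support, that the access map lives at /etc/mail/access, and that users submit on port 587.

```m4
dnl Added example: sendmail.mc fragment, not the poster's actual configuration.
dnl Assumptions: SASL AUTH already works (as in the first post), STARTTLS is
dnl configured, and the access map is /etc/mail/access.

dnl --- Before: one listener, AUTH optional, relaying decided by client IP ---
dnl   DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
dnl   /etc/mail/access:    198.15    RELAY
dnl Any host in 198.15.x.x relays without logging in, with any sender address,
dnl and a legitimate user outside that range cannot send at all.

dnl --- After ---
dnl Port 25 stays open without AUTH so other domains can still deliver mail
dnl addressed to local users. With the RELAY line removed from the access
dnl map, this listener relays only for clients that authenticate.
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl

dnl Port 587 is for your own users, wherever they are. The "a" modifier
dnl makes AUTH mandatory on this listener; "E" disallows ETRN.
DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl

dnl Mechanisms to offer, and the ones whose successful AUTH permits relaying.
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl

dnl "p": do not offer plaintext mechanisms (LOGIN, PLAIN) unless the session
dnl is protected by TLS. "A": only pass the AUTH= parameter on MAIL FROM
dnl when authentication succeeded.
define(`confAUTH_OPTIONS', `A p')dnl
```

After editing, rebuild sendmail.cf from the .mc file, rebuild the access map with makemap, and restart sendmail; mail clients then need to be pointed at port 587 with username and password enabled.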


All times are GMT -5.