My boss had me watch the mail server as he was having an issue trying to send an email. When I was watching I saw a flood of 18 IP addresses sending emails, and the "Mercury SMTP Server" window was showing the MAIL FROM: and RCPT TO: being my boss, but I knew that wasn't him trying to send.
None of them showed up in the Mercury Core Process window, which I thought was pretty strange. I looked in POPFile and there wasn't anything. Then I looked in mercurys.log:
T 20260219 114324 69970a1f Connection from 149.27.54.54
T 20260219 114324 69970a1f EHLO [149.27.54.54]
T 20260219 114325 69970a1f MAIL FROM: <myuser@mydomain.com>
T 20260219 114325 69970a1f RCPT TO: <myuser@mydomain.com>
T 20260219 114325 69970a1f DATA
T 20260219 114328 69970a1f Connection closed with 149.27.54.54, 4 sec. elapsed.
I then looked at the session log:
11:43:43.498: --- 19 Feb 2026, 11:43:43.498 ---
11:43:43.498: Accepted connection from '149.27.54.54', port 25, timeout 25 secs.
11:43:43.498: Connection from 149.27.54.54, Thu Feb 19, 11:43:43
11:43:43.498: << 220 uncuts.com ESMTP server ready.<cr><lf>
11:43:43.826: >> EHLO [149.27.54.54]<cr><lf>
11:43:43.826: << 250-mydomain.com Hello [149.27.54.54]; ESMTPs are:<cr><lf>
11:43:43.826: << 250-TIME<cr><lf>
11:43:43.826: << 250-SIZE<cr><lf>
11:43:43.826: << 250-AUTH CRAM-MD5 LOGIN PLAIN<cr><lf>
11:43:43.826: << 250-AUTH=LOGIN<cr><lf>
11:43:43.826: << 250-STARTTLS<cr><lf>
11:43:43.826: << 250 HELP<cr><lf>
11:43:44.185: >> MAIL FROM: <myuser@mydomain.com><cr><lf>
11:43:44.185: << 250 Sender OK - send RCPTs.<cr><lf>
11:43:44.513: >> RCPT TO: <myuser@mydomain.com><cr><lf>
11:43:44.513: << 250 Recipient OK - send RCPT or DATA.<cr><lf>
11:43:45.154: >> DATA<cr><lf>
11:43:45.154: << 354 OK, send data, end with CRLF.CRLF<cr><lf>
11:43:48.388: >> Received: from pnoebnw ([91.211.97.33]) by 04407.com with MailEnable ESMTP; Thu, 19 Feb 2026 22:43:48 +0500<cr><lf>
11:43:48.388: >> Received: (qmail 33209 invoked by uid 332); 19 Feb 2026 22:43:46 +0500<cr><lf>
11:43:48.435: >> From: myuser@mydomain.com<cr><lf>
11:43:48.435: >> To: myuser@mydomain.com<cr><lf>
11:43:48.435: >> Subject: YOU PERVERT! I RECORDED YOU!<cr><lf>
11:43:48.435: >> Date: Thu, 19 Feb 2026 22:43:48 +0500<cr><lf>
11:43:48.435: >> Message-ID: <332091.332091@04407.com><cr><lf>
11:43:48.435: >> Mime-Version: 1.0<cr><lf>
11:43:48.435: >> Content-type: text/plain;<cr><lf>
11:43:48.435: >> <cr><lf>
11:43:48.435: >> Hello there!<cr><lf>
11:43:48.435: >> <cr><lf>
11:43:48.435: >> Unfortunately, there is some bad news for you.<cr><lf>
11:43:48.435: >> <cr><lf>
11:43:48.435: >> Some time ago, your device was infected with my private trojan, R.A.T (Remote Administration Tool).<cr><lf>
11:43:48.435: >> <cr><lf>
11:43:48.435: >> If you want to find out more about it, simply use Google.<cr><lf>
11:43:48.435: >> <cr><lf>
11:43:48.435: >> My trojan allowed me to access your files, accounts, and your camera.<cr><lf>
11:43:48.435: >> <cr><lf>
11:43:48.435: >> Check the sender of this email; I have sent it from your email account.<cr><lf>
11:43:48.435: >> <cr><lf>
11:43:48.435: >> To ensure you read this email, you will receive it multiple times.<cr><lf>
11:43:48.435: >> <cr><lf>
11:43:48.435: >> You truly enjoy browsing pornographic websites and watching explicit videos while having a lot of kinky fun.<cr><lf>
11:43:48.435: >> <cr><lf>
11:43:48.451: >> I RECORDED YOU (through your camera) SATISFYING YOURSELF!<cr><lf>
11:43:48.451: >> <cr><lf>
11:43:48.451: >> After that, I removed my malware to leave no traces.<cr><lf>
11:43:48.451: >> <cr><lf>
11:43:48.451: >> If you still doubt my serious intentions, it only takes a couple of mouse clicks to share the video of you with your friends, relatives, all email contacts, on social networks, the darknet, and to publish all your files.<cr><lf>
11:43:48.451: >> <cr><lf>
11:43:48.451: >> All you need is $1400 USD in Bitcoin (BTC) transferred to my account.<cr><lf>
11:43:48.451: >> <cr><lf>
11:43:48.451: >> After the transaction is successful, I will proceed to delete everything.<cr><lf>
11:43:48.451: >> <cr><lf>
11:43:48.732: >> I keep my promises.<cr><lf>
11:43:48.732: >> <cr><lf>
11:43:48.732: >> You can easily buy Bitcoin (BTC) here:<cr><lf>
11:43:48.732: >> <cr><lf>
11:43:48.732: >> https://cex.io/buy-bitcoins<lf>
11:43:48.779: >> https://nexo.com/buy-crypto/bitcoin-btc<lf>
11:43:48.779: >> https://bitpay.com/buy-bitcoin/?crypto=BTC<lf>
11:43:48.779: >> https://paybis.com/<lf>
11:43:48.779: >> https://invity.io/buy-crypto<cr><lf>
11:43:48.779: >> <cr><lf>
11:43:48.779: >> Alternatively, simply Google for other exchanges.<cr><lf>
11:43:48.779: >> <cr><lf>
11:43:48.779: >> After that, send the Bitcoin (BTC) directly to my wallet, or install the free software: Atomic Wallet, or Exodus Wallet, then receive and send to mine.<cr><lf>
11:43:48.779: >> <cr><lf>
11:43:48.779: >> My Bitcoin (BTC) address is: 1ACbLBbnmehCJCdUUrdGvHFC4gsDJbiKYc<cr><lf>
11:43:48.779: >> <cr><lf>
11:43:48.779: >> Yes, that's how the address looks, copy and paste my address, it's (cAsE-sEnSEtiVE).<cr><lf>
11:43:48.779: >> <cr><lf>
11:43:48.779: >> You are given no more than 3 days after you have opened this email.<cr><lf>
11:43:48.779: >> <cr><lf>
11:43:48.779: >> Since I have access to this email account, I will know if this email has already been read.<cr><lf>
11:43:48.779: >> <cr><lf>
11:43:48.779: >> Everything will be carried out based on fairness.<cr><lf>
11:43:48.779: >> <cr><lf>
11:43:48.779: >> A piece of advice from me: regularly change all your passwords for your accounts and update your device with the latest security patches.<cr><lf>
11:43:48.779: >> <cr><lf>
11:44:13.780: 8: Socket read timeout
11:44:13.780: >>
11:44:13.780: --- Connection closed at 19 Feb 2026, 11:44:13.780. ---
11:44:13.780:
I assume that, due to the socket read timeout, the mail didn't get processed. That I understand.
I have "Use strict local relaying restrictions" turned on. I have "Authenticated SMTP connections may relay mail" turned on. I have "Only Authenticated SMTP connections may relay mail" turned on.
So after >> MAIL FROM: <myuser@mydomain.com><cr><lf>, why do we have << 250 Sender OK - send RCPTs.<cr><lf>? They haven't authorized yet; this is where I would expect a 550 or some similar reply to stop further activity.
Do I just have a wrong configuration somewhere?
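Some context on what the log shows: SMTP itself never authenticates the envelope sender. A server accepts almost any MAIL FROM, and relay settings such as "only authenticated SMTP connections may relay mail" are evaluated at RCPT TO, where a recipient in a domain the server does not host is a relay request. A recipient in your own domain is local delivery, not relaying, so the 250 after MAIL FROM and after RCPT TO above is the expected behaviour of those settings; the message was only stopped because the client never sent the terminating CRLF.CRLF before the 25 second read timeout. What you are looking at is a spoofed local sender on an unauthenticated connection, which is a different control from relay restrictions. The script below is an added example, not code from the original post or from Mercury Mail: it parses MercuryS-style session-log lines and reports, per connection, whether the client authenticated (235), whether it used a local-domain sender without AUTH, whether it tried to relay to a foreign domain, and whether the message was actually accepted (250 after the "." terminator) or the connection ended inside DATA. The first session in the sample log is abridged from the log posted above; the second (authenticated, foreign recipient, accepted) and third (unauthenticated relay attempt, rejected) sessions, the LOCAL_DOMAINS list and the 235/250/553 reply texts in them are constructed for the example and are not Mercury's verbatim strings.

```python
"""Classify SMTP sessions in a MercuryS-style session log. Added example, not code from the
original post or from Mercury: reports AUTH state, a local-domain MAIL FROM used without AUTH,
relay attempts to foreign domains, and whether DATA was completed and the message accepted."""
import re
from types import SimpleNamespace

LOCAL_DOMAINS = {"mydomain.com"}  # assumption: the domains this server hosts
LINE_RE = re.compile(r"^\d\d:\d\d:\d\d\.\d{3}: (.*)$")
CONN_RE = re.compile(r"Accepted connection from '([^']+)'")
ADDR_RE = re.compile(r"<?([^<>\s]+@[^<>\s]+?)>?$")

def is_local(addr: str) -> bool:
    return addr.rsplit("@", 1)[-1].lower() in LOCAL_DOMAINS

def parse_sessions(log: str) -> list:
    sessions = []
    cur = None
    pending = None  # client verb whose final server reply is still due
    last_arg = ""
    for raw in log.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        body = m.group(1)
        text = re.sub(r"(<cr>)?<lf>$", "", body[3:])  # the log spells CRLF out
        if (c := CONN_RE.search(body)):
            cur = SimpleNamespace(peer=c.group(1), authenticated=False, mail_from=None,
                                  relay_tries=[], in_data=False, accepted=False, findings=[])
            sessions.append(cur)
            pending = None
        elif cur is None:
            continue
        elif body.startswith("--- Connection closed"):  # session over: derive findings
            if cur.mail_from and is_local(cur.mail_from) and not cur.authenticated:
                cur.findings.append(f"local sender {cur.mail_from} used without AUTH from {cur.peer}")
            if cur.relay_tries and not cur.authenticated:
                cur.findings.append("unauthenticated relay attempt to " + ", ".join(cur.relay_tries))
            if cur.in_data:
                cur.findings.append("connection ended inside DATA; message was never accepted")
            cur = None
        elif body.startswith(">> "):
            if cur.in_data:
                if text == ".":
                    pending = "EOD"  # terminator sent; the next reply decides acceptance
            elif pending != "AUTH":  # (a base64 answer to a 334 challenge is not a verb)
                verb, _, last_arg = text.partition(" ")
                pending = verb.upper()
        elif body.startswith("<< ") and pending:
            code = text[:3]
            if len(text) > 3 and text[3] == "-":
                continue  # multi-line reply (EHLO banner): wait for the last line
            addr = a.group(1) if (a := ADDR_RE.search(last_arg.split(":", 1)[-1].strip())) else None
            if pending == "AUTH":
                if code == "334":
                    continue  # challenge: the client still has to answer it
                cur.authenticated = code == "235"
            elif pending == "MAIL" and code.startswith("2"):
                cur.mail_from = addr
            elif pending == "RCPT" and addr and not is_local(addr):
                cur.relay_tries.append(addr)  # a foreign recipient is a relay request
            elif pending == "DATA":
                cur.in_data = code == "354"
            elif pending == "EOD":
                cur.in_data, cur.accepted = False, code.startswith("2")
            pending = None
    return sessions

SAMPLE_LOG = """\
11:43:43.498: Accepted connection from '149.27.54.54', port 25, timeout 25 secs.
11:43:43.826: >> EHLO [149.27.54.54]<cr><lf>
11:43:43.826: << 250-mydomain.com Hello [149.27.54.54]; ESMTPs are:<cr><lf>
11:43:43.826: << 250 HELP<cr><lf>
11:43:44.185: >> MAIL FROM: <myuser@mydomain.com><cr><lf>
11:43:44.185: << 250 Sender OK - send RCPTs.<cr><lf>
11:43:44.513: >> RCPT TO: <myuser@mydomain.com><cr><lf>
11:43:44.513: << 250 Recipient OK - send RCPT or DATA.<cr><lf>
11:43:45.154: >> DATA<cr><lf>
11:43:45.154: << 354 OK, send data, end with CRLF.CRLF<cr><lf>
11:44:13.780: --- Connection closed at 19 Feb 2026, 11:44:13.780. ---
12:00:00.000: Accepted connection from '203.0.113.7', port 25, timeout 25 secs.
12:00:00.200: >> AUTH PLAIN AG15dXNlcgBzZWNyZXQ=<cr><lf>
12:00:00.200: << 235 Authentication successful.<cr><lf>
12:00:00.500: >> MAIL FROM: <myuser@mydomain.com><cr><lf>
12:00:00.500: << 250 Sender OK - send RCPTs.<cr><lf>
12:00:00.600: >> RCPT TO: <friend@example.net><cr><lf>
12:00:00.600: << 250 Recipient OK - send RCPT or DATA.<cr><lf>
12:00:00.700: >> DATA<cr><lf>
12:00:00.700: << 354 OK, send data, end with CRLF.CRLF<cr><lf>
12:00:00.900: >> .<cr><lf>
12:00:00.900: << 250 Data received OK.<cr><lf>
12:00:01.000: --- Connection closed at 19 Feb 2026, 12:00:01.000. ---
12:05:00.000: Accepted connection from '198.51.100.9', port 25, timeout 25 secs.
12:05:00.200: >> MAIL FROM: <spam@example.org><cr><lf>
12:05:00.200: << 250 Sender OK - send RCPTs.<cr><lf>
12:05:00.300: >> RCPT TO: <victim@example.net><cr><lf>
12:05:00.300: << 553 We do not relay non-local mail, sorry.<cr><lf>
12:05:00.400: --- Connection closed at 19 Feb 2026, 12:05:00.400. ---
"""
```

Call parse_sessions(SAMPLE_LOG) (or feed it a whole session log file) and look at each record's findings: the first session is flagged for a local sender without AUTH and for dying inside DATA, the authenticated session is clean even though it sent to a foreign domain, and the third is a plain relay attempt that the server refused. The "local sender without AUTH" finding is the one worth alerting on here; it will also fire for LAN clients that submit without authenticating, so allowlist those addresses before wiring it to an alert. Nothing inside the DATA phase (the EHLO name, the forged Received: headers, the From: line) is trustworthy; the connecting IP in "Accepted connection from" is the only reliable attribute of the sender.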