Your site might have “local” client users who are not part of your physical network. When these users submit mail, the message submissions come in from an external IP address—for instance, arbitrary Internet Service Providers. If your users use mail clients that can perform SASL authentication, then their authenticated connections can be distinguished from arbitrary other external connections. The authenticated submissions you can then permit, while denying non-authenticated relay submission attempts. Differentiating between authenticated and non-authenticated connections is achieved using the saslswitchchannel keyword on your inbound SMTP channel, usually the tcp_local channel.
The saslswitchchannel keyword takes an argument specifying the channel to switch to; if an SMTP sender succeeds in authenticating, then their submitted messages are considered to come in the specified switched to channel.
In your configuration file, add a new TCP/IP channel definition with a distinct name; for example:
tcp_auth smtp single_sys mx mustsaslserver noswitchchannel TCP-INTERNAL
This channel should not allow regular channel switching (that is, it should have noswitchchannel on it either explicitly or implied by a prior defaults line). This channel should have mustsaslserver on it.
Modify your tcp_local channel by adding maysaslserver and saslswitchchannel tcp_auth, as shown in the following example:
tcp_local smtp mx single_sys maysaslserver saslswitchchannel \ tcp_auth switchchannel |TCP-DAEMON
With this configuration, SMTP mail sent by users who can authenticate with a local password will now come in the tcp_auth channel. Unauthenticated SMTP mail sent from internal hosts will still come in tcp_internal. All other SMTP mail will come in tcp_local.