I want to let POP3 users who authenticate by sending credentials to the mail server send email messages from outside the office, but I want to prevent all other relaying. On my organization's SMTP virtual server, in the Properties dialog box, I select the Only the list below and the Allow all computers which successfully authenticate to relay, regardless of the list above check boxes. However, these selections don't accomplish what I want. When I send an email message from an Outlook Express machine outside the office, I get a 550 5.7.1 unable to relay for <addressee> error. However, if I select the All except the list below check box, everything works smoothly. Why doesn't my initial set of selections work?
Good news: You're close to a working solution. The wording in the Authentication dialog box of the virtual server properties (which you reach by opening the SMTP virtual server's Properties dialog box, selecting the Access tab, and clicking Authentication) is a little confusing. When you select the Only the list below check box, the virtual server accepts relaying only from the specific IP addresses or domains you add to the list. By default, that list is blank. In your case, if you don't add your clients' IP addresses, the server will quite properly reject their mail—you've told the server to reject any relay attempt from computers that aren't on the (empty) list. That's why the process works properly when you select the All except the list below check box.
What about the Allow all computers which successfully authenticate to relay, regardless of the list above check box? Note that the server doesn't know that a machine has successfully authenticated until after that computer has tried to make a POP3 or IMAP4 connection to pick up mail. The behavior you see probably occurs because your users are queuing up email messages to send, then sending the email messages without checking for new email messages first. Overall, however, All except the list below is probably the better choice because you probably won't know your roaming users' IP addresses.