Provider setup

PowerMTA SMTP test — listeners, smtp-user, and submission on 587

Test PowerMTA (PMTA) SMTP injection. Configure smtp-listener, smtp-user, authenticated sources, STARTTLS on 587, and verify relay with SMTP Tester.

5 min read Credentials redacted No signup

Connection settings

Host
your-pmta-hostname.example.com
Port
587
Security
STARTTLS

PowerMTA (PMTA) is a commercial high-volume MTA used for transactional and marketing email. By default it accepts injection only from 127.0.0.1 on port 25 without authentication — remote clients cannot relay. To test SMTP submission from an external tool like SMTP Tester, you need to configure a listener, TLS, authentication, and relay permissions.

Recommended settings

Configuring a submission listener

Add a listener directive to your PowerMTA configuration file (typically /etc/pmta/config):

smtp-listener 0.0.0.0:587
        

This tells PMTA to accept connections on port 587 from any IP. For TLS, also configure:

smtp-server-tls-certificate /etc/pmta/certs/mail.example.com.pem
        smtp-server-tls-key /etc/pmta/certs/mail.example.com.key
        

Enable STARTTLS on the listener by ensuring allow-starttls is not set to false (it defaults to enabled when a certificate is present).

After making changes, restart PowerMTA:

pmta reload
        

Setting up smtp-user authentication

Define one or more SMTP users that remote injectors authenticate as:

<smtp-user injector1>
          password s3cureP@ss
          authentication-method password
        </smtp-user>
        

Then create a source block that links authenticated sessions to relay permissions:

<source {auth}>
          smtp-service yes
          always-allow-relaying yes
          require-auth true
        </source>
        

The {auth} source matches any connection that has successfully authenticated. always-allow-relaying yes allows those sessions to send to external domains (without it, PMTA only accepts mail for local domains). require-auth true on the source block means unauthenticated connections from external IPs cannot relay.

Testing with SMTP Tester

  1. Set host to your PMTA server's public hostname.
  2. Port 587, security STARTTLS.
  3. Username: the <smtp-user> name (e.g. injector1). Password: the password from that block.
  4. Auth method: PLAIN or LOGIN (both work).
  5. From: any address your virtual MTA is configured to accept.
  6. To: an external recipient (permitted if always-allow-relaying yes is set on the auth source).
  7. Click Run. The transcript shows EHLO → STARTTLS → AUTH → 235.

A 250 Ok after DATA with a PMTA message ID (like 2.0.0 Ok: queued as 11A2B-00001-00) confirms the message entered the queue. Check pmta show queue or PMTA log files for downstream delivery status.

Common errors

535 "Authentication failed"

550 "Relaying denied for recipient"

Authentication succeeded (235), but relay was rejected. Causes:

Fix: ensure the <source {auth}> block explicitly permits relaying for authenticated sessions.

Connection refused or timeout

STARTTLS fails or no TLS offered

Local injection on port 25 (no auth)

For trusted application servers on the same machine or network, PMTA accepts injection on port 25 from 127.0.0.1 by default without authentication. To test:

This is useful for confirming basic injection works before adding remote auth.

Virtual MTAs and source routing

PowerMTA routes messages through virtual MTAs (VMTAs) based on rules in <domain> and <pattern> blocks. After a message enters the queue, the sending IP, DKIM signing, and delivery throttling are determined by the VMTA assignment — not by the injection port or auth user.

If messages are accepted (250) but never delivered, check:

TLS certificate notes

SMTP Tester shows the TLS protocol, cipher suite, certificate subject, issuer, and days until expiry in its TLS diagnostics panel. Use this to confirm:

For Let's Encrypt certificates, set up auto-renewal and pmta reload in a cron/systemd timer post-renewal.

Security notes

Try it on your own server

Run these settings against your SMTP server and watch the live, credential-redacted protocol transcript.

Open SMTP Tester