Connection settings
- Host
- your-pmta-hostname.example.com
- Port
- 587
- Security
- STARTTLS
PowerMTA (PMTA) is a commercial high-volume MTA used for transactional and marketing email. By default it accepts injection only from 127.0.0.1 on port 25 without authentication — remote clients cannot relay. To test SMTP submission from an external tool like SMTP Tester, you need to configure a listener, TLS, authentication, and relay permissions.
Recommended settings
- Host: your server's public hostname (must match the TLS certificate)
- Port: 587 (STARTTLS) — or whatever port you configured with
smtp-listener - Security: STARTTLS
- Auth method: PLAIN or LOGIN (both supported; depends on your
authentication-methodsetting) - Username/password: as defined in your
<smtp-user>block
Configuring a submission listener
Add a listener directive to your PowerMTA configuration file (typically /etc/pmta/config):
smtp-listener 0.0.0.0:587
This tells PMTA to accept connections on port 587 from any IP. For TLS, also configure:
smtp-server-tls-certificate /etc/pmta/certs/mail.example.com.pem
smtp-server-tls-key /etc/pmta/certs/mail.example.com.key
Enable STARTTLS on the listener by ensuring allow-starttls is not set to false (it defaults to enabled when a certificate is present).
After making changes, restart PowerMTA:
pmta reload
Setting up smtp-user authentication
Define one or more SMTP users that remote injectors authenticate as:
<smtp-user injector1>
password s3cureP@ss
authentication-method password
</smtp-user>
Then create a source block that links authenticated sessions to relay permissions:
<source {auth}>
smtp-service yes
always-allow-relaying yes
require-auth true
</source>
The {auth} source matches any connection that has successfully authenticated. always-allow-relaying yes allows those sessions to send to external domains (without it, PMTA only accepts mail for local domains). require-auth true on the source block means unauthenticated connections from external IPs cannot relay.
Testing with SMTP Tester
- Set host to your PMTA server's public hostname.
- Port 587, security STARTTLS.
- Username: the
<smtp-user>name (e.g.injector1). Password: the password from that block. - Auth method: PLAIN or LOGIN (both work).
- From: any address your virtual MTA is configured to accept.
- To: an external recipient (permitted if
always-allow-relaying yesis set on the auth source). - Click Run. The transcript shows EHLO → STARTTLS → AUTH → 235.
A 250 Ok after DATA with a PMTA message ID (like 2.0.0 Ok: queued as 11A2B-00001-00) confirms the message entered the queue. Check pmta show queue or PMTA log files for downstream delivery status.
Common errors
535 "Authentication failed"
- The username or password does not match the
<smtp-user>block in your config. - You updated the config but did not run
pmta reload. - Your client is using an auth method the server does not advertise. Check
authentication-methodin the user block.
550 "Relaying denied for recipient"
Authentication succeeded (235), but relay was rejected. Causes:
- The source block for authenticated sessions is missing
always-allow-relaying yes. - The connection matched a different
<source>block that does not allow relay. - The recipient domain is not in your routing tables and PMTA has no default route.
Fix: ensure the <source {auth}> block explicitly permits relaying for authenticated sessions.
Connection refused or timeout
- The listener is not configured on the target port. Verify with
pmta show listeners. - A firewall blocks the port. Open 587 (or your custom port) inbound.
- PMTA is not running. Check
systemctl status pmtaorpmta status.
STARTTLS fails or no TLS offered
- The TLS certificate and key paths are wrong or the files are unreadable by the PMTA user.
- The certificate has expired. SMTP Tester's TLS panel shows the cert expiry date.
allow-starttls falseis set in the config. Remove it or set totrue.
Local injection on port 25 (no auth)
For trusted application servers on the same machine or network, PMTA accepts injection on port 25 from 127.0.0.1 by default without authentication. To test:
- Set host to
127.0.0.1(or the internal IP if testing from a local network). - Port 25, security none (or STARTTLS if you configured TLS on port 25 too).
- Leave credentials empty.
- Relay is allowed by the default
<source 0/0>or your custom trusted-network source.
This is useful for confirming basic injection works before adding remote auth.
Virtual MTAs and source routing
PowerMTA routes messages through virtual MTAs (VMTAs) based on rules in <domain> and <pattern> blocks. After a message enters the queue, the sending IP, DKIM signing, and delivery throttling are determined by the VMTA assignment — not by the injection port or auth user.
If messages are accepted (250) but never delivered, check:
pmta show queue— is mail stuck in a queue?- VMTA binding — does the VMTA have a valid source IP and route?
- DNS — can PMTA resolve the recipient domain's MX records?
- Bounce logs —
pmta show countersfor delivery failures.
TLS certificate notes
SMTP Tester shows the TLS protocol, cipher suite, certificate subject, issuer, and days until expiry in its TLS diagnostics panel. Use this to confirm:
- The certificate subject (CN or SAN) matches the hostname you connected to.
- The cert is issued by a trusted CA (not self-signed — unless you disable certificate validation in Advanced settings for testing only).
- The cert is not expired.
For Let's Encrypt certificates, set up auto-renewal and pmta reload in a cron/systemd timer post-renewal.
Security notes
- Never expose an unauthenticated listener to the public internet. Without
require-auth true, anyone can inject spam through your server. - Use strong passwords for
<smtp-user>blocks. Rotate them if compromised. - Restrict relay by IP in addition to auth where possible (
<source {auth} 10.0.0.0/8>). - SMTP Tester redacts credentials from the transcript — safe to share in support tickets or team chats.
- Monitor PowerMTA's accounting files and bounce logs for signs of unauthorized injection.