We have a standalone Exchange 2003 server, with the default SMTP Virtual Server authentication config. However, we've recently noticed that using a mail client, if we do not check the Server requires SMTP authentication" option on the client, we can "spoof" senders on our internal email. I mean I can send an email to anyone else in the company and it shows as coming from whomever or whatever mail address I place in the address field. How can I force the server to require authentication from all users even if sending email internally? It works fine externally - won't allow email without authentication, but does not require it internally, which has led to some issues, Thanks for your help.