Is there a way to make sure that you need to make outgoing (SMTP) server require authentication before sending email? So that only users on my server have access to it?

Here's the correct lines to have in your /etc/postfix/ to limit SMTP traffic to authenticated hosts:

smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes

### Checks to remove badly formed email
smtpd_helo_required = yes
strict_rfc821_envelopes = yes
disable_vrfy_command = yes
invalid_hostname_reject_code = 554
multi_recipient_bounce_reject_code = 554
non_fqdn_reject_code = 554
relay_domains_reject_code = 554
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
unknown_sender_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_sender_reject_code = 554

smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, regexp:/etc/postfix/helo.regexp, permit
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_client_access hash:/var/lib/pop-before-smtp/hosts, reject_unauth_destination

The last line (smtpd_recipient_restrictions) is incomplete but I have several custom routines that I add after the reject_unauth_destination field that don't need to be shared. You can Google for a more "standard" complete listing of fields for this function.

After adding these lines and reloading postfix, go to and have it run the mail server tests on your IP/domain. It will confirm whether you are still an open relay (you have missed something) or whether your server is secure (SMTP Auth is working).

Hope this helps.