maur Wrote:Why it's queued? Shoudn't ask for password?
No. Deliveries directed to local (virtual) domains don't need any password to succeed, or you wouldn't be able to receive mails. Think about it: when someone sends a mail to your domain, their server contacts yours and tries to deliver it. If this delivery was password-protected, then the mail servers of other people wouldn't be able to deliver mails to your domain because they don't have any kind of password to use.
Another issue are deliveries to external domains. These should only be accepted when comming from identified users, because otherwise anyone could use your server to send mails anywhere. Hence, if you repeat the procedure but with an external e-mail, your attempt will be correctly refused because you are not an authenticated user.
maur Wrote:2 question:
legend/actors:
myhost - my vps host with ispcp
admin.myhost.ltd - FQDN of myhost Wink
some-domain-on-host.ltd - domain which are sending spam.
...
I can't find any actual question in here. Nevertheless, the "domain sending spam" is generating the e-mails from inside the server through the "sendmail" command (probably from apache). Hence, there's no authentication going on over them. If you want to enforce people to authenticate, you must disable the sendmail utility and force users to deliver mail through smtp (even from the websites).