CSF Firewall RELAY / LOCALHOSTRELAY / AUTHRELAY / LOCALRELAY
RELAY Alert / LOCALHOSTRELAY Alert / AUTHRELAY Alert / LOCALRELAY Alert

Relay Alert
A "Relay Alert", as opposed to the Authrelay, Poprelay, Localrelay, or Localhostrelay alerts, is triggered by "external mail", that is, messages that are coming from another mailserver. Usually these are incoming messages. Although they are not usually indicative of spam being generated within the server, if enough messages are coming from the same IP address quickly enough to trigger this alert type, it is probably worth looking into why they are sending so much mail, and determine if there is anything that needs to be adjusted.

Authrelay Alert
An "Authrelay Alert" is triggered by "email authenticated by SMTP AUTH". This is one method logging into the mailserver to send messages. Most modern mail clients log in by this method. If these messages should not be sent or should not be sent this quickly, then that email address is likely to need a new password, since whoever is sending the messages demonstrably has the current password.

Poprelay Alert
A "Poprelay Alert" is triggered by "email authenticated by POP before SMTP". Some older mail clients authenticate using this method, but it is recommended to use SMTP AUTH instead, in part because it makes the logs clearer which makes it easier to find causes of spam issues or similar if they occur.

Localrelay Alert
A "Localrelay Alert" is triggered by "email sent via /usr/sbin/sendmail or /usr/sbin/exim". This is usually done by scripts. If a script is sending too much mail, it will need to be reconfigured accordingly. If a script is sending mail that it shouldn't, it will need to be disabled or fixed so that it only sends the messages that it should.

Localhostrelay Alert
A "Localhostrelay Alert" is triggered by "email sent via a local IP address". This means that the message is coming from within the server. If messages are being sent from within the server without authenticating, then changing email passwords will not prevent them from being sent. If the messages are not authorized, the source of the message will need to be found and stopped.

:
https://forums.cpanel.net/threads/di...alerts.612903/