If some of your users travel a lot, they may use various ISPs to connect to the Internet, and as a result they will connect to your Server from various IP addresses. If those users use your Server as the SMTP mail relay to which they submit all outgoing messages, Relay Restrictions will not allow them to send messages when their IP addresses are not in the Client IP Addresses list.
You should not select the "prohibit" for the Logins from Non-Client IP Addresses setting, if you want to support mobile users. Select the Allow option instead.
Most E-mail clients support "SMTP AUTH" - the standard SMTP Authentication method that allows a mailer to authenticate the user (the sender). If the SMTP module receives a message from an authenticated user, the message is marked as being "submitted from a local Account", and this message can be relayed to the Internet.
To allow mobile users with older mailer applications (those not supporting SMTP AUTH) to send messages via the CommuniGate Pro server, the POP, IMAP, and other "access-type" modules check if an authenticated user has connected from an IP address not listed as one of the Client Addresses. During that POP/IMAP session, and for some time after the session is closed, that IP address is considered to be a "Client Address", so that users can send mail via your Server right AFTER they have checked their mail.
The expiration time is used because of the "dynamic IP address" policies of most ISPs: when a user disconnects from an ISP modem pool, and some other user connects to the Internet via the same ISP, the same IP address can be assigned to that other user.
Inform your users about the expiration time. They should compose all their messages off-line, then they should connect to the Internet using any ISP, check their mail on your Server, and only then they can send the queued outgoing messages. If they want to reply to some messages they have just retrieved from the Mailbox on your Server, they should use the Get Mail command in their mailer application again, and only then can they send their replies.
Since many mailer applications try to send queued messages first, the SMTP module checks the Return-Path (the address in the Mail From SMTP protocol command). If that address is an address of a registered user, a to-be-relayed message is not rejected with the "permanent failure" error code. Instead, a "temporary failure" code is returned (with the "try to authenticate first" comment). Many mailers do not interrupt the mail session when they receive such a code, and continue by authenticating the user, retrieving the user mail, and retrying to send the queued messages. The queued messages will be accepted this time, because the user is authenticated from the same address.
An SMTP (message submit) session should start either during a POP or IMAP session, or within the expiration time after the end of the POP/IMAP session. Then that SMTP session can last as long as needed (several hours), if the queued messages are large and the link is slow.
Support for mobile users can be disabled on per-account and