diff --git a/src/mod/endpoints/mod_sofia/conf/sofia.conf.xml b/src/mod/endpoints/mod_sofia/conf/sofia.conf.xml
index 39c53d56d4..150a3fe1d6 100644
--- a/src/mod/endpoints/mod_sofia/conf/sofia.conf.xml
+++ b/src/mod/endpoints/mod_sofia/conf/sofia.conf.xml
@@ -302,6 +302,7 @@
              register for nat handling -->
         <!-- <param name="NDLB-received-in-nat-reg-contact" value="true"/> -->
         <param name="auth-calls" value="$${internal_auth_calls}"/>
+        <!-- <param name="auth-messages" value="false"/> -->
         <!-- Force the user and auth-user to match. -->
         <param name="inbound-reg-force-matching-username" value="true"/>
         <!-- on authed calls, authenticate *all* the packets not just invite -->
diff --git a/src/mod/endpoints/mod_sofia/mod_sofia.h b/src/mod/endpoints/mod_sofia/mod_sofia.h
index 2690f0ee32..bb09f2d95c 100644
--- a/src/mod/endpoints/mod_sofia/mod_sofia.h
+++ b/src/mod/endpoints/mod_sofia/mod_sofia.h
@@ -198,6 +198,7 @@ typedef enum {
 
 typedef enum {
 	PFLAG_AUTH_CALLS,
+	PFLAG_AUTH_MESSAGES,
 	PFLAG_BLIND_REG,
 	PFLAG_AUTH_ALL,
 	PFLAG_FULL_ID,
diff --git a/src/mod/endpoints/mod_sofia/sofia.c b/src/mod/endpoints/mod_sofia/sofia.c
index cdaafff755..9630522fff 100644
--- a/src/mod/endpoints/mod_sofia/sofia.c
+++ b/src/mod/endpoints/mod_sofia/sofia.c
@@ -4198,6 +4198,10 @@ switch_status_t config_sofia(sofia_config_t reload, char *profile_name)
 						if (switch_true(val)) {
 							sofia_set_pflag(profile, PFLAG_AUTH_CALLS);
 						}
+					} else if (!strcasecmp(var, "auth-messages")) {
+						if (switch_true(val)) {
+							sofia_set_pflag(profile, PFLAG_AUTH_MESSAGES);
+						}
 					} else if (!strcasecmp(var, "extended-info-parsing")) {
 						if (switch_true(val)) {
 							sofia_set_pflag(profile, PFLAG_EXTENDED_INFO_PARSING);
diff --git a/src/mod/endpoints/mod_sofia/sofia_presence.c b/src/mod/endpoints/mod_sofia/sofia_presence.c
index a2b2903933..0d4e3bb0b9 100644
--- a/src/mod/endpoints/mod_sofia/sofia_presence.c
+++ b/src/mod/endpoints/mod_sofia/sofia_presence.c
@@ -4367,6 +4367,7 @@ void sofia_presence_handle_sip_i_message(int status,
 										 sofia_dispatch_event_t *de,
 										 tagi_t tags[])
 {
+
 	if (sip) {
 		sip_from_t const *from = sip->sip_from;
 		const char *from_user = NULL;
@@ -4386,6 +4387,47 @@ void sofia_presence_handle_sip_i_message(int status,
 			channel = switch_core_session_get_channel(session);
 		}
 
+		if (sofia_test_pflag(profile, PFLAG_AUTH_MESSAGES) && sip){
+			sip_authorization_t const *authorization = NULL;
+			auth_res_t auth_res = AUTH_FORBIDDEN;
+			char keybuf[128] = "";
+			char *key;
+			size_t keylen;
+			switch_event_t *v_event = NULL;
+
+			key = keybuf;
+			keylen = sizeof(keybuf);
+
+			if (sip->sip_authorization) {
+				authorization = sip->sip_authorization;
+			} else if (sip->sip_proxy_authorization) {
+				authorization = sip->sip_proxy_authorization;
+			}
+
+			if (authorization) {
+				char network_ip[80];
+				sofia_glue_get_addr(de->data->e_msg, network_ip, sizeof(network_ip), NULL);
+				auth_res = sofia_reg_parse_auth(profile, authorization, sip, de,
+												(char *) sip->sip_request->rq_method_name, key, keylen, network_ip, NULL, 0,
+												REG_INVITE, NULL, NULL, NULL);
+			} else if ( sofia_reg_handle_register(nua, profile, nh, sip, de, REG_INVITE, key, keylen, &v_event, NULL)) {
+				if (v_event) {
+					switch_event_destroy(&v_event);
+				}
+
+				goto end;
+			}
+
+			if ((auth_res != AUTH_OK && auth_res != AUTH_RENEWED)) {
+				nua_respond(nh, SIP_401_UNAUTHORIZED, NUTAG_WITH_THIS_MSG(de->data->e_msg), TAG_END());
+				goto end;
+			}
+
+			if (channel) {
+				switch_channel_set_variable(channel, "sip_authorized", "true");
+			}
+		}
+
 		if ((us = sofia_glue_get_unknown_header(sip, "X-FS-Sending-Message")) && !strcmp(us, switch_core_get_uuid())) {
 			switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_WARNING, "Not sending message to ourselves!\n");
 			nua_respond(nh, SIP_503_SERVICE_UNAVAILABLE, NUTAG_WITH_THIS_MSG(de->data->e_msg), TAG_END());