Extended SMTP
Extended SMTP (ESMTP), sometimes referred to as Enhanced SMTP, is a definition of protocol extensions to the Simple Mail Transfer Protocol (SMTP) standard. The extension format was defined in IETF publication RFC 1869 (1995), which established a general structure for all existing and future extensions.
ESMTP defines consistent and manageable means by which ESMTP clients and servers can identify each other and by which servers can indicate the extensions they support.
Extensions
ESMTP is the protocol used to transport Internet mail. It is used both as an inter-server transport protocol and (with restricted behaviour enforced) as a mail submission protocol.
The main identification feature is that ESMTP clients open a transmission with the command EHLO (Extended HELLO) rather than HELO (Hello, the original RFC 821 command). A server responds with success (code 250), failure (code 550) or error (code 500, 501, 502, 504 or 421), depending on its configuration. An ESMTP server returns 250 OK in a multi-line reply giving its domain and a list of keywords that indicate the extensions it supports. An RFC 821-only server returns error code 500, which lets the ESMTP client fall back to HELO or send QUIT.
Each service extension is defined in an approved format in subsequent RFCs and registered with the Internet Assigned Numbers Authority (IANA). The first definitions were the RFC 821 optional services: SEND, SOML (Send or Mail), SAML (Send and Mail), EXPN, HELP, and TURN. The same format was also established for additional SMTP verbs and for new parameters to the MAIL and RCPT commands.
Some relatively common keywords (not all of them corresponding to commands) used today are:
- 8BITMIME — 8 bit data transmission, RFC 6152
- ATRN — Authenticated TURN for On-Demand Mail Relay, RFC 2645
- AUTH — Authenticated SMTP (SMTP-AUTH), RFC 4954
- CHUNKING — Chunking, RFC 3030
- DSN — Delivery status notification, RFC 3461 (see Variable envelope return path)
- ETRN — Extended version of the remote message queue starting command TURN, RFC 1985
- HELP — Supply helpful information, RFC 821
- PIPELINING — Command pipelining, RFC 2920
- SIZE — Message size declaration, RFC 1870
- STARTTLS — Transport Layer Security, RFC 3207 (2002)
- UTF8SMTP — Allow UTF-8 encoding in mailbox names and header fields, RFC 5336
The ESMTP format was restated in RFC 2821 (superseding RFC 821) and updated to the latest definition in RFC 5321 in 2008. Support for the EHLO command in servers became mandatory, and HELO designated a required fallback.
Non-standard, unregistered service extensions can be used by bilateral agreement; these services are indicated by an EHLO keyword starting with "X", and any additional parameters or verbs are marked the same way.
SMTP commands are case-insensitive. They are presented here in capitalized form for emphasis only. An SMTP server that requires a specific capitalization violates the standard.
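The handshake described above (EHLO, a multi-line 250 reply listing keywords, fallback to HELO when the server answers 500), the keyword list, the "X"-prefixed private extensions and the case-insensitivity rule can all be exercised with a small client-side parser. The following Python is an added example written for this page, not code from any MTA; the two server transcripts, the host names and the `send` callable are constructed stand-ins for a real socket.

```python
"""Parse ESMTP EHLO replies and apply the EHLO -> HELO fallback.

Added example for this page; not taken from any MTA's source. The server
transcripts at the bottom are constructed, not captured from a real host.
"""
import re

# RFC 1869: a 500 or 502 answer to EHLO means the peer is a plain
# RFC 821 server and the client should retry with HELO.
FALLBACK_CODES = {"500", "502"}

# "<3-digit code><'-' for continuation | ' ' for last line><text>"
REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")


def parse_reply(lines):
    """Return (code, [text of each line]) for one possibly multi-line reply."""
    code = None
    texts = []
    for i, line in enumerate(lines):
        m = REPLY_LINE.match(line.rstrip("\r\n"))
        if not m:
            raise ValueError(f"malformed reply line: {line!r}")
        if code is None:
            code = m.group(1)
        elif m.group(1) != code:
            raise ValueError("reply code changed inside a multi-line reply")
        texts.append(m.group(3))
        if m.group(2) == " ":  # final line of the reply
            if i != len(lines) - 1:
                raise ValueError("text after the final reply line")
            return code, texts
    raise ValueError("reply not terminated")


def parse_ehlo(lines):
    """Turn a 250 EHLO reply into (server_domain, {KEYWORD: [params]}).

    Keywords are case-insensitive, so they are normalised to upper case.
    The first line is "<domain> [greeting]"; every further line is one
    extension keyword followed by optional parameters (e.g. SIZE 10240000).
    """
    code, texts = parse_reply(lines)
    if code != "250":
        raise ValueError(f"EHLO failed with {code}")
    domain = texts[0].split(None, 1)[0]
    extensions = {}
    for text in texts[1:]:
        parts = text.split()
        if parts:
            extensions[parts[0].upper()] = parts[1:]
    return domain, extensions


def private_extensions(extensions):
    """Keywords offered by bilateral agreement only (names starting with X)."""
    return sorted(k for k in extensions if k.startswith("X"))


def negotiate(send, fqdn="client.example.net"):
    """Open a session: try EHLO first, fall back to HELO on 500/502.

    `send` takes a command string and returns the server's reply lines.
    Returns ("esmtp", extensions) or ("smtp", {}).
    """
    reply = send(f"EHLO {fqdn}")
    code, _ = parse_reply(reply)
    if code == "250":
        return "esmtp", parse_ehlo(reply)[1]
    if code in FALLBACK_CODES:
        code, _ = parse_reply(send(f"HELO {fqdn}"))
        if code == "250":
            return "smtp", {}
    raise RuntimeError(f"greeting rejected with {code}")


# Constructed transcripts keyed by the command the client sends.
ESMTP_SERVER = {
    "EHLO client.example.net": [
        "250-mail.example.com Hello client.example.net",
        "250-SIZE 10240000",
        "250-PIPELINING",
        "250-STARTTLS",
        "250-AUTH PLAIN LOGIN",
        "250-8BITMIME",
        "250-XVERP",
        "250 DSN",
    ],
}
OLD_SERVER = {
    "EHLO client.example.net": ["500 Command unrecognized"],
    "HELO client.example.net": ["250 relay.example.org Hello"],
}


def run_against(table):
    """Negotiate against a scripted server (dict of command -> reply lines)."""
    return negotiate(lambda cmd: table[cmd])


if __name__ == "__main__":
    mode, ext = run_against(ESMTP_SERVER)
    print(mode, sorted(ext), "private:", private_extensions(ext))
    print(run_against(OLD_SERVER))
```

A client that keys decisions on the parsed dictionary (only send BODY=8BITMIME, AUTH or STARTTLS when the keyword is present) will behave correctly against both kinds of server; note that the absence of STARTTLS in a cleartext EHLO reply can also be the result of an on-path downgrade, so a submission client should treat it as a hard failure rather than silently continuing in the clear.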
List of supporting servers (UTF8SMTP)
- Postfix (a source code patch may be necessary for RFC 5336 UTF-8 header support)
- Sendmail (a source code patch is necessary for UTF8SMTP support)
- Exim
8BITMIME
The 8BITMIME extension was standardized in 1994. It facilitates the transparent exchange of e-mail messages containing octets outside the seven-bit ASCII character set. Prior to the availability of 8BITMIME implementations, mail user agents employed several techniques to cope with the seven-bit limitation, such as binary-to-text encodings (including those provided by MIME) and UTF-7. However, each of these workarounds inflates the amount of data required to transmit non-ASCII text. Some non-ESMTP servers let 8-bit data pass, but it is risky to blindly send such data to a server whose 8-bit capabilities are unknown, since a relay that is not eight-bit clean may strip the high bit and corrupt the message.
In March 2011, 8BITMIME was published as RFC 6152, corresponding to the then new STD 71.
List of supporting servers
At least the following servers advertise the 8BITMIME extension:
- Apache James (since 2.3.0a1)
- Citadel (since 7.30)
- Courier Mail Server
- ESMTP
- Exim (disabled by default; has to be enabled with the accept_8bitmime configuration directive)
- IIS SMTP Service
- Lotus Domino
- Maillennium
- Microsoft Exchange Server (as of Exchange Server 2000)
- Novell GroupWise
- Postfix
- Sendmail (since 6.57)
- Gmail
- SubEtha
- MagicMail
The following servers can be configured to advertise 8BITMIME and have been described as not fully implementing the standard. That description is not correct: RFC 6152 section 3 makes bouncing an 8-bit message that cannot be transferred to a non-8BITMIME peer a valid option, so these servers must be considered fully 8BITMIME-compliant:
- Exim (eight-bit clean, but does not translate eight-bit messages to seven-bit when relaying to non-8BITMIME peers)
- Microsoft Exchange Server 2003 (advertises 8BITMIME by default, but relaying to a non-8BITMIME peer results in a bounce)
- qmail (does not translate eight-bit messages to seven-bit when relaying to non-8BITMIME peers)
The following servers do not implement the extension:
- Microsoft Exchange Internet Mail Service (through version 5.5)
- Netscape Messaging Server 4.15
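The relay behaviour discussed above comes down to one decision per next hop: a message with octets above 0x7F may be sent as-is only to a peer that advertised 8BITMIME (with BODY=8BITMIME on MAIL FROM); otherwise the relay must either convert it to a seven-bit form or bounce it. The following Python is an added example for this page, not code from any of the servers listed; the headers, body and peer capability sets are constructed, and the seven-bit conversion uses quoted-printable via the standard library.

```python
"""8BITMIME relay decision: pass through, downgrade to 7-bit, or bounce.

Added example for this page; not code from any MTA. The sample message and
the peer capability sets are constructed for illustration.
"""
import quopri


def is_8bit(body: bytes) -> bool:
    """True if any octet lies outside seven-bit ASCII."""
    return any(b > 0x7F for b in body)


def mail_from_command(sender: str, body: bytes, peer_extensions) -> str:
    """Build the MAIL FROM line for the next hop.

    BODY=8BITMIME is only legal towards a peer that advertised 8BITMIME
    in its EHLO reply; sending the parameter to any other server is a
    protocol error, so it is omitted unless both conditions hold.
    """
    if is_8bit(body) and "8BITMIME" in peer_extensions:
        return f"MAIL FROM:<{sender}> BODY=8BITMIME"
    return f"MAIL FROM:<{sender}>"


def downgrade_to_7bit(headers, body: bytes):
    """Re-encode a single-part 8-bit body as quoted-printable.

    This is the "convert" branch that RFC 6152 section 3 allows a relay
    to take instead of bouncing. The Content-Transfer-Encoding header is
    replaced so the recipient can decode the body again.
    """
    kept = [h for h in headers
            if not h.lower().startswith("content-transfer-encoding:")]
    kept.append("Content-Transfer-Encoding: quoted-printable")
    return kept, quopri.encodestring(body)


def prepare_for_peer(headers, body: bytes, peer_extensions, policy="convert"):
    """Decide how a message leaves this relay for a given peer.

    Returns (action, headers, body) where action is
    "pass" (send unchanged), "convert" (seven-bit form) or "bounce"
    (generate a non-delivery notification, which is also RFC-compliant).
    """
    if not is_8bit(body) or "8BITMIME" in peer_extensions:
        return "pass", headers, body
    if policy == "convert":
        new_headers, new_body = downgrade_to_7bit(headers, body)
        return "convert", new_headers, new_body
    if policy == "bounce":
        return "bounce", headers, body
    raise ValueError(f"unknown policy {policy!r}")


# Constructed sample message (not a real capture).
SAMPLE_HEADERS = [
    "From: pele@example.com",
    "To: someone@example.org",
    "Subject: test",
    "MIME-Version: 1.0",
    "Content-Type: text/plain; charset=utf-8",
    "Content-Transfer-Encoding: 8bit",
]
SAMPLE_BODY = "Olá, Pelé!\n".encode("utf-8")


if __name__ == "__main__":
    for peer in ({"8BITMIME", "SIZE"}, {"SIZE"}):
        action, hdrs, body = prepare_for_peer(SAMPLE_HEADERS, SAMPLE_BODY, peer)
        print(mail_from_command("pele@example.com", SAMPLE_BODY, peer))
        print(action, hdrs[-1], body)
```

Both the "convert" and the "bounce" outcome are compliant; what is not compliant is a relay that advertises 8BITMIME, accepts the message, and then forwards raw 8-bit octets to a peer that never offered the extension. The conversion shown here is deliberately limited to a single-part body: a multipart message needs each part re-encoded separately, which is why many MTAs choose the bounce branch instead.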
ETRN
Remote Message Queue Starting is a feature of SMTP that permits a remote host to start processing of the mail queue on a server, so that it may receive messages destined for it, by sending the TURN command. This feature was deemed insecure, because the server handed the queued mail to whichever client asked for it over the same connection, with no way to verify the client's claimed identity. It was therefore extended in ESMTP with the ETRN command, which operates more securely: the server does not deliver to the requesting client but instead starts normal delivery for the named domain, connecting to the hosts found for that domain in the Domain Name System.
SMTP-AUTH
The SMTP-AUTH extension provides an access control mechanism. It consists of an authentication step through which the client effectively logs in to the mail server (mail transfer agent) during the process of sending mail. Servers that support SMTP-AUTH can usually be configured to require clients to use this extension, so that the account submitting each message is known. The SMTP-AUTH extension is defined in RFC 4954.
SMTP-AUTH can be used to allow legitimate users to relay mail while denying relay service to unauthorized users, such as spammers. It does not by itself guarantee the authenticity of either the SMTP envelope sender or the RFC 2822 "From:" header. For example, e-mail spoofing, in which one sender masquerades as someone else, is still possible with SMTP-AUTH unless the server is configured to limit the from-addresses a message may carry to those the authenticated user is authorized to use.
The SMTP-AUTH extension also allows one mail server to indicate to another that the sender has been authenticated when relaying mail. In general this requires the recipient server to trust the sending server, meaning that this aspect of SMTP-AUTH is rarely used on the Internet. The recipient of an e-mail message cannot tell whether the sender was authenticated, so use of SMTP-AUTH is only a very partial solution to the problem of spam.
While SMTP-AUTH is a security improvement over unauthenticated SMTP, it will not eliminate all abuse. Common passwords can be guessed in a brute force attack. Even a secure password can be stolen if a user's machine is infected, for example through insecure web browsing. A good password policy and per-account rate limits on outgoing mail are two very effective countermeasures; domains that implement them for their outgoing mail servers are much less tempting targets.
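The two server-side controls this section recommends, restricting the envelope sender to addresses the authenticated account owns and rate-limiting each account, are small enough to show in full. The following Python is an added example for this page, not any MTA's implementation (Postfix implements the first check as the `reject_sender_login_mismatch` restriction driven by `smtpd_sender_login_maps`; the rate limiter normally lives in a separate policy service). The logins, address map, credentials and timestamps are constructed. It also encodes and decodes a SASL PLAIN initial response, which is what travels on the wire for `AUTH PLAIN`.

```python
"""Submission policy after SMTP-AUTH: sender ownership and rate limiting.

Added example for this page; not any MTA's code. Logins, addresses,
credentials and timestamps below are constructed.
"""
import base64
from collections import defaultdict, deque

# Which envelope sender addresses each authenticated login may use.
# A real server reads this from a directory or database (constructed here).
SENDER_LOGIN_MAP = {
    "alice": {"alice@example.com", "sales@example.com"},
    "bob": {"bob@example.com"},
}


def encode_auth_plain(authcid: str, passwd: str, authzid: str = "") -> str:
    """Client side of AUTH PLAIN (RFC 4616): base64(authzid NUL authcid NUL passwd)."""
    raw = f"{authzid}\0{authcid}\0{passwd}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_auth_plain(initial_response: str):
    """Server side: split the base64 blob back into (authzid, authcid, passwd).

    Base64 is an encoding, not encryption: without STARTTLS the password
    is readable by anyone on the path, which is why RFC 4954 forbids
    offering PLAIN on an unprotected connection.
    """
    raw = base64.b64decode(initial_response).decode("utf-8")
    authzid, authcid, passwd = raw.split("\0")
    return authzid, authcid, passwd


def sender_allowed(login: str, mail_from: str) -> bool:
    """MAIL FROM must be one of the addresses mapped to the login."""
    allowed = {a.lower() for a in SENDER_LOGIN_MAP.get(login, ())}
    return mail_from.lower() in allowed


class RateLimiter:
    """Sliding-window limit on messages per account."""

    def __init__(self, limit: int, window_seconds: float):
        self.limit = limit
        self.window = window_seconds
        self.events = defaultdict(deque)  # login -> timestamps in window

    def allow(self, login: str, now: float) -> bool:
        q = self.events[login]
        while q and now - q[0] >= self.window:  # drop expired entries
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def check_submission(login: str, mail_from: str, limiter: RateLimiter, now: float) -> str:
    """Return the SMTP reply the submission server gives to MAIL FROM.

    Ownership is checked first so a spoofed sender never consumes quota;
    a rate-limit hit is a temporary (4xx) failure so a legitimate client
    retries later instead of bouncing the message.
    """
    if not sender_allowed(login, mail_from):
        return "553 5.7.1 Sender address rejected: not owned by user"
    if not limiter.allow(login, now):
        return "450 4.7.1 Too many messages from this account, try again later"
    return "250 2.1.0 Ok"


if __name__ == "__main__":
    blob = encode_auth_plain("alice", "s3cret")
    print("AUTH PLAIN", blob, "->", decode_auth_plain(blob))
    limiter = RateLimiter(limit=2, window_seconds=60)
    for t, sender in [(0, "alice@example.com"), (1, "sales@example.com"),
                      (2, "alice@example.com"), (3, "bob@example.com")]:
        print(t, sender, check_submission("alice", sender, limiter, t))
```

This only constrains the envelope sender; the RFC 2822 "From:" header is message content and needs a separate check at DATA time if the server is to stop header spoofing as well. The AUTH PLAIN helpers are there to make the cleartext nature of the mechanism concrete: the server should advertise AUTH only after STARTTLS has completed.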
UTF8SMTP
The UTF8SMTP extension allows UTF-8 encoding in mailbox names and header fields. This provides the capability for sending email to internationalized addresses such as Pelé@example.com, δοκιμή@παράδειγμα.δοκιμή, and 测试@测试.测试. This extension is defined in RFC 5336, an experimental specification; its standards-track successor, RFC 6531 (2012), renamed the EHLO keyword to SMTPUTF8.
See also
- Email
- CRAM-MD5 (a SASL mechanism for ESMTPA), RFC 2195
- Simple Authentication and Security Layer (SASL), RFC 4422
- List of mail servers
- RFC 3516, Internet Message Access Protocol Binary Content Extension
External links
- IANA registry of mail parameters includes service extension keywords
- RFC 1869, SMTP Service Extensions
- RFC 5321, Simple Mail Transfer Protocol
- RFC 4954, SMTP Service Extension for Authentication (obsoletes RFC 2554)
- RFC 3848, SMTP and LMTP Transmission Types Registration (with ESMTPA)
- RFC 6409, Message Submission for Mail (obsoletes RFC 4409, which obsoletes RFC 2476)