SMTP Authentication
SMTP Authentication, often abbreviated SMTP AUTH, is an extension of the Simple Mail Transfer Protocol (SMTP) whereby an SMTP client may log in, using an authentication mechanism chosen among those supported by the SMTP server. The authentication extension is mandatory for mail submission servers.

History

Differently from mail access protocols, the original SMTP specified by Jon Postel in the 70s did not provide for using passwords for sending email messages. Therefore, it was common to have open mail relays, until they became a plague in the late 90s. Before SMTP AUTH, a relay client had to be identified by IP address, which is only practical when email services are provided by the same ISP that provides the connection, or else by using specific hacks such as POP before SMTP.

John Gardiner Myers published the first draft of SMTP AUTH in 1995, and it has been successively developed and discussed in the IETF along with the Mail Submission protocol, Extended SMTP (ESMTP), and SASL (Simple Authentication and Security Layer). An older ESMTPA SASL mechanism is CRAM-MD5; uses of MD5 in HMAC are still considered sound.

The Internet Mail Consortium (IMC) reported 55% open relays in 1998 and less than 1% in 2002.

Role in the mail transport system

Using a submission agent (MSA), generally on port 587, implies SMTP AUTH. MSA is supported by most software and is recommended, especially to support nomadic users, as several network hubs either block port 25 or use SMTP proxies. The MSA is responsible for ensuring that the message envelope contains good addresses, and may enforce local policies for the From header field. Verifying that the envelope sender (a.k.a. Return-Path) used for SPF and the From address agree with the authenticated user-id is particularly important for domains that sign messages using DKIM.
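One way an MSA can enforce the agreement described above, as an added example (not code from the article or from any mail server); the mapping from authenticated user-id to permitted addresses is a constructed assumption:

```python
# Added example: MSA-side policy check that the envelope sender (MAIL FROM /
# Return-Path) and the From: header both agree with the SMTP AUTH identity.
# ALLOWED_SENDERS is a constructed sample, not a real deployment's table.
from email.utils import parseaddr

ALLOWED_SENDERS = {
    "alice": {"alice@example.com", "alice.smith@example.com"},
    "newsletter": {"news@example.com"},
}


def addr_of(value: str) -> str:
    """Extract the bare, lower-cased address from a MAIL FROM argument or a From: value."""
    _, addr = parseaddr(value)
    return addr.strip("<>").lower()


def check_submission(auth_id: str, mail_from: str, from_header: str) -> tuple:
    """Return (accepted, smtp_reply) for a submission by the authenticated user-id."""
    allowed = ALLOWED_SENDERS.get(auth_id)
    if allowed is None:
        # No accepted credentials: the reply the text says the spec recommends.
        return False, "530 5.7.0 Authentication required"
    envelope = addr_of(mail_from)
    header = addr_of(from_header)
    if envelope not in allowed:
        return False, f"550 5.7.1 {envelope!r} not an allowed envelope sender for {auth_id}"
    if header not in allowed:
        return False, f"550 5.7.1 From header {header!r} does not match authenticated user {auth_id}"
    return True, "250 2.1.0 Sender ok"
```

A From header that cannot be parsed yields an empty address and is rejected, so a malformed header cannot slip past the check.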

Keywords ending in "A", such as ESMTPA and ESMTPSA, are provided for the with clause of Received header fields when messages are received with SMTP AUTH. "The keywords are provided for statistical or diagnostic purposes" (RFC 3848); they are checked by some clients, e.g. SpamAssassin.

Details

As with all SMTP extensions, SMTP AUTH is advertised in the EHLO response, along with a list of supported authentication methods. These methods may change after issuing STARTTLS, typically allowing plain text passwords in the latter case only. For example (from RFC 4954):

S: 220-smtp.example.com ESMTP Server
C: EHLO client.example.com
S: 250-smtp.example.com Hello client.example.com
S: 250-AUTH GSSAPI DIGEST-MD5
S: 250-ENHANCEDSTATUSCODES
S: 250 STARTTLS
C: STARTTLS
S: 220 Ready to start TLS
... TLS negotiation proceeds.
Further commands protected by TLS layer ...
C: EHLO client.example.com
S: 250-smtp.example.com Hello client.example.com
S: 250 AUTH GSSAPI DIGEST-MD5 PLAIN
C: AUTH PLAIN dGVzdAB0ZXN0ADEyMzQ=
S: 235 2.7.0 Authentication successful

SMTP AUTH can be used also on port 25. Usually, servers reject RCPT TO commands that imply relaying unless authentication credentials have been accepted. The specification recommends that servers issue 530 5.7.0 Authentication required in response to most commands in case the server is configured to require authentication and the client hasn't done it yet. Only servers listening on port 587, or private servers, should be configured that way, not a Message eXchange (MX). However, the historical trait that SMTP is not authenticated by default results in a different behavior with regard to access protocols, in some cases; for example, when using AUTH EXTERNAL after STARTTLS.

Besides the AUTH command, the extension also provides for an AUTH parameter to the MAIL FROM command, so that authentication can be distinguished from authorization. That way, a sender can identify itself and transmit several messages during the same session. While the authentication doesn't need to vary, once established, different messages may be sent according to different agreements and hence require different authorization. For example, messages may be relayed on behalf of different users. Use of this parameter is much less popular than using the command to grant relay privileges.
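The client side of the exchange shown above, as an added example (not code from the article or from RFC 4954): it reads the AUTH capability out of an EHLO response, declines to use a plaintext mechanism until STARTTLS has completed, and encodes and decodes the AUTH PLAIN initial response in the RFC 4616 layout ([authzid] NUL authcid NUL passwd). The mechanism preference order is an assumption of this example.

```python
# Added example: EHLO capability parsing, TLS-gated mechanism choice, and
# AUTH PLAIN encoding/decoding for the exchange shown in the article.
import base64
from typing import Optional

# Mechanisms that send the password in clear; acceptable only once TLS is up.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}
# Assumed preference order (strongest first); not mandated by the RFCs.
PREFERRED = ["GSSAPI", "DIGEST-MD5", "CRAM-MD5", "PLAIN", "LOGIN"]


def auth_mechanisms(ehlo_response: str) -> set:
    """Return the mechanisms listed on the '250-AUTH ...' / '250 AUTH ...' line."""
    for line in ehlo_response.splitlines():
        code, sep, rest = line[:3], line[3:4], line[4:]
        if code == "250" and sep in ("-", " ") and rest.upper().startswith("AUTH "):
            return {m.upper() for m in rest.split()[1:]}
    return set()


def choose_mechanism(mechanisms: set, tls_active: bool) -> Optional[str]:
    """Pick the first preferred mechanism; plaintext ones only under TLS."""
    for mech in PREFERRED:
        if mech in mechanisms and (tls_active or mech not in PLAINTEXT_MECHS):
            return mech
    return None  # nothing safe to offer: caller should STARTTLS first or abort


def encode_plain(authcid: str, passwd: str, authzid: str = "") -> str:
    """Build the base64 argument sent with 'AUTH PLAIN'."""
    raw = "\0".join([authzid, authcid, passwd]).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_plain(arg: str) -> tuple:
    """Split an AUTH PLAIN argument into (authzid, authcid, passwd)."""
    parts = base64.b64decode(arg).decode("utf-8").split("\0")
    if len(parts) != 3:
        raise ValueError("malformed AUTH PLAIN response")
    return parts[0], parts[1], parts[2]
```

Decoding the argument from the transcript above shows why the gating matters: the base64 wrapper hides nothing, so without TLS the password travels in the clear.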

Standards

  • RFC 3207, SMTP Service Extension for Secure SMTP over Transport Layer Security, Paul Hoffman, February 2002.
  • RFC 3848, ESMTP and LMTP Transmission Types Registration, Chris Newman, July 2004.
  • RFC 4409, Message Submission for Mail, Randall Gellens and John C. Klensin, April 2006.
  • RFC 4422, Simple Authentication and Security Layer (SASL), Alexey Melnikov and Kurt D. Zeilenga, June 2006.
  • RFC 4954, SMTP Service Extension for Authentication, Robert Siemborski and Alexey Melnikov, July 2007.

See also

  • E-mail authentication
  • Simple Mail Transfer Protocol
  • Mail submission agent
  • Extended SMTP
  • Email client#Port numbers
  • Simple Authentication and Security Layer
  • Open mail relay
  • POP before SMTP
The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.