
SMTP Authentication, often abbreviated SMTP AUTH, is an extension of the Simple Mail Transfer Protocol (SMTP) whereby a client may log in using any authentication mechanism supported by the server. It is mainly used by submission servers, where authentication is mandatory.


History

SMTP as specified by Jon Postel in the 1970s did not provide for using passwords for sending email messages; each server was by design an open mail relay. As a result, spam and worms, while not initially a problem, had become a plague by the late '90s. Before SMTP AUTH, a ''relay client'' had to be identified by IP address, which is only practical for email services provided by the same Internet service provider (ISP) supplying the connection, or else using specific hacks, such as POP before SMTP. John Gardiner Myers published the first draft of SMTP AUTH in 1995, and it has been successively developed and discussed in the IETF along with the mail submission protocol, Extended SMTP (ESMTP), and the Simple Authentication and Security Layer (SASL). An older SASL mechanism for ESMTP authentication (ESMTPA) is CRAM-MD5, and uses of the MD5 algorithm in HMACs (hash-based message authentication codes) are still considered sound. The Internet Mail Consortium (IMC) reported that 55% of mail servers were open relays in 1998, but less than 1% in 2002.


Role in the mail transport system

Using a mail submission agent (MSA), generally on port 587, implies SMTP AUTH. MSA usage is supported by most software and is recommended, especially to support nomadic users, as several network hubs either block port 25 or use SMTP proxies. The MSA is responsible for ensuring that the message envelope contains good addresses, and may enforce local policies for the ''From'' header field. Verifying that the envelope sender (a.k.a. ''Return-Path'') used for SPF and the ''From'' address agree with the authenticated ''user-id'' is particularly important for domains that sign messages using DKIM. Keywords ending in "A", such as ESMTPA and ESMTPSA, are provided for the ''with'' clause of ''Received'' header fields when messages are received with SMTP AUTH. ''"The keywords are provided for statistical or diagnostic purposes"'' (RFC 3848); they are checked by some clients, e.g. SpamAssassin.


Details

As with all SMTP extensions, SMTP AUTH is advertised in the EHLO response, along with a list of supported authentication methods. These methods may change after issuing STARTTLS, typically allowing plain text passwords in the latter case only. RFC 4954 provides the following example ("C:" and "S:" are not part of the protocol; they indicate lines sent by the client and server, respectively):

S: 220 smtp.example.com ESMTP Server
C: EHLO client.example.com
S: 250-smtp.example.com Hello client.example.com
S: 250-AUTH GSSAPI DIGEST-MD5
S: 250-ENHANCEDSTATUSCODES
S: 250 STARTTLS
C: STARTTLS
S: 220 Ready to start TLS
''... TLS negotiation proceeds.''
''Further commands protected by TLS layer ...''
C: EHLO client.example.com
S: 250-smtp.example.com Hello client.example.com
S: 250 AUTH GSSAPI DIGEST-MD5 PLAIN
C: AUTH PLAIN aWxvdmV3aWtpcGVkaWE=
S: 235 2.7.0 Authentication successful

SMTP AUTH can also be used on port 25. Usually, servers reject RCPT TO commands that imply relaying unless authentication credentials have been accepted. The specification recommends that servers issue ''530 5.7.0 Authentication required'' in response to most commands in case the server is configured to ''require'' authentication and the client has not yet authenticated. Only servers listening on port 587, or private servers, should be configured that way, not a Message eXchange (MX). However, the historical trait that SMTP is not authenticated by default results in a different behavior with regard to access protocols in some cases; for example, when using AUTH EXTERNAL after STARTTLS.

Besides the ''AUTH'' command, the extension also provides for an ''AUTH'' parameter to the ''MAIL FROM'' command, so as to distinguish authentication from authorization. That way, a sender can identify itself and transmit several messages during the same session. While the authentication doesn't need to vary once established, different messages may be sent according to different agreements and hence require different authorization. For example, messages may be relayed on behalf of different users. Use of this parameter is much less popular than using the command to grant relay privileges.

SMTP Authentication is an "extension" in SMTP terms, so it requires server and client to use the EHLO verb for greeting to indicate support for extensions, as opposed to the obsolete HELO greeting. For backward compatibility, the HELO greeting may be accepted ''when no extension is used''.

The capitalized text after the ''AUTH'' keyword is a list of the types of authorization that the SMTP server will accept. Some examples of authorization protocols include:

* PLAIN (uses Base64 encoding)
* LOGIN (uses Base64 encoding; obsoleted in favor of PLAIN)
* GSSAPI (Generic Security Services Application Program Interface)
* DIGEST-MD5 (Digest access authentication)
* MD5
* CRAM-MD5
* OAUTH10A (OAuth 1.0a HMAC-SHA1 tokens as defined in RFC 5849)
* OAUTHBEARER (OAuth 2.0 bearer tokens as defined in RFC 6750)
* XOAUTH2 (Gmail's XOAuth2 SASL protocol)
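The behaviour described above (PLAIN offered only after STARTTLS, ''530 5.7.0'' before authentication, and the MSA check that the envelope sender belongs to the authenticated user from the previous section) as a small constructed server-side state machine. This is an added example, not code from the page or from any real MTA; the account data, the server name and the exact reply strings are assumptions.

```python
import base64
import hmac

# Constructed demo (not from the page or any real MTA); assumed account data.
USERS = {"alice": "correct horse"}            # user -> password
MAILBOX = {"alice": "alice@example.com"}      # user -> envelope sender it may use
def encode_plain(authzid, authcid, passwd):
    """Client side: base64 initial response for AUTH PLAIN (authzid NUL authcid NUL passwd)."""
    return base64.b64encode(f"{authzid}\0{authcid}\0{passwd}".encode()).decode()
def decode_plain(initial_response):
    """Server side: split a PLAIN response into (authzid, authcid, passwd)."""
    parts = base64.b64decode(initial_response, validate=True).split(b"\0")
    if len(parts) != 3:
        raise ValueError("malformed PLAIN response")
    return tuple(p.decode("utf-8") for p in parts)
class SubmissionServer:
    """PLAIN offered only after STARTTLS; 530 before AUTH; MAIL FROM tied to the user."""
    def __init__(self):
        self.tls, self.user = False, None

    def handle(self, line):
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            mechs = "GSSAPI DIGEST-MD5" + (" PLAIN" if self.tls else "")
            return ["250-smtp.example.com Hello " + arg, "250-AUTH " + mechs,
                    "250 ENHANCEDSTATUSCODES" if self.tls else "250 STARTTLS"]
        if verb == "STARTTLS":
            self.tls = True  # the handshake itself is assumed to happen out of band
            return ["220 Ready to start TLS"]
        if verb == "AUTH":
            mech, _, resp = arg.partition(" ")
            if mech.upper() != "PLAIN" or not self.tls:  # no clear-text passwords
                return ["504 5.5.4 Unrecognized authentication type"]
            try:
                _, authcid, passwd = decode_plain(resp)
            except ValueError:
                return ["501 5.5.2 Cannot decode response"]
            if authcid not in USERS or not hmac.compare_digest(USERS[authcid].encode(), passwd.encode()):
                return ["535 5.7.8 Authentication credentials invalid"]
            self.user = authcid
            return ["235 2.7.0 Authentication successful"]
        if verb in ("MAIL", "RCPT", "DATA"):
            if self.user is None:
                return ["530 5.7.0 Authentication required"]
            sender = arg.partition(":")[2].strip().strip("<>").lower()
            if verb == "MAIL" and sender != MAILBOX[self.user]:  # envelope/user mismatch
                return ["550 5.7.1 Sender address not authorized for this user"]
            return ["250 2.1.0 OK"]
        return ["500 5.5.1 Command not recognized"]
```

Feeding the RFC 4954 transcript through `handle` line by line reproduces the advertised mechanism lists before and after STARTTLS; the base64 string from that transcript is rejected with 501 because it carries no NUL-separated fields.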


Standards

* ''SMTP Service Extension for Secure SMTP over Transport Layer Security'', Paul Hoffman, February 2002.
* ''ESMTP and LMTP Transmission Types Registration'', Chris Newman, July 2004.
* ''Message Submission for Mail'', Randall Gellens and John C. Klensin, November 2011 (obsoletes RFC 4409, from 2006, which in turn replaced RFC 2476, from December 1998).
* ''Simple Authentication and Security Layer (SASL)'', Alexey Melnikov and Kurt D. Zeilenga, June 2006.
* ''The PLAIN SASL Mechanism'', K. Zeilenga, Ed., August 2006.
* ''SMTP Service Extension for Authentication'', Robert Siemborski and Alexey Melnikov, July 2007.
* ''A Set of Simple Authentication and Security Layer (SASL) Mechanisms for OAuth'', W. Mills, T. Showalter and H. Tschofenig, August 2015.


Other

* Erwin Hoffmann, ''SMTP Authentication [Tutorial]'', last edit 2017-01-10.


See also

* Email authentication
* Simple Mail Transfer Protocol
* Mail submission agent
* Email client port numbers
* Simple Authentication and Security Layer
* Open mail relay
* POP before SMTP

