What is SMTP authentication? Secure e-mail against spam
To send threatening letters or unwanted advertising by post, all you need to do is write an incorrect sender address on the envelope. A similar method can be applied to e-mails. According to research done by Kaspersky Lab a few years ago, the biggest source of spam was the US, which accounted for 13.21%. Other notable global phishing campaigns include “Nigerian” scammers with an inheritance scheme and scams built around large sporting events. SMTP authentication provides basic security to prevent such unsolicited spam and phishing attempts.
What is SMTP authentication?
SMTP AUTH prevents an SMTP server from being misused as an open mail relay to distribute spam within a network. The need for this procedure is due to the inherent features of the original 1982 SMTP, which did not provide user authentication by default. For this reason, open mail relays, i.e. mail servers that forward all e-mails regardless of the sender or recipient address, were the norm until about 1997. What seems absurd in today’s environment originally had a good reason: system errors and server failures were more frequent, so open mail relays could maintain regular traffic even in emergency situations.
However, the widespread use of such unprotected relays led to the proliferation of spam. Morally questionable advertisers and malicious criminals (above all, the notorious “spam king” Sanford Wallace with his Cyberpromo firm) used the open servers with stolen or invented e-mail addresses to distribute spam. The term given to this practice is “mail spoofing”.
Since the servers did not have additional authentication mechanisms at the time, they accepted the spam mails without difficulty and fed them into the network. By using external hardware, the spammers also saved their own resources and so could not be traced back. Furthermore, the constant change of fake addresses made it possible to avoid spam filters. Various countermeasures have been deployed to solve the problem of open mail relays – first SMTP-After-POP and then ESMTP and ASMTP in 1995. By 2005/2006, the number of open mail relays had shrunk from several hundred thousand to a negligible fraction.
Although the situation is no longer as critical as it was then, according to the non-profit organization Spamhaus, spammers are still finding 10 to 20 new open servers in the network per day. Sometimes these are the result of frivolous and inexperienced administrators. However, according to Spamhaus, the problem often lies with poorly configured or cracked firewalls and external security applications – not necessarily with the server configuration itself, as is often the case with small, regional businesses. If an application lets spam mail through, it is forwarded to the server via a local SMTP connection with the IP address of the respective application, which then treats it as trustworthy. Additionally, more and more spammer botnets from “zombified” home computers are used as relays.
Today, open mail relays exploited for spam are usually identified as such within a few hours or days and then end up on so-called blacklists. This means that even legitimate e-mails from that server end up in the recipient’s spam filter, so the operator of the mail server must first close the security hole and then try to have the server removed from the list in order to operate normally again. Spammers not only cost businesses money by generating high traffic at the expense of their hardware speed; they can also tarnish a business’s reputation and consume a lot of unnecessary time.
It is for this reason that all mail servers these days use ESMTP in conjunction with ASMTP. They then always require authentication before their e-mail service can be used. An optimally configured SMTP relay (also called “smart host”) is a server that only forwards e-mails from senders to third parties if it’s responsible for both parties. In simple language: incoming mails are only sent to registered users, and only those who are authorized to use the mail server can send outgoing mails.
How does ASMTP work?
An essential feature of ASMTP is that e-mails are accepted via port 587/TCP (the SMTP AUTH port), instead of the traditional port 25/TCP. This is a mandatory feature of ESMTP. The protocol contains a selection of authentication mechanisms with different levels of security, which, depending on its configuration, an SMTP server can use in order to check the trustworthiness of the SMTP client.
These authentication mechanisms include the following:
- PLAIN: authentication via the username and password of the client. Both are transmitted unencrypted, merely encoded in the Base64 character set.
- LOGIN: works similarly to PLAIN, but the Base64-encoded username and password are transferred in two steps rather than just one.
- CRAM-MD5: an alternative to PLAIN and LOGIN with a higher level of security according to the challenge-response principle. Since spammers can decode a user’s personal access data relatively quickly from the Base64 character set, with this mechanism the password is not transferred to the server either in encoded form or in plain text. Instead, the server provides the client with a kind of computational task that can only be solved with the help of the password. This task changes with each login, so spammers cannot misuse data from previous server connections.
Other mechanisms offered include GSSAPI, DIGEST-MD5, MD5, OAUTH10A, OAUTHBEARER, SCRAM-SHA-1, and NTLM.
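As an added example (not part of the original article), the Python sketch below builds the client lines for PLAIN, LOGIN and CRAM-MD5, shows that the Base64 lines can be read back without any key, and shows that a CRAM-MD5 response recorded in one session fails against the next session's challenge. The account values and the second challenge are constructed; the CRAM-MD5 values are the test vector from RFC 2195.

```python
import base64
import hashlib
import hmac

def b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()

def plain_initial_response(user: str, password: str) -> str:
    """AUTH PLAIN: one Base64 line holding NUL + user + NUL + password."""
    return b64(f"\0{user}\0{password}")

def login_steps(user: str, password: str) -> list[str]:
    """AUTH LOGIN: the same two values as two separate Base64 lines."""
    return [b64(user), b64(password)]

def recover_plain(line: str) -> tuple[str, str]:
    """Base64 has no key: whoever reads the line reads the credentials."""
    _authzid, user, password = base64.b64decode(line).decode().split("\0")
    return user, password

def cram_md5_response(user: str, password: str, challenge_b64: str) -> str:
    """AUTH CRAM-MD5: HMAC-MD5 keyed with the password over the challenge."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return b64(f"{user} {digest}")

def server_verify(response_b64: str, password: str, challenge_b64: str) -> bool:
    """Server side: recompute for the challenge issued in *this* session."""
    user = base64.b64decode(response_b64).decode().rpartition(" ")[0]
    expected = cram_md5_response(user, password, challenge_b64)
    return hmac.compare_digest(expected, response_b64)

# CRAM-MD5 test vector from RFC 2195; the other values are constructed.
RFC_USER, RFC_SECRET = "tim", "tanstaaftanstaaf"
RFC_CHALLENGE = "PDE4OTYuNjk3MTcwOTUyQHBvc3RvZmZpY2UucmVzdG9uLm1jaS5uZXQ+"
NEXT_CHALLENGE = b64("<2025.1@mx.example.test>")  # constructed later session

if __name__ == "__main__":
    line = plain_initial_response("alice@example.test", "s3cret-pw")
    print("AUTH PLAIN", line, "-> decodes to", recover_plain(line))
    print("AUTH LOGIN", login_steps("alice@example.test", "s3cret-pw"))
    resp = cram_md5_response(RFC_USER, RFC_SECRET, RFC_CHALLENGE)
    print("CRAM-MD5 response:", resp)
    print("same session  :", server_verify(resp, RFC_SECRET, RFC_CHALLENGE))
    print("replayed later:", server_verify(resp, RFC_SECRET, NEXT_CHALLENGE))
```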
How to configure SMTP authentication
In some mail programs such as Mozilla Thunderbird, SMTP authentication is usually configured automatically when a new account is created. If this does not work, you may have to do it manually. In the case of Thunderbird, proceed as follows:
- Right-click on the context menu of your e-mail account and click on “Settings”
- Navigate to “Outgoing server (SMTP)”, select your mail server and click “Edit”
- Activate the option “Use username and password” and enter your e-mail address
- Confirm the settings with “OK”
The following are a set of instructions for Outlook:
- Select “Account Settings” in the menu
- Choose your account and click on “Change”
- Select “Further Settings”
- In the newly-opened window, navigate towards “Outgoing Server” and activate the option “My outgoing server (SMTP) requires authentication”
- Check the box titled “Use same settings as my incoming server”
- Confirm it with “OK” and the window will close
- Click on “Next” for Outlook to check the new account settings and click “Close” as soon as the test is complete
- To finalize, click on “Finish” and then “Close”
If you have any questions or problems configuring your mail server or program, contact us and we will be pleased to help.