SMTP auth
SMTP-Auth (SMTP authentication, also known as ASMTP) is an extension of the ESMTP protocol that enables a mail server to authenticate the client using its user name and password.
Normally only authenticated senders can relay mail via an SMTP-Auth-capable server, which helps prevent the mail server from being misused for spam. Relaying (forwarding) refers to sending an e-mail to recipients outside the domain for which the mail server used is responsible (see SMTP relay server). At the same time, the log files can be used to identify who used an SMTP server for relaying mail.
RFC 2554 originally defined the SMTP Service Extension for Authentication as a profile of the Simple Authentication and Security Layer (SASL). This gave rise to a variety of authentication mechanisms.
According to RFC 4954 of July 2007, the extension contains only one SASL profile and specifies the PLAIN mechanism so that it can be used in conjunction with Transport Layer Security (TLS). The alternative SASL mechanisms are only permitted in addition, and the server must now insist on encryption.
The server may therefore offer several authentication mechanisms, from which the client chooses one. Depending on the mechanism, the server then sends the client a challenge or prompts it to continue.
Authentication procedure
Depending on the SMTP server and its configuration, the server offers different mechanisms.
PLAIN
PLAIN authentication is standardized in RFC 4616. The user name for authorization, the user name for authentication and the password are transmitted unencrypted. The three strings are combined into a single string and Base64-encoded.
LOGIN
With LOGIN authentication, as with PLAIN authentication, the user name and password are transmitted unencrypted and Base64-encoded. In contrast to PLAIN authentication, the two strings are transmitted in two separate steps.
CRAM-MD5
CRAM-MD5 authentication is standardized in RFC 2195.
SCRAM-SHA-1
SCRAM-SHA-1 authentication is standardized in RFC 5802.
NTLM
Authentication takes place via NTLM.
Example
The following ESMTP session, in clear text and with the unencrypted LOGIN procedure, demonstrates the authentication. On production mail servers, sensitive data should not be transmitted in plain text as shown here; instead, the session should, for example, be switched to encrypted communication with STARTTLS before authenticating.
> 220 mail.example.org ESMTP
< EHLO example.net
> 250-example.org Hello example.net
> 250 AUTH CRAM-MD5 LOGIN PLAIN
< AUTH LOGIN
> 334 VXNlcm5hbWU6
< aGFucw==
> 334 UGFzc3dvcmQ6
< c2Nobml0emVsbWl0a2FydG9mZmVsc2FsYXQ=
> 235 ok
< MAIL FROM:<[email protected]>
> 250 ok
< RCPT TO:<[email protected]>
> 250 ok
< DATA
> 354 Go ahead.
< From:<[email protected]>
< To:<[email protected]>
< Subject: Hallo
<
< Hallo Fritz.
< .
> 250 Mail delivered.
< QUIT

Plain text (Base64 decoded):
> 334 Username:
< hans
> 334 Password:
< schnitzelmitkartoffelsalat
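The following added example (not part of the original article) illustrates the PLAIN and LOGIN descriptions above together with the session shown: it builds and parses the single PLAIN string, and audits a session transcript to report which mechanism was used, whether STARTTLS preceded it, and that the LOGIN credentials are recoverable from an unencrypted capture. The transcript is a constructed excerpt of the session above; the function names are the example's own.

```python
import base64
# Constructed excerpt of the LOGIN session above ('>' = server, '<' = client).
SESSION = """\
> 250 AUTH CRAM-MD5 LOGIN PLAIN
< AUTH LOGIN
> 334 VXNlcm5hbWU6
< aGFucw==
> 334 UGFzc3dvcmQ6
< c2Nobml0emVsbWl0a2FydG9mZmVsc2FsYXQ=
> 235 ok
"""

def encode_plain(authzid, authcid, password):
    """PLAIN (RFC 4616) sends one Base64 string: authzid NUL authcid NUL password."""
    raw = f"{authzid}\0{authcid}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")

def decode_plain(b64):
    """Split a PLAIN response back into (authzid, authcid, password)."""
    parts = base64.b64decode(b64).decode("utf-8").split("\0")
    if len(parts) != 3:
        raise ValueError("PLAIN response must contain exactly two NUL separators")
    return tuple(parts)

def audit_session(transcript):
    """Report mechanism, whether STARTTLS came first, and decoded LOGIN/PLAIN credentials."""
    tls_started = False
    result = {"mechanism": None, "tls_before_auth": False, "username": None, "password": None}
    responses = []  # client lines following AUTH (LOGIN needs two, PLAIN one)
    for line in transcript.splitlines():
        if not line.startswith("< "):
            continue  # only client commands matter for this check
        cmd = line[2:].strip()
        if cmd.upper() == "STARTTLS":
            tls_started = True
        elif cmd.upper().startswith("AUTH "):
            parts = cmd.split(maxsplit=2)
            result["mechanism"] = parts[1].upper()
            result["tls_before_auth"] = tls_started
            if len(parts) == 3:  # PLAIN may carry its initial response on the AUTH line
                responses.append(parts[2])
        elif result["mechanism"] and len(responses) < 2:
            responses.append(cmd)
    if result["mechanism"] == "LOGIN" and len(responses) == 2:
        result["username"] = base64.b64decode(responses[0]).decode("utf-8")
        result["password"] = base64.b64decode(responses[1]).decode("utf-8")
    elif result["mechanism"] == "PLAIN" and responses:
        _, result["username"], result["password"] = decode_plain(responses[0])
    return result
```

Run over the session above, the audit reports LOGIN with no STARTTLS before it and returns the same "hans" / "schnitzelmitkartoffelsalat" pair the decoded column shows.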