Please Whitelist This Site?

I know everyone hates ads. But please understand that I am providing premium content for free that takes hundreds of hours of time to research and write. I don't want to go to a pay-only model like some sites, but when more and more people block ads, I end up working for free. And I have a family to support, just like you. :)

If you like The TCP/IP Guide, please consider the download version. It's priced very economically and you can read all of it in a convenient format without ads.

If you want to use this site for free, I'd be grateful if you could add the site to the whitelist for Adblock. To do so, just open the Adblock menu and select "Disable on tcpipguide.com". Or go to the Tools menu and select "Adblock Plus Preferences...". Then click "Add Filter..." at the bottom, and add this string: "@@||tcpipguide.com^$document". Then just click OK.

Thanks for your understanding!

Sincerely, Charles Kozierok
Author and Publisher, The TCP/IP Guide


NOTE: Using software to mass-download the site degrades the server and is prohibited.
If you want to read The TCP/IP Guide offline, please consider licensing it. Thank you.

The Book is Here... and Now On Sale!

The whole site in one document for easy reference!
The TCP/IP Guide

Custom Search







Table Of Contents  The TCP/IP Guide
 9  TCP/IP Application Layer Protocols, Services and Applications (OSI Layers 5, 6 and 7)
      9  TCP/IP Key Applications and Application Protocols
           9  TCP/IP File and Message Transfer Applications and Protocols (FTP, TFTP, Electronic Mail, USENET, HTTP/WWW, Gopher)
                9  TCP/IP Electronic Mail System: Concepts and Protocols (RFC 822, MIME, SMTP, POP3, IMAP)
                     9  TCP/IP Electronic Mail Delivery Protocol: The Simple Mail Transfer Protocol (SMTP)

Previous Topic/Section
SMTP Special Features, Capabilities and Extensions
Previous Page
Pages in Current Topic/Section
1
2
Next Page
SMTP Commands
Next Topic/Section

SMTP Security Issues
(Page 2 of 2)

Common SMTP Server Security Techniques

Despite this obvious problem, efforts to implement a general security mechanism in SMTP have been resisted for two main reasons. First, there is no foolproof way to retrofit a new security mechanism onto something as widely used as SMTP without creating incompatibilities between newer and older systems. Second, many administrators were reluctant to completely do away with the general notion of cooperation between sites that has helped make the Internet so successful, simply due to a few “bad apples”.

Still, something had to be done. The compromise was for system administrators to “tighten up” their SMTP servers through the imposition of both technical and policy changes. Naturally, these vary from one organization to another. Some of the more common SMTP security provisions include:

  • Checking the IP address of a device attempting connection and refusing to even start an SMTP session unless it is in a list of authorized client devices.

  • Restriction of certain commands or features, such as e-mail relaying, to authorized users or client servers. This is sometimes done by requiring authentication via the SMTP extension AUTH before the command will be accepted.

  • Limiting the use of commands such as EXPN to prevent unauthorized users from determining the e-mail addresses of users on mailing lists.

  • Checking the validity of envelope information before accepting a message for delivery. Some servers will first verify that the originator's e-mail address is valid before agreeing to accept the MAIL command. Many will check the recipient's address and refuse the message if delivery is not to a local mailbox. Others use even more advanced techniques.

  • Limiting the size of e-mail messages that may be sent or the number that may be sent in a given period of time.

  • Logging all access to the server to keep records of server use and check for abuse.

Because of all the abuse in recent years, you will find that most SMTP servers implement these or other features, even though most of those features are not formally defined by the SMTP standards. They are instead enhancements built into individual SMTP server software packages.

Some of these measures can actually get quite sophisticated. For example, the SMTP server run by pair Networks, the great Web hosting company I have used for years, uses “POP-before-SMTP authentication”. This means that before the server will accept outgoing mail from the user via SMTP, the user must first log in to check incoming mail using the Post Office Protocol. Since POP includes authentication, successful POP login tells the server the user is authorized. This “flips a switch” in the server that allows the user to access the SMTP service after that login for a limited period of time. If this seems convoluted, well, you start to get an idea of the hassle that spammers and hackers have created for Internet service providers today.

It's also worth noting that SMTP does not include any mechanism for encryption to ensure the privacy of e-mail transmissions. Users requiring security in who sees their messages must use a separate encryption scheme to encode the body of the message prior to submission.

Key Concept: SMTP was designed in an era where internet security was not much of an issue; as a result, the base protocol includes no security mechanism at all. Since e-mail is so often abused today, most modern SMTP servers incorporate one or more security features to avoid problems.



Previous Topic/Section
SMTP Special Features, Capabilities and Extensions
Previous Page
Pages in Current Topic/Section
1
2
Next Page
SMTP Commands
Next Topic/Section

If you find The TCP/IP Guide useful, please consider making a small Paypal donation to help the site, using one of the buttons below. You can also donate a custom amount using the far right button (not less than $1 please, or PayPal gets most/all of your money!) In lieu of a larger donation, you may wish to consider purchasing a download license of The TCP/IP Guide. Thanks for your support!
Donate $2
Donate $5
Donate $10
Donate $20
Donate $30
Donate: $



Home - Table Of Contents - Contact Us

The TCP/IP Guide (http://www.TCPIPGuide.com)
Version 3.0 - Version Date: September 20, 2005

Copyright 2001-2005 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.