Please Whitelist This Site?
I know everyone hates ads. But please understand that I am providing premium content for free that takes hundreds of hours of time to research and write. I don't want to go to a pay-only model like some sites, but when more and more people block ads, I end up working for free. And I have a family to support, just like you. :)
If you like The TCP/IP Guide, please consider the download version. It's priced very economically and you can read all of it in a convenient format without ads.
If you want to use this site for free, I'd be grateful if you could add the site to the whitelist for Adblock. To do so, just open the Adblock menu and select "Disable on tcpipguide.com". Or go to the Tools menu and select "Adblock Plus Preferences...". Then click "Add Filter..." at the bottom, and add this string: "@@||tcpipguide.com^$document". Then just click OK.
Thanks for your understanding!
Sincerely, Charles Kozierok
Author and Publisher, The TCP/IP Guide
NOTE: Using software to mass-download the site degrades the server and is prohibited.
If you want to read The TCP/IP Guide offline, please consider licensing it. Thank you.
|| The TCP/IP Guide|
9 TCP/IP Application Layer Protocols, Services and Applications (OSI Layers 5, 6 and 7)
9 TCP/IP Key Applications and Application Protocols
9 TCP/IP File and Message Transfer Applications and Protocols (FTP, TFTP, Electronic Mail, USENET, HTTP/WWW, Gopher)
9 TCP/IP Electronic Mail System: Concepts and Protocols (RFC 822, MIME, SMTP, POP3, IMAP)
9 TCP/IP Electronic Mail Delivery Protocol: The Simple Mail Transfer Protocol (SMTP)
SMTP Security Issues
(Page 2 of 2)
Common SMTP Server Security Techniques
Despite this obvious problem, efforts
to implement a general security mechanism in SMTP have been resisted
for two main reasons. First, there is no foolproof way to retrofit a
new security mechanism onto something as widely used as SMTP without
creating incompatibilities between newer and older systems. Second,
many administrators were reluctant to completely do away with the general
notion of cooperation between sites that has helped make the Internet
so successful, simply due to a few bad apples.
Still, something had to be done.
The compromise was for system administrators to tighten up
their SMTP servers through the imposition of both technical and policy
changes. Naturally, these vary from one organization to another. Some
of the more common SMTP security provisions include:
- Checking the IP address of a device attempting
connection and refusing to even start an SMTP session unless it is in
a list of authorized client devices.
- Restriction of certain commands or features,
such as e-mail relaying, to authorized users or client servers. This
is sometimes done by requiring authentication via the SMTP
extension AUTH before the command
will be accepted.
- Limiting the use of commands such as EXPN
to prevent unauthorized users from determining the e-mail addresses
of users on mailing lists.
- Checking the validity of envelope information
before accepting a message for delivery. Some servers will first verify
that the originator's e-mail address is valid before agreeing to accept
the MAIL command. Many will check the recipient's address and
refuse the message if delivery is not to a local mailbox. Others use
even more advanced techniques.
- Limiting the size of e-mail messages that may
be sent or the number that may be sent in a given period of time.
- Logging all access to the server to keep records
of server use and check for abuse.
Because of all the abuse in recent
years, you will find that most SMTP servers implement these or other
features, even though most of those features are not formally defined
by the SMTP standards. They are instead enhancements built into individual
SMTP server software packages.
Some of these measures can actually
get quite sophisticated. For example, the SMTP server run by pair Networks,
the great Web hosting company I have used for years, uses POP-before-SMTP
authentication. This means that before the server will accept
outgoing mail from the user via SMTP, the user must first log in to
check incoming mail using the Post
Office Protocol. Since POP includes authentication,
successful POP login tells the server the user is authorized. This flips
a switch in the server that allows the user to access the SMTP
service after that login for a limited period of time. If this seems
convoluted, well, you start to get an idea of the hassle that spammers
and hackers have created for Internet service providers today.
It's also worth noting that SMTP
does not include any mechanism for encryption to ensure the privacy
of e-mail transmissions. Users requiring security in who sees their
messages must use a separate encryption scheme to encode the body of
the message prior to submission.
Key Concept: SMTP was designed in an era where internet security was not much of an issue; as a result, the base protocol includes no security mechanism at all. Since e-mail is so often abused today, most modern SMTP servers incorporate one or more security features to avoid problems.
|If you find The TCP/IP Guide useful, please consider making a small Paypal donation to help the site, using one of the buttons below. You can also donate a custom amount using the far right button (not less than $1 please, or PayPal gets most/all of your money!) In lieu of a larger donation, you may wish to consider purchasing a download license of The TCP/IP Guide. Thanks for your support!|
Table Of Contents - Contact Us
The TCP/IP Guide (http://www.TCPIPGuide.com)
Version 3.0 - Version Date: September 20, 2005
© Copyright 2001-2005 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.