SMTP

Tapu Ahmed, Jeremy Nunn

Upload: jessie-williamson

Post on 18-Jan-2016



Basics

Responsible for electronic mail delivery.

Simple ASCII protocol that runs on top of TCP/IP.

Uses reserved port number 25.

SMTP Model

You want to send an E-Mail from A to B.

Both A and B are simple workstations.

[Diagram: workstations A and B]

We will first try the destination server to see if it will accept mail.

[Diagram: A connects to Server B on port 25]

If the server can accept mail, the client submits.

If the server is busy, the client will cancel the connection and try again.

A submits source and destination. If both are valid, the server gives the go-ahead signal.

Our goal is to send a mail from A to B

[Diagram: A and B]

Step 1: A and the Local Mail Server exchange Send Req / ACK.

Step 2: A and the Local Mail Server exchange Send Mail / ACK. The Local Mail Server will store and queue.

Step 3: The Local Mail Server sends a DNS Query to the DNS Server, which replies with IP address resolution.

Step 4: Server A and Server B exchange REQ / ACK.

Step 5: Server A and Server B exchange Send / ACK. Server B: receive/store.

Step 6: Server B and B exchange Ring / ACK (optional).

SMTP protocol exists here, between the two servers and their “jumps.”

The exchange of mails using TCP/IP is performed by a message transfer agent (MTA).
– An MTA is responsible for routing mails to their proper destinations.
– MTA uses the Mail Exchange (MX) record from a DNS server to determine location.

In essence, the SMTP protocol describes how two MTAs communicate with each other using a single TCP connection.

[Diagram: Sending Host (User A, queue of mail, local MTA), relay MTAs across the internet, Receiving Host (local MTA, queue of mail, user mailboxes, User B)]

Topics for SMTP

SMTP Description
– Primarily RFC 821 and 822
– Message formats
– Extensions

SMTP Applications
– Purpose
– Operations
– Unique problems encountered.

Topics for SMTP continued

Security and performance issues
– Hacking
– End-end delivery system performance
– Spamming issues

Looking Ahead
– Future standardizations

RFC 821

A Description of SMTP
– Objective is to deliver mail reliably and efficiently.

Points of interest
– Mailing/sending
– Forwarding
– Relaying
– Opening/closing

SMTP Procedure
– MAIL command
  Clear buffer and get ready to receive mail
  Gives sender ID
– RCPT command
  Gives receiver information
– DATA command
  Send the data

S: MAIL FROM: [email protected]
R: OK
S: RCPT TO: [email protected]
R: OK
S: RCPT TO: [email protected]
R: ERROR; no such user here
S: RCPT TO: [email protected]
R: OK
S: DATA
– send mails
– Ending signature
R: OK

RFC 821 also provides:
– Verification
– SMTP commands and syntax structure
– State diagrams
– Sequencing of commands and replies

Extensions:
– RFC 1869
  EHLO command
– MAIL, RCPT, DATA can all receive additional values.

RFC (2)822

Describes message formatting for SMTP.
– RFC 822 is the standard for the format of internet text messages.
– RFC 2822: new standard

Points of interest
– Message specifications
– Date/time specifications
– Address specifications
– Different RFC extensions

Limitations:
– 998 character/line max. 78 min.
– Only ASCII characters

Header:
– Composed of a field name
– Terminated by a “:”, and ends with CRLF.

Address Specification:
– Individual or an entire mailbox
– Occurs in multiple fields to indicate sender or receiver

Date and Time Specification
– Must be semantically valid.
– Added on through numerous headers.

Extensions:
– RFC 2045 and 2046
  Describe mechanisms for transmission

SMTP Applications

Several SMTP applications exist, too numerous to enumerate

qmail
– Configuration is “unique” (one file to one config value)
– Places many files in the root of your system
– Awkward license prevents distributing modified source or binaries
– Developer/owner is a busy guy

sendmail
– Past and current versions (8) have been notoriously insecure
– Remote root exploits, etc.

SMTP Applications

Postfix
– Uses sensible defaults
– Good security track record
– Easier to configure
– Can query LDAP to pick up new/modified users

Microsoft Exchange
– Very easy to use on a Windows network
– Integrates with Active Directory (uses LDAP)
– Not the best security

Security and Performance

Who needs security?
– When SMTP was initially developed, little (none maybe?) emphasis was placed on security
– Design was built on the idea of cooperation and trust
– Didn’t anticipate spam

Mail Relay
– Relay is sending mail from one mail server to another
– Most SMTP servers didn’t check authenticity of users

Security and Performance

Bulk mails
– Unsolicited bulk mailers take advantage of this
– Decreases performance of server for rightful users

Relay Restrictions
– Verify that the computer is on the server’s local network
– Require a local domain return address
– Do not accept mail from other open relay servers
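The three relay restrictions above, written as one envelope check. This is an added Python example, not code from the slides; the networks, domain and listed relay address are constructed documentation values.

```python
import ipaddress

# Constructed site values (assumptions, not from the slides).
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
LOCAL_DOMAINS = {"example.org"}
KNOWN_OPEN_RELAYS = {ipaddress.ip_address("198.51.100.25")}

def domain_of(addr):
    """Domain part of an envelope address, lower-cased ('' if there is none)."""
    return addr.strip("<> ").rpartition("@")[2].lower() if "@" in addr else ""

def relay_decision(client_ip, mail_from, rcpt_to):
    """Return (accept, reason) for one envelope seen by the server."""
    ip = ipaddress.ip_address(client_ip)
    # Restriction 3: refuse anything handed over by a listed open relay.
    if ip in KNOWN_OPEN_RELAYS:
        return False, "client is a listed open relay"
    # Mail for our own domain is local delivery, not relaying.
    if domain_of(rcpt_to) in LOCAL_DOMAINS:
        return True, "local delivery"
    # From here on the recipient is elsewhere, so this is a relay request.
    # Restriction 1: the client must be on the server's local network.
    if not any(ip in net for net in LOCAL_NETS):
        return False, "relay denied: client not on local network"
    # Restriction 2: the return address must be in a local domain.
    if domain_of(mail_from) not in LOCAL_DOMAINS:
        return False, "relay denied: return address not local"
    return True, "relay permitted"
```

A server without these checks would return the last line for every envelope, which is the open-relay behaviour bulk mailers rely on.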

Security and Performance

How about a new SMTP?
– The problem is obvious, so let’s change the protocol
– No guaranteed way to implement without creating incompatibilities
– We like the idea of cooperation
– Maybe there’s another way

Security and Performance

Other Security Measures
– Limit the use of commands
– Check the validity of the envelope
– Limit the size of the email
– Limit the number of emails that may be sent in a given amount of time
– Log everything
– POP-before-SMTP Authentication

Note that SMTP has no mechanism for privacy (encryption).
– This has to be done at a higher level if needed
– Currently is application specific

Future Projections

Current projects include:

Sender Policy Framework (SPF)
– Only certain servers are allowed to forward mail from certain domain names
– Easy to check

New DNS Blackhole Lists
– Narrowly identify specific invalid senders
– Will be viable once a large enough number of servers support this

Spam Filtering
– Intelligent, self-learning software
– Good job of identifying unwanted messages that get through

Greylisting
– Receiving servers make sending servers wait
– Spammers probably won’t come back
– More time means more chances to add the offender to the blackhole list
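How a receiving server can make senders wait, as an added Python example that is not from the slides: greylisting keyed on the (client IP, sender, recipient) triplet, with the blackhole list consulted on every attempt so a listing made during the wait takes effect on the retry. The delay values, reply texts and addresses are assumptions chosen for illustration.

```python
class Greylist:
    """Triplet greylisting with an injected clock (all times in seconds)."""

    def __init__(self, blocklist, min_delay=300, retry_window=4 * 3600,
                 pass_ttl=30 * 86400):
        self.blocklist = blocklist        # shared set of blocked client IPs
        self.min_delay = min_delay        # assumed: wait before a retry counts
        self.retry_window = retry_window  # assumed: retry must arrive by then
        self.pass_ttl = pass_ttl          # assumed: how long a pass is remembered
        self.entries = {}                 # triplet -> (first_seen, last_ok)

    def check(self, client_ip, mail_from, rcpt_to, now):
        """Return the SMTP reply for one delivery attempt at time `now`."""
        # The wait gives the blackhole list time to catch up with the sender.
        if client_ip in self.blocklist:
            return "554 Rejected: client is on the blackhole list"
        key = (client_ip, mail_from.lower(), rcpt_to.lower())
        first, last_ok = self.entries.get(key, (None, None))
        # A triplet that passed recently is let straight through.
        if last_ok is not None and now - last_ok <= self.pass_ttl:
            self.entries[key] = (first, now)
            return "250 OK"
        # New triplet, or one whose retry came too late: start the clock.
        if first is None or now - first > self.retry_window:
            self.entries[key] = (now, None)
            return "451 Greylisted, try again later"
        # Retried before the minimum delay: keep the sender waiting.
        if now - first < self.min_delay:
            return "451 Greylisted, try again later"
        # A patient retry inside the window: a real MTA, accept and remember.
        self.entries[key] = (first, now)
        return "250 OK"
```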