By default, POP3 and IMAP mail clients must always authenticate their users with the mail server before they access the users' mailboxes. However, mail clients do not automatically need to authenticate their users before sending messages through the mail server.
For this reason, SMTP connections pose a potential security risk to Internet mail systems. If a mail system does not require some kind of SMTP authentication, outside users can use the mail server to relay messages. Such is the case with spam. Unauthorized users gain access to a mail server and commandeer the server's resources to relay spam messages.
The NetMail SMTP Agent provides two options to secure SMTP connections: requiring SMTP (ESMTP) authentication, or SMTP-after-POP.
These options are discussed in the following sections.
The most obvious way to secure SMTP connections is to require SMTP authentication. The Allow Remote Sending for Authenticated Users Only option in the SMTP Agent's UBE Relaying page enables SMTP authentication. If selected, the e-mail client must authenticate through the ESMTP protocol before the SMTP Agent relays its messages to remote recipients. Netscape Communicator and Outlook Express support ESMTP authentication.
When authenticating users to send remote messages, the SMTP Agent verifies the username in the message header against the username and password stored in the NMAP Agent context list maintained by the messaging server. For standalone messaging servers, this means the user must belong to a local NMAP context. For distributed messaging servers, this means that the user must belong to an NMAP context for one of the messaging servers in the Internet Services container. If the user is not listed in the context list, the SMTP Agent does not accept the user's connection. For more information on the context list, see the Context property in Configuring the NMAP Agent.
If both SMTP-after-POP and SMTP authentication are enabled, they function as an either/or option. If a mail client does not authenticate through POP or IMAP when downloading mail, it must authenticate using ESMTP before it can send remote messages.
NOTE: Netscape Communicator 4.0 automatically tries to authenticate users before sending messages through SMTP, regardless of whether SMTP authentication is enabled on the server. You must manually configure Internet Explorer and previous versions of Netscape Communicator to support SMTP authentication.
SMTP-after-POP is a back door approach to SMTP authentication. Instead of requiring users to authenticate through the SMTP protocol, it requires users to authenticate with the mail server through their POP3 or IMAP client before sending remote messages. This works for most Internet e-mail clients because e-mail clients always check for e-mail (log in) just before sending messages. By leveraging the user's POP or IMAP authentication with the messaging server, administrators avoid needing to configure users' e-mail clients to support SMTP authentication.
The SMTP-after-POP feature includes the username of the person who authenticated with the messaging system in the message header. This helps track spammers who authenticate with a valid username but fake the message header to mask their identity.
The SMTP-after-POP option requires Connection Manager. Connection Manager tracks users who have authenticated through POP or IMAP. When a user tries to send a message through the SMTP Agent, the Connection Manager Agent verifies that the user has previously authenticated with the messaging server through POP or IMAP. The basic process is as follows:
For specific information on creating and configuring Connection Manager, see Connection Manager.
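The relay decision described above, as an added illustration that is not NetMail code: ESMTP authentication against the context list and a recent POP/IMAP login are alternative ways to earn remote relaying, and the authenticated username is stamped into the message header. The page does not say how Connection Manager identifies a session, so this model assumes logins are keyed by client IP address with an expiry window, and the header name X-Authenticated-User is likewise an assumption.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Assumed: how long a POP/IMAP login stays valid for relaying (not on the page).
RELAY_WINDOW_SECS = 600


@dataclass
class ConnectionManager:
    """Toy Connection Manager: remembers who logged in via POP3/IMAP and from where."""
    logins: Dict[str, Tuple[str, int]] = field(default_factory=dict)  # ip -> (user, time)

    def record_login(self, client_ip: str, user: str, now: int) -> None:
        self.logins[client_ip] = (user, now)

    def authenticated_user(self, client_ip: str, now: int) -> Optional[str]:
        """Return the user who recently authenticated from client_ip, or None."""
        entry = self.logins.get(client_ip)
        if entry is None:
            return None
        user, when = entry
        return user if 0 <= now - when <= RELAY_WINDOW_SECS else None


def relay_decision(cm: ConnectionManager, context_list: set, client_ip: str, now: int,
                   esmtp_auth_user: Optional[str], local_recipient: bool):
    """Decide whether the SMTP agent relays a message.

    Returns (accept, extra_headers). Local delivery never needs relay
    authorisation; remote relay needs either a valid ESMTP AUTH identity
    (one listed in the NMAP context list) or a recent POP/IMAP login.
    """
    headers: Dict[str, str] = {}
    if local_recipient:
        return True, headers

    user = None
    if esmtp_auth_user is not None and esmtp_auth_user in context_list:
        user = esmtp_auth_user            # SMTP authentication path
    else:
        user = cm.authenticated_user(client_ip, now)  # SMTP-after-POP path

    if user is None:
        return False, headers             # open-relay attempt: refuse
    # Record who really authenticated so a forged From: can be traced back.
    headers["X-Authenticated-User"] = user
    return True, headers
```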