Site icon Mailtrap

What the SMTP Authentication Is and Why You Can’t Ignore It

How would you feel if anyone could send emails from your mail server? Greenlight for spammers – no way! That’s why Google and other email service providers protect their servers from unauthorized use. Senders need to authenticate and prove that they have a valid account. If they don’t, the server will reject their request. All of this is possible with SMTP authentication, also known as SMTP AUTH.

Why you shouldn’t use SMTP servers without authentication

Let’s say your company supplies an email address for your employees. However, there is no need for authentication to connect to the email server. So, they don’t have to enter a username and password to send an email. What hazards might this involve? 

Anonymity is the first thing to consider. Everybody using the mail server remains anonymous since he or she doesn’t have to log in with any credentials. This isn’t that big of a deal. But do you really need this sort of anonymity?

Email spoofing is what you should definitely worry about. No SMTP authentication means that it is possible to spoof the sender. In the best case, someone will use your mail server to send unauthorized sales emails. At worst, the spoofer can request personal information from the recipient and use it for identity theft purposes (phishing). 

So, how do you protect the server from spoofing? Earlier, we blogged about email authentication via SPF, DKIM, and DMARC records. Today, let’s talk about authentication mechanisms for the server.

What is SMTP AUTH and how does it work?

SMTP authentication or simply SMTP AUTH is the service extension of the ESMTP. It requires that an email sender (client) must have permission to use the email server. So, only authorized users can send outgoing messages.

Authentication is carried out according to the SASL mechanism. As a rule, servers use the three most common mechanisms: PLAIN, LOGIN, and CRAM-MD5. There are also other options that we’ll talk about later. Now, let’s take a look at authentication in action.

After the SMTP handshake, the client sends the EHLO command to the server. The response is code 250. It is usually attached with additional information, including supported SASL mechanisms. Here is how the SMTP session looks:

S: 220 smtp.mailtrap.io SMTP ready
C: EHLO client.railsware.com
S: 250-smtp.mailtrap.io Hello client.railsware.com
S: 250 AUTH LOGIN PLAIN CRAM-MD5

As an example, we use the fake SMTP server by Mailtrap. It responds positively to most client’s commands. So, we don’t have to worry about any configuration issues. Also, Mailtrap prevents emails from hitting the real mailbox. This means that we won’t spam any real recipient.

Let’s try to authenticate via the LOGIN SASL mechanism. For this, the client sends the AUTH LOGIN command. The server responds with a 334 code and requests a username. Once the client provides it, the server follows up with the request for the password. Eventually, the server replies with 235 - Authentication successful

S: 250 AUTH LOGIN PLAIN CRAM-MD5
C: AUTH LOGIN
S: 334 DYT3jf4sdDR5
C: TXktVXNlcm5hbWU=
S: 334 LIRdf2pekwW3
C: TXktUGFzc3dvcmQ=
S: 235 Authentication successful

DYT3jf4sdDR5 and LIRdf2pekwW3 by the server are the BASE64 encoded texts for “Username” and “Password”, respectively. TXktVXNlcm5hbWU= and TXktUGFzc3dvcmQ= are the client responses that are also BASE64 encoded. 

ESMTP replaced POP-before-SMTP

These days, all mail servers use ESMTP authentication via SASL mechanisms. This type of SMTP AUTH replaced the deprecated POP-before-SMTP authentication. The latter, however, still can be found on some old servers. The idea is to authenticate the user at the POP3 service of the same server and then connect them back to the SMTP. If you need to know how POP3 differs from SMTP, check out our dedicated blog post IMAP vs. POP3 vs. SMTP

This method of authentication is not very secure. Different clients can share the same IP address and authenticate as one user. In addition, the server runs both POP3 and SMTP services on the same system. ESMTP authentication gets an edge since it implements SASL mechanisms.

SASL authentication mechanisms

SMTP authentication mechanisms allow the server to check whether the SMTP client is authorized. They differ in the level of security. As a rule, the server lists which SASL mechanisms it supports as a response to the EHLO command. Most servers support the following options:

S: 250 AUTH LOGIN PLAIN CRAM-MD5
C: AUTH PLAIN
S: 334
C: vHRjyADROPsdSDIROu=
S: 235 Authentication successful

Alternatively, the client can submit the credentials together with the AUTH PLAIN command in one single line:

S: 250 AUTH LOGIN PLAIN CRAM-MD5
C: AUTH PLAIN vHRjyADROPsdSDIROu=
S: 235 Authentication successful
S: 250 AUTH LOGIN PLAIN CRAM-MD5
C: AUTH LOGIN
S: 334 DYT3jf4sdDR5
C: TXktVXNlcm5hbWU=
S: 334 LIRdf2pekwW3
C: TXktUGFzc3dvcmQ=
S: 235 Authentication successful
S: 250 AUTH LOGIN PLAIN CRAM-MD5
C: AUTH CRAM-MD5
S: 334 HSU43fnkj47dskmlSH6dsnjn8ndskjnkjnScdDES=
C: adIBUhb7nsddnKsddsfUN8HkjJNJNsdfJIb4LJNKJ=
S: 235 Authentication successful

CRAM-MD5 provides a higher level of security compared to the plaintext authentication mechanisms, PLAIN and LOGIN. The protocol uses a challenge-response principle. The server sends a challenge string. The client decodes the server challenge and replies with an HMAC (Hash-based Message Authentication Code) calculation using the password as a secret key. After that, the hashed challenge is converted to a string of lowercase hex digits. Also, the client prepends the username and a space character to the string. The server gets this concatenation BASE64-encoded. 

Spoofers cannot:

Now, let’s discover other SASL mechanisms that can be used on SMTP servers:

S: 250-AUTH LOGIN PLAIN XOAUTH XOAUTH2
C: AUTH XOAUTH2 dXNlcj1zb21ldXNlckBleGFtcGxlLmNvbQFhdXRoPUJlY
XJlciB5YTI5LnZGOWRmdDRxbVNSbGNrQJoZG1semRHRXVZMjl0Q2cBAQ==
S: 235 Accepted
S: 250-AUTH GSSAPI NTLM
C: AUTH NTLM
S: 334 ntlm supported
C: TlRMTVNTUAABAAAAt4II4gAAAAAAAAAAAAAAAAAAAAAFAs4OAAAADw==
S:334 lRMTVNTUAACAAAAFgAWADgAAAA1goriZt7rI6Uq/ccAAAAAAAAAAGwAbABOAAAABQLODgAAAA9FAFgAQwBIAC0AQwBMAEkALQA2ADYAAgAWAEUAWABDAEgALQBDAEwASQAtADYANgABABYARQBYAEMASAAtAEMATABJAC0ANgA2AAQAFgBlAHgAYwBoAC0AYwBsAGkALQA2ADYAAwAWAGUAeABjAGgALQBjAGwAaQAtADYANgAAAAAA
C:TlRMTVNTUAADAAAAGAAYAHwAAAAYABgAlAAAABYAFgBIAAAACAAIAF4AAAAWABYAZgAAABAAEACsAAAANYKI4gUCzg4AAAAPZQB4AGMAaAAtAGMAbABpAC0ANgA2AHQAZQBzAHQARQBYAEMASAAtAEMATABJAC0ANgA2AAZKkK42dvN2AAAAAAAAAAAAAAAAAAAAABvqCZdJZ0NxuuMaNT5PPn5aZ6imuk9cPZkPUjEYNIRezkCGmTwS5G0=
S: 235 Authentication successful

Here is an example:

S: 250-AUTH GSSAPI PLAIN
C: AUTH GSSAPI
S: 334
C: YIICEQYJKoZIhvcSAQICAQBuggIAMIIB/KADAgEFoQMCAQ6iBwMFACAAAACjggETYYIBDzCCAQugAwIBBaENGwtOQURBLktUSC5TRaIjMCGgAwIBAaEaMBgbBHNtdHAbEHNtdHAubmFkYS5rdGguc2Wjgc8wgcygAwIBEKEDAgEJooG/BIG8msq2xygko4Lv0Agu5pW6SEundUbFK5swuopukvx9kTidWULb/Ab490wQbtnKx3lmM3BFvNFvuUyD3zvh9PHggwz7T7eZYSCDaovIL/QZ0ismF3lZejZBSwBhgLDADQuk4nZHbbeoU9Lk+1jzsMJguNh6Ot3G6o8WLqFZoe8pi3NuxzSdjutjg3O9s/fasuSB9T85bq6oIMWGr5HHRNBNUF4x11tK3ytpsVoMNpKng3d4bY8tLgnxxLCmREakgc8wgcygAwIBEKEDAgEBooG/BIG8SPCDQwKGzJfZGg+MgqQquBiGBXA2uy/08gPE19vuTBP7XyL2H4EaVqtl71MeVxExbat/CNAK
3dMXkNqR6VHxZqb+ky8MYMDo452Z1sN6BfIsKcsy2BcYTwFJMtgdn21vTWVHtMPH3wtXPuPFGn3jigjsXiAyytXi1Y4p4Tni+ox5ndlZuqBJGeThVxyZIpCEI+5rWflxDIYVa/8CAcRUPQqoDpQIs5zkwfoPQtTdfRLdph5VxQ79N9PnvnQ=
S: 334 YGwGCSqGSIb3EgECAgIAb10wW6ADAgEFoQMCAQ+iTzBNoAMCARCiRgRE2FBXYUbT0MVIicgLYE/FKy6CcrvfQxZaoxyt05qqxJBL13kqneza/TKe5i0mjsN0Nc90KW/l4rL0eQ76vWMenaE1Lw8=
S: 334
YD8GCSqGSIb3EgECAgIBBAD/////IGqNk7Rz3+kPdzT9oYPRWnQi/ESL0p3EeQ2yNLWArrmdOzxpBwAgAAQEBAQ=
C: Using system username `jas' as authentication identity.
YD8GCSqGSIb3EgECAgIBBAD/////JhNtx+GhzYe54NY92BltbUHD6i02upmatfXUnIGrBR5vT5yuAQAgAGphcwE=
235 OK Authenticated

The SSL connection is required for plaintext mechanisms. Unencrypted credentials can be sent with no issues. All non-plaintext SASL mechanisms do not require SSL/TLS encryption.

SMTP AUTH listening ports

Code 535 – Authentication failed and other SMTP AUTH errors 

The SMTP server can reply both positively and negatively to the AUTH command. Positive response codes are:

The most frequent negative response is 535 - Authentication failed. It’s likely that you’ll be able to fix this error if you know what has caused it.

Besides 535, you may face other errors with the AUTH command:

Code 550 denotes that your email server requires SMTP authentication. It’s mostly a response to the attempt to send a message. For more on SMTP commands and responses, read our dedicated blog post. 

How to test the SMTP authentication

Some time ago we blogged about testing SMTP server with a manual Telnet session. Now, let’s use the Telnet client to test SMTP authentication on your mail server. 

SMTP authentication is what you can use to protect your mail server from spoofing and phishing. At the same time, there are many other threats like Malware, DoS attacks, and so on. Read our blog post to learn how to make SMTP secure and protect against all possible vulnerabilities.

Exit mobile version