
SMTP authentication


Mike Easter

Oct 13, 2010, 5:47:42 PM
I recently made a little .bat file so that I could log the smtp
transaction while working on a problem about a misconfigured server
which arose in another newsgroup.

The smtp configuration for 3.1.5 (I can't remember if 3.1.4 was the
same) has 4 choices in the smtp password authentication section:

No authentication
Password, transmitted insecurely
Encrypted password
Kerberos/GSSAPI
NTLM

The earthlink server says it wants port 587 and that it doesn't want any
connection security, but it doesn't say anything about encryption of the
pass. It also works on port 25 which it doesn't announce.

So I logged what was available to see (some of the authentication is
left out of the logging) and tried to find out how the server would react.

It accepted the pw transmitted insecurely as well as encrypted, but it
didn't/wouldn't transact with the Kerberos/GSSAPI or NTLM configuration
- instead I got an alert in each of those cases:

Sending of message failed.
The SMTP server smtpauth.earthlink.net does not support the selected
authentication method. Please change the 'Authentication method' in the
'Account Settings | Outgoing Server (SMTP)'.

In the logs, the server 'mentioned' STARTTLS, so I thought I would also
give that a shot. I configured for encrypted pass and connection
security STARTTLS.

That also worked.

The Tbird smtp logs didn't really help me understand any of this. Maybe
that is because of my inexperience in interpreting them.


--
Mike Easter

Greywolf

Oct 13, 2010, 7:31:43 PM
On 13/10/2010 17:47, Mike Easter wrote:
[...]

> The Tbird smtp logs didn't really help me understand any of this. Maybe
> that is because of my inexperience in interpreting them.

Well, I don't think there's much to understand, really. AFAICT,
earthlink accepts several different authentication methods, is all.

My take on this: You don't really need high-level security on _outgoing_
mail/posts, because you are either who you say you are, or your machine
has been hi-jacked. In the former case, security is pointless, in the
latter it's useless. To ensure that their customers have a seamless
experience, earthlink has apparently configured its servers to accept
messages from the most common clients, all of which have default settings.

HTH
wolf k.

John H Meyers

Oct 14, 2010, 4:28:02 AM
On 10/13/2010 4:47 PM, Mike Easter wrote:

> The earthlink server says it wants port 587 and that it doesn't want any
> connection security, but it doesn't say anything about encryption of the
> pass. It also works on port 25 which it doesn't announce.

Many ISPs want to phase out SMTP port 25, as they are even blocking
most of their own "home user" customers from using port 25
to reach any other network, and know that other ISPs are reciprocating,
which will block users hooked in anywhere else from reaching their own ISP's server
on that same port. They thus tend to be available on port 587
(where TLS is optional but authentication is still required)
and/or port 465 (where SSL is required and authentication is also required).

All uses of SMTP ports 587 or 465 are supposed to require authentication,
enabling identifying the end user account and selectively
disabling (or "throttling") abused (or over-used) logins,
limiting the "bad reputation" which individual end users
could otherwise cause their ISPs to accrue.

It is on this basis that these ports are generally not blocked,
whereas port 25, the mandated port number for inter-domain email forwarding,
may have _optional_ login for local ISP customers to use with email clients,
but _can not_ require login on those servers designated as receiving points
("mail exchangers") for their domain's incoming mail,
which is what opens the floodgate for hard-to-track spam,
identifiable only by originating IP address,
and motivates general "outgoing port 25 blocking"
against most private ISP subscribers,
as well as against anything but qualified volume senders (businesses)
or tightly monitored local SMTP servers
being able to send any mail out of each network from port 25.

NTLM authentication is Windows-specific and GSSAPI is complex
("the GSSAPI describes about 45 procedure calls",
http://en.wikipedia.org/wiki/Generic_Security_Services_Application_Program_Interface);
both of these are generally employed only in local networks within companies
which have some mechanism for "single sign-on within a controlled domain,"
covering an entire suite of applications and connections
to various servers and services.

The slight difference between the two remaining choices
(is that what's otherwise known as PLAIN vs. LOGIN or perhaps CRAM-MD5 ?)
is IMO not significant, because the word "encrypted" is then
not to be taken seriously (does "base64" count as "encryption"?)

Whenever SSL or TLS is available, that mechanism provides
all the connection security and password encryption needed,
both of which are quite strong, so that's what's generally relied upon
for public use by subscribers to any ISP or web-based mail service,
to protect eavesdropping on logins,
generally on ports 587, 465, or both (smtp.gmail.com listens on both ports
and requires TLS on 587 or SSL on 465, for example).

--
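As an added example (not code from anyone in this thread), a small audit script illustrating the points above: it decodes an AUTH PLAIN response per RFC 4616 to show that base64 is an encoding rather than encryption, and flags any credential a client sent before issuing STARTTLS. The 'C:'/'S:' transcript format and the credentials are constructed assumptions, not Thunderbird's real log format.

```python
import base64
# Added example, not from the thread. Transcripts below are constructed with
# made-up credentials; 'C:'/'S:' prefixes are an assumed client-side log format.

def b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()

def decode_auth_plain(b64text: str) -> tuple:
    """Split an AUTH PLAIN response (RFC 4616: authzid NUL authcid NUL passwd).
    Base64 is an encoding, not encryption: anyone holding the bytes gets the fields."""
    parts = base64.b64decode(b64text).split(b"\0")
    if len(parts) != 3:
        raise ValueError("malformed AUTH PLAIN response")
    return tuple(p.decode("utf-8") for p in parts)

def audit_transcript(log: str) -> list:
    """One record per AUTH attempt: mechanism, user, and whether the credential
    crossed the wire before STARTTLS (recoverable by a passive eavesdropper)."""
    lines = [ln for ln in log.splitlines() if ln.strip()]
    tls, findings = False, []
    for i, line in enumerate(lines):
        if line.startswith("C: STARTTLS"):
            tls = True  # everything after this point travels inside TLS
        elif line.startswith("C: AUTH PLAIN "):
            _authz, user, _pw = decode_auth_plain(line.split(" ", 3)[3])
            findings.append({"mech": "PLAIN", "user": user, "exposed": not tls})
        elif line.startswith("C: AUTH LOGIN") and i + 2 < len(lines):
            # AUTH LOGIN: server sends 334 prompts; client answers user, then password
            user = base64.b64decode(lines[i + 2][3:]).decode("utf-8")
            findings.append({"mech": "LOGIN", "user": user, "exposed": not tls})
    return findings

# Port-587 session that authenticates without ever upgrading to TLS.
PLAINTEXT_SESSION = "\n".join([
    "S: 220 smtpauth.example.net ESMTP", "C: EHLO laptop",
    "S: 250-STARTTLS", "S: 250 AUTH PLAIN LOGIN",
    "C: AUTH PLAIN " + b64("\0user@example.net\0hunter2"),
    "S: 235 2.7.0 Authentication successful",
])

# Same server, but the client issues STARTTLS before AUTH (the setup that worked above).
STARTTLS_SESSION = "\n".join([
    "S: 220 smtpauth.example.net ESMTP", "C: EHLO laptop", "S: 250-STARTTLS",
    "C: STARTTLS", "S: 220 2.0.0 Ready to start TLS",
    "C: EHLO laptop", "S: 250 AUTH PLAIN LOGIN", "C: AUTH LOGIN",
    "S: 334 " + b64("Username:"), "C: " + b64("user@example.net"),
    "S: 334 " + b64("Password:"), "C: " + b64("hunter2"),
    "S: 235 2.7.0 Authentication successful",
])
```

Running `audit_transcript` over the two sessions marks the first as exposed and the second as not, which is the whole difference between "encrypted password" without connection security and STARTTLS.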

Millwood

Oct 18, 2010, 11:19:24 AM
Greywolf wrote:
> My take on this: You don't really need high-level security on _outgoing_
> mail/posts, because you are either who you say you are, or your machine
> has been hi-jacked. In the former case, security is pointless, in the
> latter it's useless. To ensure that their customers have a seamless
> experience, earthlink has apparently configured its servers to accept
> messages from the most common clients, all of which have default settings.

But usually the smtp authentication is your email authentication - and
you sure don't want that password compromised.

Michael

Oct 18, 2010, 7:03:43 PM

Earthlink's authentication for outgoing mail is to prevent your account
and mail system from becoming a mail relay point, at least that is what
they told me when I used my laptop to keep in contact while on the road.

Michael
