SMTP-AUTH is an extension of the Simple Mail Transfer Protocol (SMTP) to include an authentication step through which the client effectively logs in to the mail server during the process of sending mail. Servers which support SMTP-AUTH can usually be configured to require clients to use this extension, ensuring the true identity of the sender is known. SMTP-AUTH is defined in RFC 4954.
SMTP-AUTH provides an access control mechanism. It can be used to allow legitimate users to relay mail while denying relay service to unauthorized users, such as spammers. It does not guarantee the authenticity of either the SMTP envelope sender or the RFC 2822 "From:" header. For example, spoofing, in which one sender masquerades as someone else, is possible even with SMTP-AUTH.
The SMTP-AUTH extension also allows one mail server to indicate to another that the sender has been authenticated when relaying mail. In general this requires the recipient server to trust the sending server, meaning that this aspect of SMTP-AUTH is rarely used on the Internet. The recipient of an e-mail message cannot tell whether the sender was authenticated, so use of SMTP-AUTH is only a very partial solution to the problem of spam.
While SMTP-AUTH is generally a security improvement over unauthenticated SMTP, it can also introduce a weakness. If authenticated users are allowed to submit messages from IP addresses where unauthenticated users are not — that is, if authenticated users are allowed to relay mail — then an attacker who subverts one user's account is then able to use the authenticated server as an open mail relay. Thus, in such a configuration, every user's password becomes a key to the mail system's security. Spammers have attacked SMTP-AUTH mail servers by bruteforcing common usernames and passwords. A good password policy can effectively prevent such an attack.
- CRAM-MD5 (a SASL mechanism for ESMTPA) RFC 2195
- Simple Authentication and Security Layer (SASL) RFC 4422
- Simple Mail Transfer Protocol (SMTP) RFC 2821
- RFC 4954 - SMTP Service Extension for Authentication (obsoletes RFC 2554 )
- RFC 3848 - SMTP and LMTP Transmission Types Registration (with ESMTPA)
- RFC 4409 - Message Submission for Mail (obsoletes RFC 2476 )
- Negotiating an SMTP AUTH Mechanism (examples)