SMTP Authentication
Introduction
SMTP stands for Simple Mail Transfer Protocol and is a basic protocol for sending mail from a client to a server or from one server to another. Machines that follow this protocol do not usually use authentication when exchanging mail. The protocol does allow for it, however, and authentication helps to verify that an e-mail message really comes from the address found in the e-mail "From:" field.
One of the advantages of requiring SMTP authentication is that it reduces the introduction of spam onto one's network. When SMTP authentication is enabled, all systems attempting to pass mail to the mail server are required to authenticate with known credentials. Any system unable to produce legitimate credentials, or with incorrect credentials, has its mail rejected. Spammers typically lack credentials within a receiving network, and thus the mail they attempt to send is rejected.
As a part of our continuing effort to reduce spam on the UCR network, Computing & Communications is currently in the process of configuring UCR's e-mail servers to require authentication from all clients connecting from outside of the UCR network. This will prevent spammers from "spoofing", that is, illegitimately using an @ucr.edu e-mail address in the "From:" field, in attempts to bypass other anti-spam measures. Since virtually all forged @ucr.edu e-mail comes from off-campus, requiring authenticated SMTP for off-campus connections should result in a significant decrease in spam.
How it Works
When an individual wishes to send mail, she typically uses an e-mail client, such as Microsoft Outlook, Eudora, or Thunderbird. She composes the e-mail in the client, and then hits "Send". The client has already been configured with an SMTP server to which it hands outgoing mail. When SMTP authentication is required on the SMTP server, the client initiates a connection with the server, and then is immediately asked for credentials authorizing the transfer of mail. If the client possesses such credentials, they are passed to the mail server and checked against a database. If the credentials are legitimate, the client is authenticated and can proceed to pass the e-mail to the server. If the credentials are not found or do not match any within the database, the client is rejected and the connection is terminated without the e-mail being sent.
When a spammer wishes to spoof an internal e-mail address in order to send spam to the UCR network, he composes a spam e-mail using an @ucr.edu address for the "From:" field, and hundreds or thousands of UCR e-mail addresses in the To: or CC: field. When he connects to the UCR e-mail servers to send his mail, his credentials are requested in the same way as above. Since he has no valid UCR credentials, he cannot enter them, and his connection with the server is terminated, without the spam e-mails ever reaching UCR's network.
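The exchange described above can be modelled as a small server-side state machine. This is an added example, not UCR's server configuration: the campus address range, the account, the host name mail.example.edu and the choice of the AUTH PLAIN mechanism are assumptions made for illustration, and the reply codes follow RFC 4954.

```python
import base64
import hmac
import ipaddress

# Constructed values: documentation address range and a made-up account.
CAMPUS_NET = ipaddress.ip_network("192.0.2.0/24")
USERS = {"jdoe": "correct horse battery"}

def plain_blob(user, password):
    """Client side: AUTH PLAIN argument, base64 of NUL + user + NUL + password."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()

class SmtpSession:
    """Server side: decides, per connection, which commands are accepted."""
    def __init__(self, client_ip):
        self.on_campus = ipaddress.ip_address(client_ip) in CAMPUS_NET
        self.authenticated = False
        self.closed = False

    def handle(self, line):
        """Return the server's reply to one client command line."""
        if self.closed:
            return "421 4.3.0 Connection closed"
        verb, _, arg = line.strip().partition(" ")
        if verb.upper() == "EHLO":
            return "250-mail.example.edu\r\n250 AUTH PLAIN"
        if verb.upper() == "AUTH":
            return self._auth(arg)
        if verb.upper() == "MAIL":
            # Off-campus clients must authenticate before handing over mail.
            if not (self.on_campus or self.authenticated):
                return "530 5.7.0 Authentication required"
            return "250 2.1.0 Sender OK"
        return "502 5.5.1 Command not implemented"

    def _auth(self, arg):
        mech, _, blob = arg.partition(" ")
        if mech.upper() != "PLAIN":
            return "504 5.5.4 Unrecognized authentication type"
        try:
            _, user, password = base64.b64decode(blob, validate=True).split(b"\0")
            expected = USERS.get(user.decode(), "").encode()
        except ValueError:  # bad base64, wrong field count, or bad UTF-8
            return "501 5.5.2 Cannot decode credentials"
        # Constant-time comparison; unknown users never match.
        if hmac.compare_digest(password, expected) and expected:
            self.authenticated = True
            return "235 2.7.0 Authentication successful"
        self.closed = True  # as described above: rejected clients are disconnected
        return "535 5.7.8 Authentication credentials invalid"
```

AUTH PLAIN sends the password merely base64-encoded, so a real deployment offers it only after the connection has been protected with TLS.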
Effects on the UCR Community
Users on UCR's network will be unaffected by the authentication enabled on UCR's SMTP servers. However, users attempting to send UCR e-mail from off the campus network, whether from home, the road, or on a portable device such as a Treo or Windows Mobile device, will be affected by the change. Computing & Communications recommends different changes, depending on the type of user. Please click on one or more of the links below to learn about the changes you will need to make to continue sending e-mail:
- Home or road (desktop or laptop) users click here
- Handheld portable device (Treo or Windows Mobile) users click here
The addition of authentication to UCR's SMTP servers does require changes for those attempting to send mail from off campus, and Computing & Communications is committed to making the transition as painless as possible. If you have any difficulty with the instructions linked above, or have any further questions, please e-mail Phyllis Bruce (phyllis.bruce@ucr.edu), Manager, Microcomputer Support Group, or contact the Helpdesk at x23555.
