Tuesday, November 23, 2010

Why the SMTP service requires a list of From Addresses when using SMTP Authentication

12/6/10 - IMPORTANT UPDATE - As of December 6, 2010, the SMTP service NO LONGER requires a list of From Addresses when using SMTP Authentication. You can disregard this blog post, which was originally written on November 23, 2010. If you're interested in a bit of JangoSMTP history though, then feel free to read on!

There are two ways to authenticate into to the JangoSMTP service:
  1. By IP Address of the connecting application
  2. By SMTP authentication with username and password, also known as SMTP-AUTH. This, coupled with a specified From Address allows you to send an email through the SMTP server.
We are often asked why in the latter case it is necessary to specify a From Address. Why is it not enough to authenticate with username and password for an email message to be validated for a particular account?

Some might guess that it's a security issue, to prevent a flood of unauthorized emails being relayed through a user account should the username and password become compromised or end up in the wrong hands.

It's actually not a security issue, but an architectural limitation of the SMTP service that we will soon be fixing. An explanation of this architectural limitation, for interested readers, is below.

The basic limitation is that SMTP username/password authorization is done at the SMTP-transmission level, and once the email arrives, there is nothing inside the email message to indicate what SMTP username was used to allow the email to arrive in the first place. Hence, the system has to key off the From Email Address.

The steps JangoSMTP takes when an email is relayed to the SMTP server are:

  1. At the SMTP level, the email is authenticated by connecting IP address or by SMTP-AUTH. The email must conform one of those two checks in order to arrive. Otherwise, the email will be rejected at the SMTP level with a "we do not relay" error after the RCPT-TO command during the SMTP transaction.
  2. Once the email has arrived, a secondary process analyzes the email file in order to determine to what user account it belongs. First, the connecting IP address, which is present at the top of the file in the "Received" line is matched against IP addresses specified in user accounts, and if a match is found, the email is determined to be of that user account. If there's no match, then the assumption is made that the email arrived via SMTP-AUTH and not by IP Address Authentication. In this case, however, there is nothing in the email file that indicates what SMTP username/password were used to transmit the email message, since the SMTP username/password authentication is done during the SMTP level message transmission. No header within the email file contains the SMTP-AUTH information. It is for this reason that the process must rely on the From Address to determine to what user account the email belongs.

  3. If it cannot be determined to what user account an email message belongs, it is discarded. If it can be determined, then the process continues with the next step.
  4. Next the email message is passed to a web service, where it is disassembled and reassembled order to add open tracking, click tracking, DKIM signing, and other mechanics that JangoSMTP supports.
  5. Lastly the web service passes the email message to an email sending server in order for final transmission to the email recipient.
Fortunately, this will soon change. We are having the SMTP listener modified such that it will write an X-header to the email message containing the SMTP-AUTH username if it was transmitted via SMTP-AUTH. This will allow our process to then key off of the account username to identify a matching user account, rather than having to key off of the From Address. Once this is in place, it will no longer be necessary to specify From Addresses when using the SMTP service.