P1: JsY JWBS001A-60.tex WL041/Bidgoli WL041-Bidgoli.cls May 12, 2005 3:27 Char Count= 0 SMTP (Simple Mail Transfer Protocol) Vladimir V. Riabov, Rivier College Introduction 1 SMTP Security Issues 12 SMTP Fundamentals 1 SMTP Vulnerabilities 12 SMTP Model and Protocol 2 SMTP Server Buffer Overflow Vulnerability 15 User Agent 4 Mail Relaying SMTP Vulnerability 15 Sending e-Mail 4 Mail Relaying SMTP Vulnerability in Microsoft Mail Header Format 4 Windows 2000 15 Receiving e-Mail 4 Encapsulated SMTP Address Vulnerability 15 The SMTP Destination Address 4 Malformed Request Denial of Service 16 Delayed Delivery 4 Extended Verb Request Handling Flaw 16 Aliases 5 Reverse DNS Response Buffer Overflow 16 Mail Transfer Agent 5 Firewall SMTP Filtering Vulnerability 16 SMTP Mail Transaction Flow 5 Spoofing 16 SMTP Commands 6 Bounce Attack 16 Mail Service Types 6 Restricting Access to an Outgoing Mail SMTP Service Extensions 8 Server 17 SMTP Responses 8 Mail Encryption 17 SMTP Server 8 Bastille Hardening System 17 On-Demand Mail Relay 8 POP and IMAP Vulnerabilities 17 Multipurpose Internet Mail Extensions Standards, Organizations, and (MIME) 8 Associations 18 MIME-Version 10 Internet Assigned Numbers Authority 18 Content-Type 10 Internet Engineering Task Force Working Content-Transfer-Encoding 10 Groups 18 Content-Id 11 Internet Mail Consortium 18 Content-Description 11 Mitre Corporation 18 Security Scheme for MIME 11 Conclusion 18 Mail Transmission Types 11 Glossary 18 Mail Access Modes 11 Cross References 19 Mail Access Protocols 11 References 19 POP3 11 Further Reading 22 IMAP4 12 INTRODUCTION and IMAP4), SMTP software, vulnerability and security issues, standards, associations, and organizations. Electronic mail (e-mail) is one of the most popular net- work services nowadays. Most e-mail systems that send mail over the Internet use simple mail transfer protocol SMTP FUNDAMENTALS (SMTP) to send messages from one server to another. The SMTP is used as the common mechanism for transporting messages can then be retrieved with an e-mail client us- electronic mail among different hosts within the transmis- ing either post office protocol (POP) or Internet message sion control protocol/Internet protocol (TCP/IP) suite. It is access protocol (IMAP). SMTP is also generally used to an application layer protocol. Under SMTP, a client SMTP send messages from a mail client to a mail server in “host- process opens a TCP connection to a server SMTP process based” (or Unix-based) mail systems, where a simple mbox on a remote host and attempts to send mail across the con- utility might be on the same system [or via Network File nection. The server SMTP listens for a TCP connection on System (NFS) provided by Novell] for access without POP a specific port (25), and the client SMTP process initiates or IMAP. a connection on that port (Cisco SMTP, 2005). When the This chapter describes the fundamentals of SMTP, el- TCP connection is successful, the two processes execute ements of its client–server architecture (user agent, mail a simple request–response dialogue, defined by the SMTP transfer agent, ports), request–response mechanism, com- protocol (see RFC 821 for details), in which the client pro- mands, mail transfer phases, SMTP messages, multi- cess transmits the mail addresses of the originator and purpose internet mail extensions (MIME) for non-ASCII the recipient(s) for a message. When the server process (American Standard Code for Information Interchange) accepts these mail addresses, the client process transmits data, e-mail delivery cases, mail access protocols (POP3 the e-mail instant message. The message must contain a 1 P1: JsY JWBS001A-60.tex WL041/Bidgoli WL041-Bidgoli.cls May 12, 2005 3:27 Char Count= 0 2 SMTP (SIMPLE MAIL TRANSFER PROTOCOL) message header and message text (“body”) formatted in user-mailing program, however, it is often simpler to re- accordance with RFC 822. fer to the client as the sender-SMTP and to the server as Mail that arrives via SMTP is forwarded to a remote the receiver-SMTP. server, or it is delivered to mailboxes on the local server. An SMTP-based process can transfer electronic mail POP3 or IMAP allow users download mail that is stored to another process on the same network or to another on the local server. Most mail programs such as Eudora network via a relay or gateway process accessible to both allow the client to specify both an SMTP server and a networks (Sheldon, 2001). An e-mail message may pass POP server.On UNIX-based systems, Sendmail is the most through a number of intermediate relay or gateway hosts widely used SMTP server for e-mail. Sendmail includes a on its path from a sender to a recipient. A simple model of POP3 server and also comes in a version for Windows NT the components of the SMTP system is shown in Figure 1. (“What is SMTP?”, 2005). The MIME protocol defines the Users deal with a user agent (UA). Popular user way files are attached to SMTP messages. Microsoft Out- agents for UNIX include Berkeley Mail, Elm, MH, Pine, look and Netscape/Mozilla Communicator are the most and Mutt. The user agents for Windows include Mi- popular mail-agent programs on Window-based systems. crosoft Outlook/Outlook Express and Netscape/Mozilla The X.400 International Telecommunication Union Communicator. The exchange of mail using TCP is per- standard (Tanenbaum, 2003) that defines transfer pro- formed by an MTA. The most common MTA for UNIX tocols for sending electronic mail between mail servers systems is Sendmail, and MTA for Windows is Mi- is used in Europe as an alternative to SMTP. Also, the crosoft Exchange 2000/2003. In addition to stable host- message handling service (MHS) developed by Novell is based e-mail servers, Microsoft Corporation has devel- used for electronic mail on Netware networks (“What is oped LDAP/Active-directory servers and B2B-servers that SMTP?”, 2005). enhance mail-delivery practices. Users normally do not deal with the MTA. It is the responsibility of the system SMTP MODEL AND PROTOCOL administrator to set up the local MTA. Users often have a The SMTP model (RFC 821) supports both end-to-end choice, however, for their user agent (Stevens, 1993). The (no intermediate message transfer agents [MTAs]) and MTA maintains a mail queue so that it can schedule re- store-and-forward mail delivery methods. The end-to-end peat delivery attempts in case a remote server is unable. method is used between organizations, and the store-and- Also the local MTA delivers mail to mailboxes, and the forward method is chosen for operating within organiza- information can be downloaded by the UA (see Figure 1). tions that have TCP/IP and SMTP-based networks. The RFC 821 standard specifies the SMTP protocol, A SMTP client will contact the destination host’s SMTP which is a mechanism of communication between two server directly to deliver the mail. It will keep the mail MTAs across a single TCP connection. The RFC 822 stan- item from being transmitted until it has been success- dard specifies the format of the electronic mail message fully copied to the recipient’s SMTP. This is different from that is transmitted using the SMTP protocol (RFC 821) the store-and-forward principle that is common in many between the two MTAs. As a result of a user mail re- other electronic mailing systems, where the mail item may quest, the sender-SMTP establishes a two-way connection pass through a number of intermediate hosts in the same with a receiver-SMTP. The receiver-SMTP can be either network on its way to the destination and where success- the ultimate destination or an intermediate one (known ful transmission from the sender only indicates that the as a mail gateway). The sender-SMTP will generate com- mail item has reached the first intermediate hop (“Simple mands, which are replied to by the receiver-SMTP (see Mail Transfer Protocol” [SMTP], 2004). Figure 1). The RFC 821 standard defines a client–server protocol. Both the SMTP client and server should have two ba- The client SMTP is the one, which initiates the session sic components: UA and local MTA. There are few cases of (that is, the sending SMTP) and the server is the one that sending electronic-mail messages across networks. In the responds (the receiving SMTP) to the session request. Be- first case of communication between the sender and the cause the client SMTP frequently acts as a server for a receiver across the network (see Figure 1), the sender’s UA Client Message User Queue of mail User at a terminal Transfer Agent to be sent Agent Sender TCP Connection SMTP commands, replies and mail TCP Port 25 Message User User User at a terminal Transfer Agent Mailboxes Agent Receiver Server Figure 1: The basic simple mail transfer protocol (SMTP) model. P1: JsY JWBS001A-60.tex WL041/Bidgoli WL041-Bidgoli.cls May 12, 2005 3:27 Char Count= 0 SMTP MODEL AND PROTOCOL 3 Sending Host User at a terminal User Queue of mail Agent to be sent One Organization Local Local Local MTA MTA MTA Relay Queue of mail MTA SMTP commands, Across the Internet replies and mail Relay Queue of mail MTA Local Local Local MTA MTA MTA Another Organization User User Agent Mailboxes User at a terminal Receiving Host Figure 2: The simple mail transfer protocol (SMTP) model with relay mail transfer agents. prepares the message, creates the envelope, and puts mes- the use of an e-mail gateway, which is a relay MTA that sage in the envelope. The MTA transfers the mail across can receive electronic mail prepared by a protocol other the network to the TCP-port 25 of the receiver’s MTA.