SMTP authentication can significantly increase the security of your SMTP server. Once the authentication procedure is configured, only reliable SMTP users or clients will be able to send emails.
What is SMTP authentication?
SMTP authentication, often abbreviated as SMTP-Auth or ASMTP, is a extension of Extended SMTP (ESMTP), which itself is an extension of the SMTP network protocol. It allows an SMTP client to connect to an SMTP server using an authentication mechanism. Thus, only the trusted users can send emails over the network and transfer them via the server. Log data can also be used to determine who used the server as an SMTP relay.
Why does SMTP-Auth exist?
The purpose of SMTP-Auth is toprevent an SMTP server from being used as “Open Mail Relay” to distribute spam on the network. Of course, the situation today is far from being as critical as before, but we still regularly come across servers with open relay for which no SMTP authentication is in place. This is sometimes the result of the carelessness of inexperienced administrators who temporarily open their server for testing purposes. More often the problem comes from misconfigured firewalls and external security applications.
Open email relays are usually identified as such after a few days or even hours. They then find themselves on the blacklists, the consequences of forgoing SMTP authentication should not be underestimated. As a result, server owners face a significant increase in traffic due to the popularity of open mail servers for spam. This damages their reputation and requires additional time effort. These problems also have a financial cost. It is precisely for this reason that almost all mail servers today use ESMTP in combination with ASMTP (Extended SMTP with SMTP authentication).
How does ASMTP work?
An essential feature of ASMTP is that emails are accepted via TCP port 587 (the SMTP-Auth-Port) instead of the traditional TCP port 25, which is the mandatory base for ESMTP. The protocol essentially contains a selection of authentication mechanisms with different security levels that an SMTP server can use depending on its configuration to check the reliability of an SMTP client.
These include, but are not limited to, the following:
-
PLAIN: a authentication using client username and password. Both are transmitted in the clear and encoded in the Base64 character set. -
LOGIN: works likePLAINbut the Base64 codes for username and password are passed in two steps instead of one. -
CRAM-MD5: a alternative toPLAINAndLOGINwith a higher level of security according to the principle challenge-response. With this mechanism, the password is not transmitted to the server in clear text or code. Instead, the server gives the client some kind of arithmetic problem that can only be solved using the password. - Other mechanisms are also proposed: GSSAPI, DIGEST-MD5, MD5, OAUTH10A, OAUTHEBEARER, SCRAM-SHA-1 and NTLM.
Here is an example of authentication via LOGIN:
| Part | ESMTP Commands and Status Codes | Explanation |
|---|---|---|
| Server: | 220 smtp.server.com ESMTP Postfix + | Once the connection is established, the SMTP server responds |
| Customer: | EHLO relay.client.com | The SMTP client connects with its host name and queries the server’s ESMTP support via the “EHLO” command |
| Server: | The server confirms the login and therefore also that it is compatible with ESMTP (if this is not the case, it continues with “HELO” thanks to the backward compatibility of SMTP); The server then offers the client a choice of authentication mechanisms | |
| Customer: | AUTH LOGIN | The client selects the LOGIN authentication mechanism |
| Server: | 334 VXNlcm5hbWU6 | The server asks for the sender’s username with the Base64 code for “Username:” |
| Customer: | TWF4IE11c3Rlcm1hbm4= | The client responds in Base64 code with “John Doe” |
| Server: | 334 UGFzc3dvcmQ6 | The server requests the sender’s password via Base64 code |
| Customer: | SWNoYmlua2VpblNwYW1tZXI= | The client responds with the Base64 code for the password. In this example it is “Imnotaspammer” |
| Server: | 235 OK | The server confirms the authentication. Email transmission via SMTP begins. |
How to configure SMTP authentication?
In most email clients, SMTP authentication is usually configured automatically when a new account is created. If that doesn’t work, you may need to help manually. Below are instructions for setup in Gmail, Outlook and IONOS Email.
Email address with its own domain name!
Create a personalized address and show your seriousness on the Internet with a domain name included!
Professional
Secure
24/7 support
Configure SMTP-Auth in Outlook
- Click on ” Account settings “ in the menu ” File “.
- Select your account and click ” To modify “.
- Click on “Other settings” in the window that opens.
- Go to the Outgoing Mail Server tab and select the option “Outgoing mail server (SMTP) requires authentication”.
- Check the box “Use the same settings as for the incoming mail server”.
- Confirm with ” OK “. The window closes.
- Click “Next”. Outlook will now check the new account settings. Once the test is complete, click “Close”.
- Click “Finish” then “Close”.
Microsoft 365 users can also enable SMTP authentication in the 365 admin center or through Windows PowerShell.
Configure SMTP-Auth in Gmail
If you connect your Gmail address to a desktop client, you can also enable SMTP authentication:
- Log in to your Gmail account.
- Press on ” Settings “ and select “Show all settings”.
- Switch to tab “Redirection & POP/IMAP”.
- You can now click on the link ” More information “ under “POP Download” or “IMAP Access”.
- You will finally be redirected to the configuration instructions, where you will find among other things all the information about the outgoing mail server (SMTP), therefore also SMTP authentication.
Configure SMTP-Auth for IONOS Email
For IONOS Email users, SMTP authentication is automatically enabled. If you configure IONOS Email in your desktop client of choice, you can also easily set up SMTP-Auth. You will find the corresponding settings, including the SMTP Auth Port, in the customer area by following the following instructions:
- Log in to your IONOS customer account via the official login page.
- In the product overview, select the service IONOS Email.
- Then click on the desired IONOS Email package and select email address for which you want to configure SMTP authentication.
- Tap the menu option “Mail server information (POP, IMAP)”.
- You will then find all the information necessary for the email address configuration, including SMTP authentication.
With your own email server at IONOS, you benefit from an individual professional domain and you also have total control over your emails, in an encrypted and secure manner!
How to test SMTP-Auth?
You can use the Telnet client to check whether a mail server is used as an open relay or whether SMTP-Auth is working correctly (for example, if you configure your own mail server). This solution is also used by some spammers to manually locate open email relays. SMTP and ESMTP are purely text-based protocols, which is why you can also start and run a client-server session manually.
The Telnet client is available on all common operating systems and can be opened by default using the term “telnet”. On Windows versions from Vista onwards, the client must first be installed or activated in the control panel. All you need is your username and password in Base64 codewhich you can get from websites such as base64encode.net.
You can also perform the SMTP authentication test using external web tools such as SMTP Diagnostic of MxToolbox :
- Open SMTP Diagnostic.
- enter the address of the SMTP server or any email address using the SMTP server in the input field.
- Press on ” Testing Email Server “.
- After a few moments, you obtain a list with the most important information, in particular concerning SMTP authentication: the line “ SMTP Open Relay » tells you whether authentication is enabled or not.
