[nos-bbs] SMTP Gateway

Robert Thompson robertt.thompson at gmail.com
Tue Jun 30 23:41:33 EDT 2009


Hopefully this will be useful for figuring out why SMTP sometimes fails even
though you have full pingability. Since not every server on the internet
obeys good practices, it is likely you will sometimes have success even when
some of the rules below are broken... just don't count on it. Of course,
none of this applies when the mail is handled only by amateur systems
end-to-end ;-)

I do apologize for the style in which this is written. I just got done with
a fairly large research document for my boss (I manage the network for a
private university) and it looks like I'm stuck in that style and tone for a
while. Hopefully it'll wear off soon...

Current internet SMTP policies are generally similar to the following:

SMTP connections on port 25 are accepted and processed only from mail
servers (not end-user agents, see further down).

Additionally, if the port 25 traffic is neither from nor to an address that
the server is responsible for (or in its list of valid relay domains), the
message will be dropped. Sometimes this happens silently, other times the
SMTP server will reject the message. Sometimes, the SMTP server will start
rejecting ALL subsequent SMTP commands on this connection.

If the port 25 traffic is not coming from an IP listed as an authoritative
mail server (MX/SPF-specified) for the message From address, it will often
drop it. Same possible behaviors as above.

Various other antispoof operations will take place, and unless the jnos box
sending the email is legitimately responsible for the domain of the smtp
from address (stuff like having correct MX and SPF records pointing to its
internet-visible IP), it will correctly be detected as an attempt to spoof a
message and rejected. The fact that it is a "legitimate" spoof doesn't
really matter. See http://en.wikipedia.org/wiki/E-mail_spoofing

Technically, SMTP is a server-to-server transport protocol, not a
user-to-server submission protocol. While it has been used to do both jobs
for many years, this is the weakness that led to the booming industry of
unsolicited commercial email. As such, open relays are actively shut down or
blackholed. http://en.wikipedia.org/wiki/Open_relay

Best-practices user-to-mailserver mail submission is now done in compliance
with RFC4409 over port 587. This SUBMISSION protocol is effectively ESMTP
but with some usage restrictions. Mainly these restrictions are that the
mail server must reject MAIL FROM until an SMTP AUTH has been accepted and
that it must only accept mail where the from address is from one of the
domains it controls. Additionally it SHOULD make sure the AUTHed user is
authorized to send mail from that particular address, but this isn't always
enforced.
Since there are few SMTP AUTHs that are safe as plaintext, this means that
it is common to require a STARTTLS crypto session before accepting any SMTP
AUTH, thus requiring crypto to submit any email.

So, if you are sending a message from hamguy at example.org, and the
internet-visible IP of your JNOS box is NOT that of example.org and is NOT
pointed to by a MX or SPF record for example.org, many internet servers will
reject mail sent by your JNOS box. If appropriate, you can make the JNOS box
legitimately responsible for example.org. Otherwise, you could have the JNOS
box speak SMTP over port 587 to the real example.org machine, which would then
pass the message on like any other message.
Or, to put it more simply, if JNOS is "acting like" a user submitting an
email to the mail server, port 587 submission is usually needed. If JNOS is
being a legitimate mail relay for a domain, it will speak port 25 SMTP to
the recipient's MX host and it should be identified as a legitimate relay
for that domain in the domain's SPF record. No other configurations are
guaranteed (or increasingly, likely) to work on the public internet.

Any mail that doesn't pass through the servers responsible for its
from-address domain is technically spoofed. The ever-increasing anti-spam
efforts doom all such mail to eventual rejection even if it sometimes works
today. Any email server that accepts and forwards an email from random IPs
when the mail's from-address is not in its own mail domain is an open
relay and will usually be blacklisted as such. Most serious mail domains
will ignore all mail from blacklisted servers.

References:
http://en.wikipedia.org/wiki/Mail_submission_agent (covers the difference
between MSA and MTA as well as some details of the RFC4409 SMTP submission
protocol)
http://en.wikipedia.org/wiki/Sender_policy_framework (covers SPF records,
how they work, and why they exist)
http://en.wikipedia.org/wiki/Extended_SMTP (the current mandated form of
SMTP)
http://en.wikipedia.org/wiki/CRAM-MD5 (the only commonly available SMTP AUTH
method usable without TLS crypto security. Uses hashing, not encryption, so
should be legal over amateur links.)

On Sun, Jun 28, 2009 at 12:47, Barry <k2mf at ptd.net> wrote:

> On Sat, 27 Jun 2009 16:01:30 +0000 (GMT), doug at kalish.com
> wrote:
>
> > I'm having trouble with the smtp gateway:
> >
> > (Set up gateway and ping it)
> > jnos> smtp gateway smtp.gmail.com
> > jnos> smtp trace 3
> > jnos> ping smtp.gmail.com
> > jnos> Resolving smtp.gmail.com... 209.85.147.109: rtt 40
> >
> > (Send a message to doug at kalish.com)
> > jnos> queue job 432 From: ka3l at sceast.ampr.org To: doug at kalish.com
> > Trying Connection to 209.62.105.13
> > SMTP client Trying...
> > smtp sent: QUIT
> >
> > (smtp is trying to connect to kalish.com, not smtp.gmail.com)
> > jnos> ping kalish.com
> > jnos> Resolving kalish.com... 209.62.105.13: rtt 63
> >
> > Help please.
> >
> > Doug KA3L
>
> Very few internet providers permit connections to port 25 off
> their "premises".  This is done to reduce spam and there is
> very little, if anything, you can do about it without drawing
> attention to yourself.
>
> You will need to find an SMTP "gateway" server that permits
> SMTP connections from 44-net and then actually connect to it
> from a 44-net SMTP client that is *behind* your gateway.  You
> will likely also need to use a SAFE (source address filter
> elimination) tunnel for your packets to the non-ampr internet,
> because if your provider filters outgoing connections to port
> 25, it is also likely they filter outgoing packets which have
> source IP addresses that do not belong to its network.
>
> --
> 73, Barry, K2MF >>
> k2mf at ptd.net
>



-- 
Regards, Robert Thompson

====================================================
~   Concise, Complete, Correct: Pick Two
~   Faster, Cheaper, Better: Pick Two
~   Pervasive, Powerful, Trustworthy: Pick One
====================================================
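The two checks the post describes (the RFC4409 submission rules on port 587, and the SPF check a receiving port-25 MX applies to a relay) as an added, runnable model. This is example code written for this page, not JNOS code and not anything from the post's author; the host names msa.example.org and jnos.ampr.org, the user hamguy with password s3cret, and the SPF records in the test are all constructed for the example. The submission side only records that STARTTLS was issued (no real TLS handshake), and the SPF evaluator handles only the ip4, ip6 and all mechanisms, refusing anything that would need a DNS lookup rather than guessing.

```python
import base64
import ipaddress


def plain_credentials(user, password):
    """Encode an AUTH PLAIN initial response: base64 of NUL user NUL password."""
    return base64.b64encode(("\0%s\0%s" % (user, password)).encode()).decode()


class SubmissionPolicy:
    """Policy state for one client connection to a toy port-587 submission agent.

    Rules as in the post: AUTH only after STARTTLS, MAIL FROM only after AUTH,
    and only for an address the authenticated user owns in a domain this
    server is responsible for.  The TLS handshake is assumed, not performed."""

    def __init__(self, local_domains, users):
        self.local_domains = {d.lower() for d in local_domains}
        self.users = users          # user -> (password, {addresses user may send as})
        self.tls = False
        self.user = None
        self.mail_from = None
        self.transcript = []        # both sides of the exchange, for inspection

    def command(self, line):
        reply = self._handle(line)
        self.transcript += ["C: " + line, "S: " + reply]
        return reply

    def _handle(self, line):
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            offered = "250-AUTH PLAIN" if self.tls else "250-STARTTLS"
            return "250-msa.example.org\r\n" + offered + "\r\n250 OK"
        if verb == "STARTTLS":
            self.tls = True
            return "220 2.0.0 Ready to start TLS"
        if verb == "AUTH":
            if not self.tls:
                return "530 5.7.0 Must issue a STARTTLS command first"
            try:
                _, user, password = base64.b64decode(arg.split()[1]).decode().split("\0")
            except (IndexError, ValueError):
                return "501 5.5.2 Cannot decode AUTH PLAIN response"
            if user in self.users and self.users[user][0] == password:
                self.user = user
                return "235 2.7.0 Authentication successful"
            return "535 5.7.8 Authentication credentials invalid"
        if verb == "MAIL":
            if self.user is None:
                return "530 5.7.0 Authentication required"
            addr = arg.partition(":")[2].strip().strip("<>").lower()
            domain = addr.rpartition("@")[2]
            if domain not in self.local_domains:
                return "553 5.7.1 <%s>: not a domain this server submits for" % addr
            if addr not in self.users[self.user][1]:
                return "553 5.7.1 <%s>: sender address not owned by %s" % (addr, self.user)
            self.mail_from = addr
            return "250 2.1.0 OK"
        if verb == "RCPT":
            return "250 2.1.5 OK" if self.mail_from else "503 5.5.1 Need MAIL command"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "500 5.5.1 Command unrecognized"


def spf_result(record, client_ip):
    """Evaluate an SPF TXT record against the relay's IP (ip4/ip6/all only);
    mechanisms needing DNS raise so a skipped lookup is never read as a verdict."""
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"               # not an SPF record at all
    for term in terms[1:]:
        qual = "+"
        if term[0] in qualifiers:
            qual, term = term[0], term[1:]
        mech, _, value = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return qualifiers[qual]
        if mech in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(value, strict=False):
                return qualifiers[qual]
        else:
            raise NotImplementedError("SPF mechanism %r needs a DNS lookup" % mech)
    return "neutral"                # nothing matched and no 'all' term


def submission_demo():
    """Replay the post's situation and return the reply codes seen."""
    msa = SubmissionPolicy(["example.org"],
                           {"hamguy": ("s3cret", {"hamguy@example.org"})})
    creds = plain_credentials("hamguy", "s3cret")
    script = ["EHLO jnos.ampr.org",
              "MAIL FROM:<hamguy@example.org>",     # 530: not authenticated yet
              "AUTH PLAIN " + creds,                # 530: no STARTTLS yet
              "STARTTLS",
              "AUTH PLAIN " + creds,                # 235
              "MAIL FROM:<hamguy@example.org>",     # 250
              "MAIL FROM:<someone@other.example>",  # 553: not a domain we submit for
              "RCPT TO:<doug@kalish.com>",
              "QUIT"]
    return [msa.command(line)[:3] for line in script]
```

After `submission_demo()` the `transcript` attribute of the session holds both sides of the exchange, which is the quickest way to see why a MAIL FROM issued by a box that has not authenticated (or has authenticated but is using a from address in someone else's domain) is refused. A real MTA would additionally do the TLS handshake, resolve include/a/mx terms, and apply the SPF verdict to the MAIL FROM domain of the relayed message.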