Email Network Security Blog

Authenticated Outbound Email (SMTP-AUTH), “Port 25″ and “Port 587″

ISP’s today are blocking port 25 from their users. This is a good thing. Originally mail servers didn’t distinguish between (SMTP) mail traffic from servers and SMTP mail traffic from users. With the rising use of public networks by spammers, a method was developed to segregate server mail traffic from client mail traffic.

First a brief explanation of what a “port” is and how SMTP works. A “port” is a way to identify sending and receiving application end-points on a host. There are “well-known ports” which servers “listen” on. A client knows to connect to these well-known ports to access specific services (like 25 for SMTP and 80 for HTTP). With SMTP, a “client” sends mail by connecting to port 25 on the SMTP server. It connects to port 25, the protocol negotiation happens, and the mail is sent. One more point to make clear is that in SMTP, the “client” is the sending party and the “server” is the receiving party. It is a bit confusing, but an email server, when sending a mail, is an SMTP “client”.

Historically, any party sending email, whether an email server or a user’s email software, used port 25. They would allow anyone inside their network to send mail through their servers’ port 25 to any external address. However, with the rise of spam, this allowed spammers to connect to these networks and use port 25 to spam the world. By shutting down port 25 to IP addresses on the inside of their network, they can block this.

So how do the users send mail now, with port 25 blocked? Enter SMTP-Auth. SMTP-AUTH is a mechanism whereby SMTP is authenticated, typically with a username/password combination. Many email providers, including Sentinare Messaging Solutions, Inc provide SMTP-AUTH on port 587. You can connect through your ISP to mail.sentinare.com on port 587, authenticate, and send your email.

Good email providers, like Sentinare Messaging Solutions, Inc. also allow SSL/TLS encryption to protect both the username/password combination and the content of the email. Good email providers also restrict the sending address to an address “owned” by the user who authenticates. Generally, this is one of the aliases of which the user receives mail on.

Almost every current email client software package supports SMTP-AUTH and can easily be set up. Typically the username/password combination is the same as for inbound email.