An extension to the venerable SMTP protocol, described by RFC 2554, which allows untrusted internet hosts to relay mail through a mailserver after a successful challenge-response.


The problem:

Without AUTH, a typical SMTP server (eg the kind your ISP probably provides to let you send your email) will not let machines outside the ISP send emails. This means you can't, for example, send mail through your normal SMTP server while you are travelling, or just using a different ISP.


The solution:

RFC 2554 (interestingly only filed in March 1999) adds authentication to the SMTP session, so that you can relay your messages from anywhere after providing your username and password (typically the same ones you use to retrieve your POP3 mail).
It allows both secure authentication (eg 'CRAM-MD5') and insecure plaintext.
Most mail tools support it automatically. For example in Netscape 6/Mozilla, it's disguised as the option 'always supply username and password' under 'outgoing mail server'.


Take a look at it!

If you're sufficiently bored, you can watch AUTH at work:
  • Telnet to a mailserver on port 25.
  • Type 'EHLO your.host.name'
  • One of the lines it spits back at you should list the kinds of AUTH supported, eg:
    250-AUTH SCRAM-MD5 LOGIN CRAM-MD5 NTLM
  • Type 'AUTH CRAM-MD5' (or another style)
  • Hit enter a few times, and giggle at the random ASCII challenge stuff it's sending you.
  • That's it. (I don't know how to authenticate by hand yet - I believe even the plaintext is encoded base64, which is a pain for this example.)
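
What a mail client does with that challenge, as an added example (not part of the original write-up): the CRAM-MD5 reply defined in RFC 2195, next to the base64-only encoding that AUTH LOGIN uses. The username, password and challenge are the sample values from RFC 2195, not a real account; the function names are made up for this illustration.

```python
import base64
import hashlib
import hmac


def decode_challenge(challenge_b64: str) -> str:
    """The 'random' text after '334 ' is base64; decoded it is a one-time string."""
    return base64.b64decode(challenge_b64).decode()


def cram_md5_response(username: str, password: str, challenge_b64: str) -> str:
    """Build the client's reply to a CRAM-MD5 challenge (RFC 2195)."""
    challenge = base64.b64decode(challenge_b64)
    # The password itself is never sent: it keys an HMAC-MD5 over the challenge.
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    # The reply is base64 of: username, a space, the hex digest.
    return base64.b64encode(f"{username} {digest}".encode()).decode()


def login_step(value: str) -> str:
    """AUTH LOGIN sends the username, then the password, each only base64-encoded."""
    return base64.b64encode(value.encode()).decode()


def recover_login_step(captured_b64: str) -> str:
    """What anyone who can read the session gets back from an AUTH LOGIN line."""
    return base64.b64decode(captured_b64).decode()


# Sample values from the worked example in RFC 2195 (not a real account).
USER = "tim"
PASSWORD = "tanstaaftanstaaf"
CHALLENGE = "PDE4OTYuNjk3MTcwOTUyQHBvc3RvZmZpY2UucmVzdG9uLm1jaS5uZXQ+"

if __name__ == "__main__":
    print("S: 334", CHALLENGE)
    print("   decoded:", decode_challenge(CHALLENGE))
    print("C:", cram_md5_response(USER, PASSWORD, CHALLENGE))
    wire = login_step(PASSWORD)
    print("AUTH LOGIN password on the wire:", wire)
    print("recovered by an observer:       ", recover_login_step(wire))
```

Because the server issues a fresh challenge each session, a captured CRAM-MD5 reply cannot simply be replayed, whereas a captured AUTH LOGIN line decodes straight back to the password.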



Stay tuned to find out how to set this up with exim forwarding to a smart host on a different network (as soon as I figure the silly thing out!)