No announcement yet.

SMTP Authenticaion

  • Filter
  • Time
  • Show
Clear All
new posts

  • SMTP Authenticaion

    I'd have expected by now that all servers would require SMTP Authentication to prevent unauthorized users from sending emails, but I know of a few servers which do NOT require SMTP authentication.

    Does anyone have insight as to why any email server would not require SMTP Authentication?

    I discussed it with tech support at one server I know does not require SMTP Authentication and he was surprised to hear it - told me thanks and that his folks would close that option ASAP!

  • #2
    Somewhere - I can't find it now - I thought I read where some servers can go through an IP address recognition process, where after that SMTP Authentication is no longer required from the address.

    I can't swear that's exactly what it said, but I am certain that it spoke of a way to allow sending email without SMTP Authentication each time an email was sent.


    • #3
      FYI - I ran across a company called SMTP2GO who advertises themselves as an SMTP server that does not require authentication. It mentions an IP address authorization approach but apparently has other workarounds for SMTP Authentication as well.

      Many devices have a need to send emails through an SMTP server.

      The problem that many people face is that some of these devices do not have any place in their settings to enter an SMTP username or password — otherwise known as SMTP authentication. In order to get these devices to work, you need an SMTP that can work with no authentication.

      SMTP2GO provides an SMTP server that doesn’t require authentication, and can thus be used by these devices (routers, webcams, faxes, printers, security devices, storage devices etc.)
      I'm not advertising the service, just noting that non-SMTP-authentication servers must be hard to come by, for someone to create a company around the need.


      • #4
        It's not unusual for an ISP (Internet service provider) to allows non-SMTP-authentication via the IP address they control. After all they know which client was using an IP at what time, and the same server will also allow authenticated emails from IP's they don't control.

        In the early days of the Internet most SMTP server were open relays, they allowed anyone to use their server regardless of the IP it came from.
        Mass email advertisement (spam) and viruses forced all SMTP Server providers to reconsider, free usage.

        Now in this time and age where we have multiple devices, multiple Emails from different providers, SMTP Authentication is necessary. Since you may be sending emails via an IP controlled by a different ISP. But if your within your ISP's environment it may still work without Authentication. But it is becoming less common.


        • #5
          Gary, your quote leaves out an important addition:

          To use SMTP2GO with no SMTP authentication, you need to contact our Support team, as this feature is now available on a request-only basis. Alternatively, you can authorize an IP address to be allowed to send (if you will always send from a fixed IP address) from the Settings > IP Authentication page in your SMTP2GO control panel.
          I'm still not sure how they manage to a) allow SMTP without (any kind of) authentification and b) at the same time prevent spammers from abusing that as an open relay. Because: port scanning for a listening SMTP server is trivial and happens all the time, which anyone runnning its own public-facing email server can attest to, from looking at the firewall/mail server logs.

          I can only assume, as they're mention hardware (printers, routers etc.) that may have the need to use an SMTP servers without auth, that they are able to add a couple of restrictions like certain rececpients only, specifically crafted subject lines or some such precautions.


          • #6
            SMTP must be able to allow unauthenticated traffic otherwise one server couldn't relay a message from their client to your server and down to you. Securing the server from unauthorized emails is a completely different issue...
            Sr. Software Development Engineer and Sr. Information Security Analyst,
            CEH, Digital Forensic Examiner


            • #7
              To put a finer point on it, SMTP servers have to accept mail without authentication for domains they process mail for, otherwise, mail could never be delivered. On the other side of the coin, an SMTP server should require authentication for messages that are relayed to other domains. It is not uncommon for a business to have an internal SMTP server that allows e-mail to be sent by process control devices, etc.
              Real programmers use a magnetized needle and a steady hand