Network Working Group C. Hutzler
Internet-Draft America Online
Expires: November 6, 2005 D. Crocker
Brandenburg InternetWorking
P. Resnick
QUALCOMM Incorporated
R. Sanders
Earthlink, Inc.
Sendmail, Inc.
May 5, 2005
Email Submission Between Independent Networks
draft-hutzler-spamops-04
Status of this Memo
This document is an Internet-Draft and is subject to all provisions
of Section 3 of RFC 3667. By submitting this Internet-Draft, each
author represents that any applicable patent or other IPR claims of
which he or she is aware have been or will be disclosed, and any of
which he or she become aware will be disclosed, in accordance with
RFC 3668.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on November 6, 2005.
Copyright Notice
Copyright (C) The Internet Society (2005).
Abstract
Hutzler, et al. Expires November 6, 2005 [Page 1]
Internet-Draft Email SpamOps May 2005
Email has become a popular distribution service for a variety of
socially unacceptable, mass-effect purposes. The most obvious ones
include spam and worms. This note recommends conventions for the
operation of email submission and transport services between
independent operators, such as enterprises and Internet Service
Providers. Its goal is to improve lines of accountability for
controlling abusive uses of the Internet mail service. Consequently
the document offers recommendations for constructive operational
policies between independent operators of email transmission
services.
The document seeks BCP status. Comments and discussion of this
document should be addressed to the ietf-smtp@imc.org mailing list.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Submission, Relaying, Delivery . . . . . . . . . . . . . . . . 4
4. External Submission . . . . . . . . . . . . . . . . . . . . . 5
5. Message Submission Authentication Technologies . . . . . . . . 6
6. Security Considerations . . . . . . . . . . . . . . . . . . . 7
7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 7
7.1 References -- Normative . . . . . . . . . . . . . . . . . 7
7.2 References -- Informative . . . . . . . . . . . . . . . . 7
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 8
A. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 9
Intellectual Property and Copyright Statements . . . . . . . . 10
Hutzler, et al. Expires November 6, 2005 [Page 2]
Internet-Draft Email SpamOps May 2005
1. Introduction
The very characteristics that make email such a convenient
communications medium -- its near ubiquity, rapid delivery and low
cost -- have made it a fertile ground for the distribution of
unwanted or malicious content. Spam, fraud and worms have become a
serious problem, threatening the viability of email and costing end
users and providers millions of dollars in damages and lost
productivity. In recent years, independent operators including
enterprises and ISPs have turned to a number of different
technologies and processes, in an attempt to combat these problems,
with varying effect and with vastly different impacts on users and on
the Internet mail infrastructure.
Email will often travel between multiple independent providers of
email transmission services, en route to its final destination. They
will generally have no prior arrangement with one another and may
employ different rules on the transmission. It is therefore
difficult both to debug problems that occur in mail transmission and
to assign accountability if undesired or malicious mail is injected
into the Internet mail infrastructure.
This document suggests operational policies that independent
operators of email transmission services may adopt, to assist in
providing continued, smooth operation of Internet email, but with
controls in place to improve accountability. These policies are
appropriate for operators of all sizes and may be implemented by
operators independently, without regard for whether the other side of
an email exchange has implemented them.
It is important to note that the adoption of these policies alone
will not solve the problems of spam and other undesirable email.
However they provide a useful step in clarifying lines of
accountability and interoperability between operators. This will
help raise the bar for abusers, and will pave the way for additional
tools to preserve the utility of the Internet email infrastructure.
2. Terminology
The Internet email architecture distinguishes four message-handling
components:
o Mail User Agents (MUAs)
o Mail Submission Agents (MSAs)
o Mail Transfer Agents (MTAs)
Hutzler, et al. Expires November 6, 2005 [Page 3]
Internet-Draft Email SpamOps May 2005
o Mail Delivery Agents (MDAs)
At the origination end, an MUA works on behalf of end users to create
a message and perform initial "submission" into the transmission
infrastructure, via an MSA. An MSA accepts the message submission,
performs any necessary preprocessing on the message and relays the
message to an MTA for transmission. MTAs relay messages to other
MTAs, in a sequence reaching a destination MDA that, in turn,
delivers the email to the recipient's inbox. The inbox is part of
the recipient-side MUA that works on behalf of the end-user to
process received mail.
These architectural components are often compressed, such as having
the same software do MSA, MTA and MDA functions. However the
requirements for each of these components of the architecture are
becoming more extensive, so that their separation is increasingly
common.
Note: The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in
this document are to be interpreted as described in [RFC2119].
3. Submission, Relaying, Delivery
The MSA, MTA and MDA functions used to be considered as the same set
of functions. This has been reflected in the history of Internet
mail by having MSA, MTA and MDA transfers all be performed with SMTP
[RFC2821] [RFC0821], over TCP Port 25. Internet mail permits email
to be exchanged with no prior arrangement. Hence Port 25 exchanges
occur without sender authentication. That is, the sender is not
necessarily known by the relaying MTAs or the MDA.
It is important to distinguish MUA-to-MSA email submission, versus
MTA relaying, versus the final MTA-to-MDA transmission, prior to MDA-
to-MUA delivery. Submission typically does entail a relationship
between client and server; equally, the MDA can determine that it
will be effecting final delivery and has an existing relationship
with the recipient. That is, MSAs and MDAs can take advantage of
having prior relationships with users, in order to constrain their
transfer activities.
Specifically, an MSA can choose to reject all postings from MUAs for
which it has no existing relationship. Similarly, an MDA can choose
to reject all mail to recipients for which that MDA has no
arrangement to perform delivery. Indeed, both of these policies are
already in common practice.
Hutzler, et al. Expires November 6, 2005 [Page 4]
Internet-Draft Email SpamOps May 2005
Best practices are:
o Operators of MSAs MUST perform authentication during mail
submission, based on an existing relationship with the submitting
entity. This requirement applies to all mail submission
mechanisms.
o For email being received from outside their local operational
environment, email service operators MUST distinguish between mail
that will be delivered inside that environment, from mail that is
to be relayed back out to the Internet. This allows the MTA to
restrict this operation, preventing the problem embodied by "open"
relays.
o Mail coming from outside an email operator's local environment,
and having a RCPT-TO address that resolves to a destination that
is also outside the local environment, MUST be treated as mail
submission, rather than mail relaying. Hence it must be subjected
to mail submission authorization and validation checks.
o MDAs SHALL NOT accept mail to recipients for which that MDA has no
arrangement to perform delivery.
4. External Submission
An MUA, such as one desiring enforced privacy, may need to submit
mail across the Internet, rather than to a local MSA. This
requirement creates a challenge for the provider operating the
network that hosts the MUA. It makes that provider an involuntary
recruit to the task of solving mass-effect email problems. When the
MUA participates in a problem that affects large numbers of Internet
users, the operator is expected to effect remedies and is often
expected to prevent such occurrences.
A proactive technique used by some providers is to block all outbound
Port 25 SMTP traffic or to automatically redirect this traffic
through a local SMTP proxy, except for hosts that are explicitly
authorized. This can be problematic for some users, notably
legitimate mobile users attempting use their "home" MSA, even though
those users might already employ legitimate, Port 25-based
authentication.
This document offers no recommendation concerning the blocking of
SMTP Port 25.
Rather, it pursues the constructive benefit of using the official
SUBMISSION Port 587 [RFC2476].
Hutzler, et al. Expires November 6, 2005 [Page 5]
Internet-Draft Email SpamOps May 2005
Best practices are:
o MSAs MUST support the SUBMISSION port, for MUAs accessing from
outside the MSA's local environment.
o MSAs MUST perform authentication during all mail transactions on
the SUBMISSION port, even for a message having a RCPT TO address
that would not cause the message to be relayed.
o Access Providers SHALL NOT block users from accessing the external
Internet using the SUBMISSION port.
o MUAs SHOULD use the SUBMISSION port for message submission.
Note that the requirement for authentication, on the part of the MSA,
thereby makes that MSA responsible for the ensuing traffic it
generates.
Figure 1 depicts a local user (MUA.l) submitting a message to an MSA
(MSA). It also shows a remote user (MUA.r), such as might be in a
coffee shop offering "hotspot" wireless access, submitting a message
to their "home" MSA via an Authenticated Port 587 transaction.
"Home" Network SMTP /--------\ Destination
+-------+ +-----+ port 25 | | +----------+
| MUA.l | -> | MSA | ------> | | -> | MDA |
+-------+ 25 +-----+ | INTERNET | 25 +----------+
or ^ | |
587 \--------<---|---\ |
\---\----/
^ SUBMISSION
| Port 587
+--------+
| MUA.r |
+--------+
"HotSpot"
Figure 1: Example of Port 587 Usage
5. Message Submission Authentication Technologies
There are many different technologies available to authenticate
message submission transactions. These range from simple mechanisms
like POP authorization before SMTP and IP Address access lists, all
the way to SMTP AUTH [RFC2554] and client side certificates using
Transport Layer Security (TLS) [RFC3207]. Depending on the
Hutzler, et al. Expires November 6, 2005 [Page 6]
Internet-Draft Email SpamOps May 2005
environment, each of these mechanisms can be more or less effective
and convenient. Organizations are encouraged to choose the most
secure approach that is practical.
For example, SMTP AUTH using a secure authentication method like
CRAM-MD5 or DIGEST-MD5 may be sufficient. However, in some
environments, it is impractical to use one of the secure methods,
meaning that SMTP AUTH would be transmitting the username and the
password in clear text over insecure networks. This could allow
attackers to listen for this traffic and steal account data. In
these cases, using STARTTLS to establish an encrypted channel for
transmission of the SMTP AUTH username and password would be
preferred. Similarly, STARTTLS with client side certificates could
be used with the SMTP AUTH EXTERNAL mechanism to achieve secure
authentication.
6. Security Considerations
Email transfer between independent administrations can be the source
of large volumes of unwanted email and email containing malicious
content designed to attack the recipient's system. This document
addresses the requirements to permit such exchanges while reducing
the likelihood that malicious mail will be transmitted.
7. References
7.1 References -- Normative
[RFC0821] Postel, J., "Simple Mail Transfer Protocol", STD 10,
RFC 821, August 1982.
[RFC2476] Gellens, R. and J. Klensin, "Message Submission",
RFC 2476, December 1998.
[RFC2821] Klensin, J., "Simple Mail Transfer Protocol", RFC 2821,
April 2001.
7.2 References -- Informative
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2554] Myers, J., "SMTP Service Extension for Authentication",
RFC 2554, March 1999.
[RFC3207] Hoffman, P., "SMTP Service Extension for Secure SMTP over
Transport Layer Security", RFC 3207, February 2002.
Hutzler, et al. Expires November 6, 2005 [Page 7]
Internet-Draft Email SpamOps May 2005
Authors' Addresses
Carl Hutzler
America Online
12100 Sunrise Valley Drive
Reston, VA 20191
Phone: +1 703 265 5521
Email: cdhutzler@aol.com
Dave Crocker
Brandenburg InternetWorking
675 Spruce Drive
Sunnyvale, CA 94086
USA
Phone: +1.408.246.8253
Email: dcrocker@bbiw.net
Peter W. Resnick
QUALCOMM Incorporated
5775 Morehouse Drive
San Diego, CA 92121-1714
USA
Phone: +1 858 651 4478
Email: presnick@qualcomm.com
URI: http://www.qualcomm.com/~presnick/
Robert Sanders
Earthlink, Inc.
1375 Peachtree Street
Atlanta, GA 30309
USA
Phone: +1 404 748 7021
Email: sandersr@corp.earthlink.net
URI: http://home.mindspring.com/~rsanders/
Hutzler, et al. Expires November 6, 2005 [Page 8]
Internet-Draft Email SpamOps May 2005
Eric Allman
Sendmail, Inc.
Emeryville, CA 94608
USA
Phone: +1 510 594 5501
Email: eric@sendmail.com
Appendix A. Acknowledgments
These recommendations were first formulated during informal
discussions among members of Anti-Spam Technical Alliance (ASTA) and
some participants from the Internet Research Task Force's Anti-Spam
Research Group (ASRG).
Hutzler, et al. Expires November 6, 2005 [Page 9]
Internet-Draft Email SpamOps May 2005
Intellectual Property Statement
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Disclaimer of Validity
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Copyright Statement
Copyright (C) The Internet Society (2005). This document is subject
to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights.
Acknowledgment
Funding for the RFC Editor function is currently provided by the
Internet Society.
Hutzler, et al. Expires November 6, 2005 [Page 10]