
AMTP · Frequently Asked Questions

page created 3 August 2003 by bw
page updated 2 September 2003 by bw

  1. What does AMTP stand for?

    Authenticated Mail Transfer Protocol.

  2. What does AMTP do that SMTP Auth does not?

    SMTP Auth uses a shared secret, like a password. That is useful for authenticating users, but it would not scale well to the world population of mail servers.

    AMTP uses TLS (like SSL for web servers) to create a trusted relationship between entities operating Mail Transfer Agents (MTAs, i.e., servers and clients). AMTP also provides a mechanism to publish concisely-defined policies. This allows the parties in the trusted relationship to hold each other responsible for operating their servers within the constraints of agreed-upon rules.

  3. Why not add this capability to SMTP as an option?

    This solution will only work if it is exclusive of existing practice. In order to solve the problem we must stop accepting traffic from non-trusted sources.

    AMTP is based upon SMTP, so it can make use of existing SMTP extensions and existing code. It is designed to make the transition relatively painless for system operators and mail server/client authors.

    AMTP will deploy on a different port number than SMTP, allowing existing servers to exchange traffic using both protocols for a period of time, and then, after a sufficient amount of time, simply stop listening on port 25.

  4. How does this capability reduce UBE?

    UBE has proliferated because senders have been able to obfuscate the sources of mail, and there has been no universally accepted set of policies that classify abuse. AMTP addresses both of those deficiencies.

  5. Does AMTP prevent me from running a mail server on a dynamic IP address?

    AMTP does not intentionally single out dynamic IP addresses, but it does create a barrier for them.

    A goal of AMTP's authentication is to create a tight binding between a connection and an identity. The identity is certified by a trusted third party, along with a DNS name (much like a secure web server). AMTP takes this one step further and requires the DNS name to be confirmed by a reverse-DNS lookup (IP-to-name lookup). Most users of dynamic IP addresses do not have access to their reverse-DNS, so they will not be able to send mail directly to a public AMTP server.

    It will not be impossible, however, to run AMTP from a dynamic IP address. The AMTP specification allows a server to accept self-signed certificates that do not match the reverse-DNS, "for use by its customers from dynamically-allocated address space." You may still be able to run your own outgoing server on a dynamic IP address and use your provider's AMTP server as a relay, presenting the self-signed certificate the provider issued for use in your MUA. A third party may also provide such a relay service under some circumstances.

  6. Why does AMTP require reverse-DNS lookups?

    The purpose of the reverse-DNS lookup is to validate the DNS name part of the authentication. Some have suggested that forward-DNS (name-to-IP lookup) should be enough to confirm the identity of a host, but alas it is not. It would be easy for a mail abuser to set up nameservers to resolve a domain name to several hijacked computers around the world. Forward-DNS could easily be modified every few minutes to conform to the current map of hijacked systems that are sending mail.

    It would be far more difficult to subvert reverse-DNS. In order to do so the mail abuser would have to take control of the DNS servers that are authoritative for a particular IP address. Someone may accomplish that once or twice, but they won't be able to build a business based on it.
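As an added illustration (not part of the original FAQ or of the AMTP specification), here is the decision a receiving AMTP server would make for a connecting MTA, covering both the reverse-DNS confirmation of the certificate's DNS name described in the two answers above and the self-signed exception for a provider's own customers on dynamic addresses. The PTR table, IP addresses, certificate names and fingerprints are all constructed stand-ins; a real server would perform live IP-to-name lookups and validate the certificate chain with its TLS library before calling this check.

```python
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List

# Constructed reverse-DNS (PTR) table standing in for live IP-to-name lookups;
# a real server would call socket.gethostbyaddr() or a resolver library instead.
CONSTRUCTED_PTR: Dict[str, List[str]] = {
    "192.0.2.10": ["mta1.example.net."],          # fixed-IP MTA whose PTR matches its cert
    "198.51.100.7": ["dyn-7.pool.isp.example."],  # dynamic pool address; PTR is the ISP's
}


def constructed_ptr_lookup(ip: str) -> List[str]:
    """Stand-in for a PTR query: the names reverse-DNS returns for ip (constructed data)."""
    return CONSTRUCTED_PTR.get(ip, [])


@dataclass(frozen=True)
class PeerCert:
    """Only the fields of the peer's certificate that this check needs."""
    dns_names: tuple     # subjectAltName dNSName entries (and CN, if the cert relies on it)
    ca_signed: bool      # True if the chain already validated against a trusted CA
    der: bytes           # raw certificate bytes, used here only for the fingerprint

    def fingerprint(self) -> str:
        return hashlib.sha256(self.der).hexdigest()


@dataclass(frozen=True)
class Decision:
    accepted: bool
    reason: str


def _normalize(name: str) -> str:
    # DNS names compare case-insensitively; PTR answers often carry a trailing dot.
    return name.rstrip(".").lower()


def verify_peer(ip: str, cert: PeerCert,
                ptr_lookup: Callable[[str], List[str]] = constructed_ptr_lookup,
                customer_pins: FrozenSet[str] = frozenset()) -> Decision:
    """Decide whether to accept a connecting MTA.

    CA-signed certificate: reverse-DNS of the connecting IP must return one of the
    certificate's DNS names (the binding the FAQ describes); a missing or
    non-matching PTR is a rejection even though forward-DNS might agree.
    Self-signed certificate: accepted only if the operator has pinned its
    fingerprint for one of its own customers (the FAQ's dynamic-IP exception).
    """
    ipaddress.ip_address(ip)  # raises ValueError on a malformed address

    if cert.ca_signed:
        ptr_names = {_normalize(n) for n in ptr_lookup(ip)}
        if not ptr_names:
            return Decision(False, f"no reverse-DNS for {ip}")
        cert_names = {_normalize(n) for n in cert.dns_names}
        match = ptr_names & cert_names
        if match:
            return Decision(True, f"name {sorted(match)[0]} confirmed by reverse-DNS of {ip}")
        return Decision(False, f"certificate names {sorted(cert_names)} "
                               f"not in reverse-DNS {sorted(ptr_names)}")

    if cert.fingerprint() in customer_pins:
        return Decision(True, "self-signed certificate pinned for a customer relay")
    return Decision(False, "self-signed certificate is not a pinned customer certificate")


# Constructed certificates and pin list for the worked cases below.
MTA_CERT = PeerCert(("mta1.example.net",), True, b"constructed-ca-signed-cert")
CUSTOMER_CERT = PeerCert(("laptop.customer.example",), False, b"constructed-customer-cert")
CUSTOMER_PINS = frozenset({CUSTOMER_CERT.fingerprint()})


if __name__ == "__main__":
    cases = [("192.0.2.10", MTA_CERT),       # accept: PTR confirms the certificate name
             ("198.51.100.7", MTA_CERT),     # reject: same cert presented from a pool address
             ("203.0.113.5", MTA_CERT),      # reject: no reverse-DNS at all
             ("198.51.100.7", CUSTOMER_CERT)]  # accept: pinned self-signed customer cert
    for ip, cert in cases:
        d = verify_peer(ip, cert, customer_pins=CUSTOMER_PINS)
        print(ip, "accept" if d.accepted else "reject", "-", d.reason)
```

The pin list is what makes the dynamic-address exception safe to operate: it is an explicit, per-customer allow list held by the provider, so a self-signed certificate from an unknown source is rejected exactly like a CA-signed certificate whose name the connecting address's reverse-DNS does not vouch for.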
