© 1972–2016 BHG LLC
AMTP · Frequently Asked Questions
page created 3 August 2003 by bw
Authenticated Mail Transfer Protocol
SMTP Auth uses a shared secret, like a password. That's useful for authenticating users, but it would not scale well to the world population of mail servers.
AMTP uses TLS (like SSL for web servers) to create a trusted relationship between entities operating Mail Transfer Agents (MTAs, i.e., servers and clients). AMTP also provides a mechanism to publish concisely-defined policies. This allows the parties in the trusted relationship to hold each other responsible for operating their servers within the constraints of agreed-upon rules.
This solution will only work if it is exclusive of existing practice. In order to solve the problem we must stop accepting traffic from non- trusted sources.
AMTP is based upon SMTP, so it can make use of existing SMTP extensions and existing code. It is designed to make the transition relatively painless for system operators and mail server/client authors.
AMTP will deploy on a different port number than SMTP, allowing existing servers to exchange traffic using both protocols for a period of time, and then, after a sufficient amount of time, simply stop listening on port 25.
UBE has proliferated because senders have been able to obfuscate the sources of mail, and there has been no universally accepted set of policies that classify abuse. AMTP addresses both of those deficiencies.
AMTP does not intentionally single out dynamic IP addresses, but it does create a barrier for them.
A goal of AMTP's authentication is to create a tight binding between a connection and an identity. The identity is certified by a trusted third party, along with a DNS name (much like a secure web server). AMTP takes this one step further and requires the DNS name to be confirmed by a reverse-DNS lookup (IP-to-name lookup). Most users of dynamic IP addresses do not have access to their reverse-DNS, so they will not be able to send mail through a public AMTP server.
It will not be impossible, however, to run AMTP from a dynamic IP address. The AMTP specification allows for a server to accept self-signed certificates that do not match the reverse-DNS, "for use by its customers from dynamically-allocated address space." You may still be able to run your own outgoing server on a dynamic IP address, and use your AMTP server as a relay with the self-signed certificate they provided for use in your MUA. A third party may also provide such a relay service under some circumstances.
The purpose of the reverse-DNS lookup is to validate the DNS name part of the authentication. Some have suggested that forward-DNS (name-to-IP lookup) should be enough to confirm the identity of a host, but alas it is not. It would be easy for a mail abuser to set up nameservers to resolve a domain name to several hijacked computers around the world. Forward-DNS could easily be modified every few minutes to conform to the current map of hijacked systems that are sending mail.
It would be far more difficult to subvert reverse-DNS. In order to do so the mail abuser would have to take control of the DNS servers that are authoritative for a particular IP address. Someone may accomplish that once or twice, but they won't be able to build a business based on it.