SMTP C. Hutzler Internet-Draft Intended status: Best Current D. Crocker Practice Brandenburg InternetWorking Expires: November 26, 2007 P. Resnick QUALCOMM Incorporated R. Sanders E. Allman Sendmail, Inc. May 25, 2007 Email Submission: Access and Accountability draft-hutzler-spamops-07 Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on November 26, 2007. Copyright Notice Copyright (C) The IETF Trust (2007). Abstract Email has become a popular distribution service for a variety of Hutzler, et al. Expires November 26, 2007 [Page 1] Internet-Draft Email Submission May 2007 socially unacceptable, mass-effect purposes. The most obvious ones include spam and worms. This note recommends conventions for the operation of email submission and transport services between independent operators, such as enterprises and Internet Service Providers. Its goal is to improve lines of accountability for controlling abusive uses of the Internet mail service. Consequently the document offers recommendations for constructive operational policies between independent operators of email transmission services. With the recent advent of email authentication technologies aimed at providing assurances and traceability between internetworked networks, the authors recognized that the initial submission of a message became the weakest link. Consequently, the document offers recommendations for constructive operational policies for the first step of email sending, the submission (or posting) of email into the transmission network. Relaying and delivery entail policies that occur subsequent to submission and are outside the scope of this document. The document seeks BCP status. Comments and discussion of this document should be addressed to the ietf-smtp@imc.org mailing list. Hutzler, et al. Expires November 26, 2007 [Page 2] Internet-Draft Email Submission May 2007 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5 3. Submission, Relaying, Delivery . . . . . . . . . . . . . . . . 5 3.1. Best Practices for Submission Operation . . . . . . . . . 6 3.2. Transitioning to Submission Port . . . . . . . . . . . . . 7 4. External Submission . . . . . . . . . . . . . . . . . . . . . 7 4.1. Best Practices for Support of External Submissions . . . . 8 5. Message Submission Authentication/Authorization Technologies . . . . . . . . . . . . . . . . . . . . . . . . . 10 6. Consideration . . . . . . . . . . . . . . . . . . . . . . . . 10 6.1. Security Considerations . . . . . . . . . . . . . . . . . 10 6.2. IANA Considerations . . . . . . . . . . . . . . . . . . . 10 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 10 7.1. References -- Normative . . . . . . . . . . . . . . . . . 10 7.2. References -- Informative . . . . . . . . . . . . . . . . 10 Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . . 11 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 11 Intellectual Property and Copyright Statements . . . . . . . . . . 13 Hutzler, et al. Expires November 26, 2007 [Page 3] Internet-Draft Email Submission May 2007 1. Introduction The very characteristics that make email such a convenient communications medium -- its near ubiquity, rapid delivery and low cost -- have made it a fertile ground for the distribution of unwanted or malicious content. Spam, fraud and worms have become a serious problem, threatening the viability of email and costing end users and providers millions of dollars in damages and lost productivity. In recent years, independent operators including enterprises and ISPs have turned to a number of different technologies and procedures, in an attempt to combat these problems, with varying effect and with vastly different impacts on users and on the Internet mail infrastructure. Email will often travel between multiple independent providers of email transmission services, en route to its final destination. They will generally have no prior arrangement with one another and may employ different rules on the transmission. It is therefore difficult both to debug problems that occur in mail transmission and to assign accountability if undesired or malicious mail is injected into the Internet mail infrastructure. A wide variety of email authentication technologies has been developed, and more are under development. They provide some accountability and traceability between disparate networks. This document aims to build on these technologies by exploring best practices for authenticating and authorizing the first step of an email's delivery from MUA to MSA, otherwise known as submission. Without strong practices on email submission, the authentication technologies provide limited benefit. This document specifies operational policies to be used for the first step of email sending, the submission (or posting from an MUA to an MSA as defined below) of email into the transmission service. These policies will permit continued, smooth operation of Internet email, with controls added to improve accountability. Relaying and delivering employ policies that occur after submission and are outside the scope of this document. The policies listed here are appropriate for operators of all sizes and may be implemented by operators independently, without regard for whether the other side of an email exchange has implemented them. It is important to note that the adoption of these policies alone will not solve the problems of spam and other undesirable email. However they provide a useful step in clarifying lines of accountability and interoperability between operators. This helps raise the bar against abusers, and provides a foundation for additional tools to preserve the utility of the Internet email Hutzler, et al. Expires November 26, 2007 [Page 4] Internet-Draft Email Submission May 2007 infrastructure. This document does not delve into other anti-spam operational issues such as standards for rejection of email. The authors note that this would be a very valuable effort to undertake and suggest that additional work under another BCP document should be embarked upon. 2. Terminology The Internet email architecture distinguishes four message-handling components: o Mail User Agents (MUAs) o Mail Submission Agents (MSAs) o Mail Transfer Agents (MTAs) o Mail Delivery Agents (MDAs) At the origination end, an MUA works on behalf of end users to create a message and perform initial "submission" into the transmission infrastructure, via an MSA. An MSA accepts the message submission, performs any necessary preprocessing on the message and relays the message to an MTA for transmission. MTAs "relay" messages to other MTAs, in a sequence reaching a destination MDA that, in turn, "delivers" the email to the recipient's inbox. The inbox is part of the recipient-side MUA that works on behalf of the end-user to process received mail. These architectural components are often compressed, such as having the same software do MSA, MTA and MDA functions. However the requirements for each of these components of the architecture are becoming more extensive, so that their software and even physical platform separation is increasingly common Note: The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. 3. Submission, Relaying, Delivery The MSA, MTA and MDA functions used to be considered as the same set of functions. This has been reflected in the history of Internet mail by having MSA, MTA and MDA transfers all be performed with SMTP [RFC2821] [RFC0821], over TCP Port 25. Internet mail permits email Hutzler, et al. Expires November 26, 2007 [Page 5] Internet-Draft Email Submission May 2007 to be exchanged with no prior arrangement. Hence Port 25 exchanges occur without sender authentication. That is, the confirmed identity of the originator of the message is not necessarily known by the relaying MTAs or the MDA. It is important to distinguish MUA-to-MSA email submission, versus MTA relaying, versus the final MTA-to-MDA transmission, prior to MDA- to-MUA delivery. Submission typically does entail a pre-established relationship between the user of the client and operator of the server; equally, the MDA can determine that it will be affecting final delivery and has an existing relationship with the recipient. That is, MSAs and MDAs can take advantage of having prior relationships with users, in order to constrain their transfer activities. Specifically, an MSA can choose to reject all postings from MUAs for which it has no existing relationship. Similarly, an MDA can choose to reject all mail to recipients for which that MDA has no arrangement to perform delivery. Indeed, both of these policies are already in common practice. 3.1. Best Practices for Submission Operation Submission Port Availability: If external submissions are supported -- that is, from outside a site's administrative domain -- then the domain's MSAs MUST support the SUBMISSION port 587 [RFC4409]. It is also suggested that operators standardize on the SUBMISSION port for both external AND LOCAL users for simplicity. Submission Port Use: MUAs SHOULD use the SUBMISSION port for message submission. Submission Authentication: MSAs MUST perform authentication on the identity asserted during all mail transactions on the SUBMISSION port, even for a message having a RCPT TO address that would not cause the message to be relayed outside of the local administrative environment. Hutzler, et al. Expires November 26, 2007 [Page 6] Internet-Draft Email Submission May 2007 Submission Authorization: Operators of MSAs MUST perform authorization of the authenticated identity, for the operations performed during mail submission and based on an existing relationship with the submitting entity. This requirement applies to all mail submission mechanisms (MUA to MSA). Submission Accountability after Submission: Once a message has been submitted, the message SHOULD be later traceable by the MSA operator to the authenticated identity of the user who sent the message for a reasonable period of time. Such tracing MAY be based on transactional identifiers stored in the headers (received lines, etc) or other fields in the message. The specific length of time, after message submission, that traceability is supported is not specified here. However issues regarding transit often occur as much as one week after submission. 3.2. Transitioning to Submission Port In order to promote transition of initial message submission from port 25 to port 587, MSAs SHOULD listen on both ports. MSAs MUST require authentication on port 587 and SHOULD require authentication on port 25. MSAs MAY also listen on other ports. Regardless of the ports on which messages are accepted, MSAs MUST NOT permit relaying of unauthenticated messages to other domains (i.e., they must not be open relays). As delivered from the factory, MUAs SHOULD attempt to find the best possible submission port from a list of alternatives. That list SHOULD include the SUBMISSION port 587 as well as port 25. The ordering of that list SHOULD try the SUBMISSION port 587 before trying port 25, and MAY try other ports before, between, or after those two ports. Since most MUAs available today do not permit falling back to alternate ports, sites SHOULD pre-configure or encourage their users to connect on the SUBMISSION port 587, assuming that site supports that port. 4. External Submission An MUA, desiring special services, may need to submit mail across the Hutzler, et al. Expires November 26, 2007 [Page 7] Internet-Draft Email Submission May 2007 Internet, rather than to a local MSA, in order to obtain particular services. Examples include active privacy protection against third- party content monitoring and timely processing. Further the privacy requirement might reasonably include protection against monitoring by the operator of the MUA's access network. This requirement creates a challenge for the provider operating the IP network through which the MUA gains access. It makes that provider an involuntary recruit to the task of solving mass-effect email problems: When the MUA participates in a problem that affects large numbers of Internet users, the provider is expected to effect remedies and is often expected to prevent such occurrences. A proactive technique used by some providers is to block all use of Port 25 SMTP for mail that is being sent outbound, or to automatically redirect this traffic through a local SMTP proxy, except for hosts that are explicitly authorized. This can be problematic for some users, notably legitimate mobile users attempting use their "home" MSA, even though those users might already employ legitimate, Port 25-based authentication. This document offers no recommendation concerning the blocking of SMTP Port 25 and similar practices for controlling abuse of the standard anonymous mail transfer port. Rather, it pursues the mutually constructive benefit of using the official SUBMISSION Port 587 [RFC4409]. Note: However the authors wish to note that many established practices for controlling abuse of port 25, for mail that is being sent outbound, currently exist. These include the proxy of smtp traffic to local hosts for screening combined with various forms of rate limits. The authors suggest that this topic should be addressed in a separate BCP that would benefit the operational communities. 4.1. Best Practices for Support of External Submissions Open Submission Port: Access Providers MUST NOT block users from accessing the external Internet using the SUBMISSION port 587 [RFC4409]. Traffic Identification -- External Posting Versus Relaying: For email being received from outside their local operational environment, email service providers MUST distinguish between Hutzler, et al. Expires November 26, 2007 [Page 8] Internet-Draft Email Submission May 2007 mail that will be delivered inside that environment, versus mail that is to be relayed back out to the internet. This allows the MTA to restrict this operation, preventing the problem embodied by "open" relays. Note that there are situations where this may not apply such as secondary MXs and related implementations internal to an operator's network and within their control. Delivery Authorization: MDAs MUST NOT accept mail to recipients for which that MDA has no arrangement to perform delivery. Figure 1 depicts a local user (MUA.l) submitting a message to an MSA (MSA). It also shows a remote user (MUA.r), such as might be in a coffee shop offering "hotspot" wireless access, submitting a message to their "home" MSA via an Authenticated Port 587 transaction. HOME NETWORK DESTINATION +-------+ | MUA.l | +---+---+ port | port port port 587/25 V 25 25 -------- 25 +-----+ +-----+ ****** / \ ****** +-----+ +-----+ | MSA |->| MTA |->* AP *->| |->* AP *->| MTA |->| MDA | +--^--+ +-----+ ****** | INTERNET | ****** +-----+ +-----+ | | | +-------<--------------|----+ | \ | / ---^---- | ****** AP = Access Provider * AP * ****** | Port 587 +---+----+ | MUA.r | +--------+ HOTSPOT Figure 1: Example of Port 587 Usage Via Internet Hutzler, et al. Expires November 26, 2007 [Page 9] Internet-Draft Email Submission May 2007 5. Message Submission Authentication/Authorization Technologies There are many competent technologies and standards for authenticating message submissions. Two mechanisms that have been standardized include SMTP AUTH [RFC2554] and TLS [RFC3207]. Depending upon the environment, different mechanisms can be more or less effective and convenient. Organizations SHOULD choose the most secure approaches that are practical. This document does not provide recommendations on specific security implementations. It simply provides a warning that transmitting user credentials in clear text over insecure networks SHOULD be avoided in all scenarios as this could allow attackers to listen for this traffic and steal account data. In these cases, it is strongly suggested that an appropriate security technology MUST be used. 6. Consideration 6.1. Security Considerations Email transfer between independent administrations can be the source of large volumes of unwanted email and email containing malicious content designed to attack the recipient's system. This document addresses the requirements and procedures to permit such exchanges while reducing the likelihood that malicious mail will be transmitted. 6.2. IANA Considerations This document has no actions for IANA. 7. References 7.1. References -- Normative [RFC2821] Klensin, J., "Simple Mail Transfer Protocol", RFC 2821, April 2001. [RFC4409] Gellens, R. and J. Klensin, "Message Submission for Mail", RFC 4409, April 2006. 7.2. References -- Informative [RFC0821] Postel, J., "Simple Mail Transfer Protocol", STD 10, RFC 821, August 1982. Hutzler, et al. Expires November 26, 2007 [Page 10] Internet-Draft Email Submission May 2007 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC2554] Myers, J., "SMTP Service Extension for Authentication", March . [RFC3207] Hoffman, P., "SMTP Service Extension for Secure SMTP over Transport Layer Security", February 2002. Appendix A. Acknowledgments These recommendations were first formulated during informal discussions among members of Anti-Spam Technical Alliance (ASTA) and some participants from the Internet Research Task Force's Anti-Spam Research Group (ASRG). Authors' Addresses C. Hutzler 2512 Freetown Drive Reston, VA 20191 Phone: 703-915-6862 Email: cdhutzler@aol.com URI: http://carlhutzler.com/blog/ D. Crocker Brandenburg InternetWorking 675 Spruce Dr. Sunnyvale, CA 94086 USA Phone: +1.408.246.8253 Email: dcrocker@bbiw.net URI: http://bbiw.net Hutzler, et al. Expires November 26, 2007 [Page 11] Internet-Draft Email Submission May 2007 P. Resnick QUALCOMM Incorporated 5775 Morehouse Drive San Diego, CA 92121-1714 USA Phone: +1 858 651 4478 Email: presnick@qualcomm.com URI: http://www.qualcomm.com/~presnick/ R. Sanders Atlanta, GA USA Phone: Email: URI: E. Allman Sendmail, Inc. Emeryville, CA USA Phone: +1 510 594 5501 Email: eric+ietf-smtp@sendmail.org Hutzler, et al. Expires November 26, 2007 [Page 12] Internet-Draft Email Submission May 2007 Full Copyright Statement Copyright (C) The IETF Trust (2007). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Intellectual Property The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org. Acknowledgment Funding for the RFC Editor function is provided by the IETF Administrative Support Activity (IASA). Hutzler, et al. Expires November 26, 2007 [Page 13]