Mail Relaying Basics
This document gives an overview of why DocuWeb email is configured the way it is, particularly the sending of email.
NMH - Fri Sep 21 10:29:02 EDT 2001
- Delivery of an email message is a surprisingly complex task. The mail delivery software must discover which of the millions of host machines on the Internet (usually one or two) are willing to accept email for a particular address. At any given time, those one or two machines might be temporarily unable to accept the message, due to local or remote problems. Therefore, the delivery software must be able to save the message and repeatedly retry the delivery. Delivery failures must ultimately result in a diagnostic being sent back to the original sender -- sometimes after hours or days.
- Very few email clients (Outlook Express, Netscape and the like, that is, the software that a user directly interacts with to send a message) are able to deal with the complexities of mail delivery. Instead, they are almost always configured to hand messages to a Mail Transfer Agent (MTA) on a server that is permanently connected to the Internet and that is always on and available. The email client forwards the message to the MTA and lets it deal with the complexities of delivery.
- MTAs are often called 'SMTP servers', because SMTP (Simple Mail Transfer Protocol) is the protocol used to transfer email messages from one machine to another. Common MTA software includes 'sendmail', 'exim', 'qmail' and a few others (including MS Exchange Server in MTA mode).
Email Relaying
- Relaying is the act of an MTA accepting a message from a person's email client software and forwarding it on to its final destination (or at least as close as possible to its final destination; sometimes a message has to be relayed in two or more 'hops').
- When an MTA allows anyone to relay messages to anyone else, it quickly becomes known to spammers. These low-lifes then use that MTA to send out their junk to hundreds, thousands or hundreds of thousands of people, annoying most of them. Such MTAs are called ``open relays''.
- If an internet provider, like DocuWeb, becomes known as having open relays, the addresses of these MTAs are placed in ``black lists'', and legitimate sites around the internet start to refuse email from these MTAs. This is bad for our clients. DocuWeb cannot afford to be known as having open relays; usage of our MTAs must be tightly restricted.
- Restriction cannot be made on the basis of the email address of the sender. Just because you say your email address is 'joe@domain.com', and both 'joe' and 'domain.com' are known and trusted clients of ours, does not mean we can allow you to relay email through our MTAs. There is no reliable way to verify a sender address: spammers can trivially forge a supposedly trusted address into the envelope sender (the SMTP 'MAIL FROM') and the From: header of their 'messages'.
Allowing Relaying for Our Clients Only
- There are only two reliable ways of restricting relay access to only those we know and like -- by IP address of the user's client machine, and by authentication (providing a name and password that we assign to you) before sending the message.
Allowing Known IP Addresses
- DocuWeb has traditionally used the former method; we have tables containing the IP addresses of machines that are allowed to relay messages through our MTAs. We update those tables as the need arises. This works adequately well for machines that stay in one location and whose IP addresses are predictable for long periods of time. It does not work very well for laptops that are transported around the country and connected via dialup from many different locations.
- If you have set one of our MTAs (typically, mail.docuweb.ca) as your SMTP server, and if you try to send a message to an address that does not belong to a DocuWeb client, and if we have not specifically allowed your client to use us as a relay, then your message will almost immediately be returned to you as undeliverable. The error message will vary, but it will usually contain some variation of the phrase ''relaying denied'', When this happens, you should contact us so that we can enable relaying for you.
- A fine point: Actually, you can always use our relays to send a message to us (or to one of our clients), without special permissions. Technically, if either the sender machine or the receiving address is 'local' to DSocuWeb, then relaying is permitted without restriction. This is not a serious security hole for spamming, as the possible audience is very small.
Authenticated SMTP (User ID and Password)
- DocuWeb has recently implemented authenticated SMTP. This is mainly of interest to people with portable computers and who use them to send mail from a variety of locations, using a variety of internet providers. These people will be able to use our SMTP servers from wherever they are, and will not have to reconfigure their mail clients with each move.
- Basically, you tell your mail client to use authenticated SMTP, and then use the same user name and password that you use to read your email through POP mail, IMAP, or through http://webmail.docuweb.ca/.
- See the configuration instructions.