The AUTH Command
The AUTH command is an ESMTP command (SMTP service extension) that is used to authenticate the client to the server. The AUTH command sends the client's username and password to the e-mail server. AUTH can be combined with a keyword such as PLAIN, LOGIN, CRAM-MD5 or DIGEST-MD5 (e.g. AUTH LOGIN) to choose an authentication mechanism. The authentication mechanism determines how the login is performed and which level of security is used.
The AUTH PLAIN, AUTH LOGIN and AUTH CRAM-MD5 commands/mechanisms are described below.
One common method to log in to an SMTP server is to use the PLAIN mechanism. The example below shows how AUTH PLAIN can be used to log in:
After the client has sent the AUTH PLAIN command to the server, the server responds with a 334 reply code. Then the username and password are sent from the client to the server. The username and password are combined into one string and BASE64 encoded ("dGVzdAB0ZXN0ADEyMzQ=" in the example above). Although the keyword PLAIN is used, the username and password are not sent as literal plain text over the Internet; they are always BASE64 encoded. Note that BASE64 is a reversible encoding, not encryption, so anybody who can read the traffic can decode them. If you want to read more about BASE64 encoding, you can open this Internet page.
It is also possible to send the username and password together with the AUTH PLAIN command, as a single line. The whole login process can then be handled as easily as this:
*) The AUTH PLAIN command, the username and the password are sent to the server in one single line.
The LOGIN mechanism is another common method to log in to an SMTP server. The SMTP communication example below shows how AUTH LOGIN can be used to make an authenticated login to a server:
After the AUTH LOGIN command has been sent to the server, the server asks for the username and password by sending BASE64 encoded prompts to the client. "VXNlcm5hbWU6" is the BASE64 encoding of the word "Username" and "UGFzc3dvcmQ6" is the BASE64 encoding of the word "Password" in the example above. The client also sends the username and password BASE64 encoded. In the example above, "adlxdkej" is a BASE64 encoded username and "lkujsefxlj" is a BASE64 encoded password.
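The two BASE64 mechanisms above, worked through in code. This is an added example written for this page, not code from the original reference. It builds the AUTH PLAIN string in the RFC 4616 layout (authorization identity, NUL, username, NUL, password), replays a simulated AUTH LOGIN dialog with the "VXNlcm5hbWU6" / "UGFzc3dvcmQ6" prompts, and then decodes the client lines again to show why RFC 4954 only allows these mechanisms over a TLS-protected session: BASE64 hides nothing from anyone who can read the connection. Decoding the page's own string "dGVzdAB0ZXN0ADEyMzQ=" yields the identity "test", username "test" and password "1234". The usernames and passwords in the dialog functions are constructed sample values.

```python
import base64


def b64(text: str) -> str:
    """BASE64 encode a text string the way SMTP AUTH expects it (ASCII output)."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def unb64(encoded: str) -> str:
    """Decode a BASE64 line back to text; note this needs no key at all."""
    return base64.b64decode(encoded).decode("utf-8")


def auth_plain_response(authcid: str, password: str, authzid: str = "") -> str:
    """Client response for AUTH PLAIN: authzid NUL authcid NUL password, BASE64 encoded.
    authzid is usually empty, but the page's example sets it equal to the username."""
    return b64(f"{authzid}\0{authcid}\0{password}")


def decode_plain_response(encoded: str) -> tuple[str, str, str]:
    """Split a decoded AUTH PLAIN response into (authzid, authcid, password)."""
    parts = unb64(encoded).split("\0")
    if len(parts) != 3:
        raise ValueError("malformed AUTH PLAIN response")
    return parts[0], parts[1], parts[2]


def auth_plain_dialog(username: str, password: str) -> list[tuple[str, str]]:
    """Simulated single-line AUTH PLAIN exchange as (sender, line) pairs."""
    return [
        ("C", "AUTH PLAIN " + auth_plain_response(username, password)),
        ("S", "235 2.7.0 Authentication successful"),
    ]


def auth_login_dialog(username: str, password: str) -> list[tuple[str, str]]:
    """Simulated AUTH LOGIN exchange; the 334 prompts carry the BASE64 words."""
    return [
        ("C", "AUTH LOGIN"),
        ("S", "334 " + b64("Username:")),
        ("C", b64(username)),
        ("S", "334 " + b64("Password:")),
        ("C", b64(password)),
        ("S", "235 2.7.0 Authentication successful"),
    ]


def recover_credentials(dialog: list[tuple[str, str]]) -> list:
    """What a passive observer of an unencrypted session can read back from the
    client lines: every credential, because BASE64 is reversible by design."""
    found = []
    for sender, line in dialog:
        if sender != "C":
            continue
        if line.startswith("AUTH PLAIN "):
            found.append(decode_plain_response(line.split(" ", 2)[2]))
        elif line.startswith("AUTH"):
            continue
        else:
            found.append(unb64(line))
    return found


if __name__ == "__main__":
    for sender, line in auth_login_dialog("alice", "s3cret"):  # constructed values
        print(f"{sender}: {line}")
    print("observer recovers:", recover_credentials(auth_login_dialog("alice", "s3cret")))
```

The same decoding applies to the single-line form: `recover_credentials(auth_plain_dialog(...))` returns the full (authzid, username, password) triple, which is the reason the text later recommends CRAM-MD5 and why modern servers refuse AUTH PLAIN and AUTH LOGIN until STARTTLS has completed.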
One drawback of the PLAIN and LOGIN authentication mechanisms is that the username and password can be decoded quite easily if somebody monitors the SMTP communication. To obtain higher security, an authentication mechanism named CRAM-MD5 can be used instead. CRAM-MD5 combines a challenge-response exchange with the MD5 message digest algorithm, used as a keyed hash (HMAC-MD5) so that the password itself never has to be sent.
The example below shows how AUTH CRAM-MD5 can be used to log in to an SMTP server:
After the AUTH CRAM-MD5 command has been sent to the server, the server sends back a one-time BASE64 encoded "challenge" to the client (see above). The client responds by sending a BASE64 encoded string to the server that contains the username and a 16-byte digest in hexadecimal notation (see above).
The digest in the reply string is the output of an HMAC (Hash-based Message Authentication Code) calculation with the password as the secret key and the SMTP server's original challenge as the message. The SMTP server also calculates its own digest with its notion of the user's password, and if the client's digest and the server's digest match then authentication was successful and a 235 reply code is sent to the client.
The CRAM-MD5 authentication mechanism is more secure than the other two mechanisms described earlier because the password cannot be retrieved by decoding the BASE64 encoded client response. The password is used as the key to calculate the HMAC, but the password itself is not present anywhere in the response. The client response is also invalid for further authentications because the "challenge" sent from the server was a one-time "challenge" (often with a current time stamp included) and cannot be re-used by somebody who monitors the SMTP communication.
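Both sides of the CRAM-MD5 exchange described in the last three paragraphs, as an added example written for this page rather than code from the original reference. The client computes HMAC-MD5 with the password as key and the decoded challenge as message and replies with "username<space>hexdigest", BASE64 encoded; the server recomputes the digest from its stored copy of the password, compares in constant time, answers 235 or 535, and forgets the challenge after one use so that a captured response replays to 535. The hostname, the account table and the challenge format are constructed for the example; the known-answer check in the comments uses the published example from RFC 2195 (user "tim", password "tanstaaftanstaaf").

```python
import base64
import hashlib
import hmac
import secrets
import time

# Server-side account table (constructed). CRAM-MD5 verification needs the
# password itself (or an MD5 pre-computation of it), which is the trade-off for
# never sending the password: the server cannot store only a salted one-way hash.
USERS = {"tim": "tanstaaftanstaaf"}


def encode_challenge(raw: str) -> str:
    """BASE64 encode a challenge string as the server sends it after '334 '."""
    return base64.b64encode(raw.encode("ascii")).decode("ascii")


def make_challenge(hostname: str) -> str:
    """One-time challenge in the customary '<random.timestamp@host>' form."""
    return encode_challenge(f"<{secrets.randbelow(10**9)}.{int(time.time())}@{hostname}>")


def cram_md5_digest(password: str, challenge_b64: str) -> str:
    """HMAC-MD5(key=password, msg=decoded challenge) as 32 lowercase hex digits.
    RFC 2195 example: challenge '<1896.697170952@postoffice.reston.mci.net>'
    with password 'tanstaaftanstaaf' gives b913a602c7eda7a495b4e6e7334d3890."""
    challenge = base64.b64decode(challenge_b64)
    return hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()


def cram_md5_response(username: str, password: str, challenge_b64: str) -> str:
    """Client reply: 'username<space>hexdigest', BASE64 encoded."""
    return base64.b64encode(
        f"{username} {cram_md5_digest(password, challenge_b64)}".encode("utf-8")
    ).decode("ascii")


def parse_response(response_b64: str) -> tuple[str, str]:
    """Split a client reply into (username, hexdigest); reject malformed input."""
    text = base64.b64decode(response_b64).decode("utf-8")
    username, sep, digest = text.rpartition(" ")
    if not sep or len(digest) != 32 or not username:
        raise ValueError("malformed CRAM-MD5 response")
    return username, digest


class CramMd5Server:
    """Minimal server state: the set of challenges issued and not yet consumed."""

    def __init__(self, hostname: str, users: dict[str, str]) -> None:
        self.hostname = hostname
        self.users = users
        self.outstanding: set[str] = set()

    def challenge(self) -> str:
        c = make_challenge(self.hostname)
        self.outstanding.add(c)
        return c

    def verify(self, challenge_b64: str, response_b64: str) -> int:
        """Return the SMTP reply code: 235 on success, 535 on any failure."""
        if challenge_b64 not in self.outstanding:
            return 535  # unknown, expired or already-used challenge (replay)
        self.outstanding.discard(challenge_b64)  # one-time, consumed even on failure
        try:
            username, digest = parse_response(response_b64)
        except ValueError:
            return 535
        password = self.users.get(username)
        if password is None:
            return 535
        expected = cram_md5_digest(password, challenge_b64)
        return 235 if hmac.compare_digest(expected, digest) else 535


def demo() -> tuple[int, int]:
    """Run one genuine login and then replay the same response: (235, 535)."""
    server = CramMd5Server("mail.example.com", USERS)  # constructed hostname
    c = server.challenge()
    r = cram_md5_response("tim", USERS["tim"], c)
    return server.verify(c, r), server.verify(c, r)


if __name__ == "__main__":
    print("first login, replay:", demo())
```

Comparing `expected` and `digest` with `hmac.compare_digest` rather than `==` avoids leaking, through response timing, how many leading characters of the digest were right. Note that the response still exposes the username and a keyed hash of the password to anyone watching the session, so CRAM-MD5 protects the password but not the identity of the account.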
RFC 4954 - SMTP Service Extension for Authentication