SMTP proxy
SMTP proxies are specialized mail transfer agents (MTAs) that, similar to other types of proxy servers, pass SMTP sessions through to other MTAs without using the store-and-forward approach of a typical MTA. When an SMTP proxy receives a connection, it initiates another SMTP session to a destination MTA. Any errors or status information from the destination MTA will be passed back to the sending MTA through the proxy.[1]
Uses
SMTP proxies are commonly used to process and filter inbound and outbound email traffic.[2]
Inbound SMTP proxying
SMTP proxies often serve as the initial, network-facing layer in an email system, processing SMTP connections from clients before forwarding data to a second layer of mail servers.[3] SMTP proxies often implement the first and/or only layer of defence in an inbound anti-spam filtering system, where they can analyze messages using a spam content filter or antivirus program, block or rate limit connections using DNS blacklists and reputation systems, and load-balance SMTP connections to prevent overloading of mail servers.
Advantages of SMTP proxying
Because SMTP proxies do not store messages as a store-and-forward MTA does, they can reject SMTP connections or message content in real time, doing away with the need for out-of-band non-delivery reports (NDRs), which are the cause of backscatter email, a serious problem in the Internet email system.
Certain SMTP proxies implement TCP connection management (otherwise known as flow control), which can help to reduce damage to downstream mail servers resulting from spikes in TCP traffic from malicious SMTP clients. TCP connection management in the context of SMTP typically involves bandwidth throttling and/or introducing delays in SMTP command responses (this is also known as tarpitting). When slowed down, certain malicious sources of SMTP traffic such as spambots tend to give up rather than continuing to deliver a full email message.[4]
Network tarpitting can be challenging to implement within an email server, since each SMTP connection is processed more slowly than normal, often holding up precious system resources such as memory and CPU. Because SMTP proxies can be implemented using lighter-weight programming techniques such as asynchronous I/O (for example nginx, Node.js, Netty and libevent), thousands of connections can be juggled using the same resources as a much smaller number of connections in the context of a full-blown store-and-forward email server.
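The following is an added example, not code from any project named in this article. It shows both properties described in this section: the destination MTA's rejection reaches the client inside the live session, and every reply is tarpitted with an event-loop timer using asynchronous I/O. The `fake_mta` server, the `example.test` addresses and the 50 ms delay are constructed for the demonstration, and the relay assumes a client that does not use PIPELINING or STARTTLS.

```python
import asyncio, time

async def read_reply(rd):
    """Read one SMTP reply, following 'NNN-' continuation lines."""
    reply = line = await rd.readline()
    while line[3:4] == b"-":
        line = await rd.readline()
        reply += line
    return reply                                   # b"" once the peer has closed

async def relay(c_rd, c_wr, upstream, delay):
    """Proxy one session to upstream (host, port), tarpitting every reply."""
    u_rd, u_wr = await asyncio.open_connection(*upstream)
    try:
        while reply := await read_reply(u_rd):     # greeting, then one reply per command
            await asyncio.sleep(delay)             # tarpit: a timer, not a blocked thread
            c_wr.write(reply)                      # upstream status passed back verbatim
            await c_wr.drain()
            while line := await c_rd.readline():   # one command, or after 354 the body up to "."
                u_wr.write(line)
                if not reply.startswith(b"354") or line.rstrip(b"\r\n") == b".":
                    break
            if not line:
                return                             # client gave up mid-session
            await u_wr.drain()
    finally:
        u_wr.close()
        c_wr.close()

async def fake_mta(rd, wr):
    """Constructed stand-in for the destination MTA: refuses every recipient."""
    wr.write(b"220 mx.example.test ESMTP\r\n")
    while cmd := await rd.readline():
        wr.write(b"550 no such user\r\n" if cmd[:4].upper() == b"RCPT" else b"250 ok\r\n")
        await wr.drain()
    wr.close()

async def demo(delay=0.05):
    """Run a constructed session through the proxy; returns (reply codes, seconds)."""
    mta = await asyncio.start_server(fake_mta, "127.0.0.1", 0)
    up = mta.sockets[0].getsockname()[:2]
    proxy = await asyncio.start_server(lambda r, w: relay(r, w, up, delay), "127.0.0.1", 0)
    rd, wr = await asyncio.open_connection(*proxy.sockets[0].getsockname()[:2])
    start, codes = time.monotonic(), [(await read_reply(rd))[:3]]
    for cmd in (b"HELO c.example.test", b"MAIL FROM:<a@example.test>", b"RCPT TO:<b@example.test>"):
        wr.write(cmd + b"\r\n")
        codes.append((await read_reply(rd))[:3])
    wr.close(); mta.close(); proxy.close()
    return codes, time.monotonic() - start
```

`asyncio.run(demo())` returns the reply codes the client saw and how long the tarpitted session took.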
Outbound SMTP proxying
SMTP proxies are sometimes inserted between sending mail servers on a local network and their receiving counterparts on the Internet. SMTP proxies are often used in this context to filter outgoing spam; however, other applications such as DomainKeys Identified Mail (DKIM) signing also exist.[5]
Types of SMTP proxies
SMTP proxies come in a few fundamental flavors:
- Synchronous - each SMTP client connection causes the proxy to establish a single connection with a downstream mail server. See the open-source smtp-gated project for an example of a synchronous SMTP proxy.
- Multiplexing - the proxy establishes downstream connections to the mail server only as needed, intelligently juggling a pool of SMTP connections; this protects the downstream mail server from excessive connection concurrency.[6]
- Transparent - the proxy is inserted into the network between clients and servers, masquerading itself in such a way that the client and server believe they are talking directly to each other, even though there is a proxy in the middle. The commercial "MailChannels Outbound" product from MailChannels implements a transparent proxy.[7] Policy-based routing may be used to route SMTP traffic through a transparent SMTP proxy.
References
- Frisch, Æleen (2002). Essential System Administration: Help for UNIX System Administrators. O'Reilly. ISBN 0596003439.
- Lammle, Todd (2012-01-09). CompTIA Network+ Study Guide Authorized Courseware: Exam N10-005. John Wiley & Sons. ISBN 978-1-118-23886-8.
- Pohlmann, Norbert; Crothers, Tim (2004). Firewall Architecture for the Enterprise. Laxmi Publications Pvt Limited. ISBN 978-81-7008-349-8.
- Article discussing an implementation of SMTP tar-pitting. Fetched from the Web Hosting Industry Review web site on May 7, 2012.
- Setting up the outbound proxy with Postfix. Fetched on May 7, 2012.
- Developing High Performance Asynchronous IO Applications. Fetched May 7, 2012.
- MailChannels Outbound Product Information