SMTP-AUTH
One of the main shortcomings of the original SMTP was a lack of security: it had no facility for authenticating users.
To address this lack, an extension to SMTP, SMTP-AUTH, was defined (RFC 2554).
Usage of SMTP-AUTH
- SMTP-AUTH is a facility that provides access control. It can be used to allow authorized users to send and receive mail and to deny these options to unauthorized users. Even so, spoofing is still possible with SMTP-AUTH.
- SMTP-AUTH can also be used by one mail server to inform another mail server that a message's sender was authenticated. This requires the receiving mail server to trust the sending one, so it is not common over the Internet (a receiving mail server cannot know whether the sender is a spammer or not).
How SMTP-AUTH works
An additional step is defined in which the client logs in to the mail server as part of the sending process. Servers that support SMTP-AUTH can require clients to perform this step so that their identity is authenticated.
Weakness of SMTP-AUTH
Authorized users can send messages from IP addresses from which unauthorized users cannot. Thus every username and password becomes a key that can be used to make the system insecure. Attackers can guess common usernames and passwords and use them to attack SMTP-AUTH mail servers. One way of dealing with this problem is to use strong passwords.
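The login step described under "How SMTP-AUTH works" and the password-guessing problem above, as an added Python example that is not part of the original page: the client builds an AUTH PLAIN response, and the server verifies it against a salted hash and refuses an account after repeated failures. The user "alice", her password, the salt and the MAX_FAILURES policy are constructed values.

```python
import base64
import hashlib
import hmac

# Constructed credential store: username -> (salt, PBKDF2-SHA256 digest).
# "alice" and her password are hypothetical values, not from the original page.
def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

_SALT = b"constructed-salt-value"
USERS = {"alice": (_SALT, _derive("correct horse battery", _SALT))}
_DUMMY = _derive("dummy", _SALT)  # checked for unknown users so timing does not reveal valid names

MAX_FAILURES = 5               # assumed lockout policy: refuse after this many failed attempts
failures: dict[str, int] = {}  # username -> consecutive failed AUTH attempts


def auth_plain_initial_response(authcid: str, passwd: str, authzid: str = "") -> str:
    """Client side: build the base64 initial response sent with 'AUTH PLAIN'.
    Layout is [authzid] NUL authcid NUL password (the PLAIN SASL mechanism)."""
    raw = f"{authzid}\0{authcid}\0{passwd}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def server_auth_plain(initial_response: str) -> str:
    """Server side: decode the client's response, check the password, return the SMTP reply.
    Failures are counted per username; once MAX_FAILURES is reached the account is refused
    even with the right password, which blunts the guessing the page warns about."""
    try:
        parts = base64.b64decode(initial_response, validate=True).split(b"\0")
    except ValueError:  # binascii.Error is a ValueError subclass
        return "501 5.5.2 Cannot decode response"
    if len(parts) != 3:
        return "501 5.5.2 Cannot decode response"
    _authzid, authcid, passwd = (p.decode("utf-8", "replace") for p in parts)

    salt, expected = USERS.get(authcid, (_SALT, _DUMMY))
    # Constant-time compare; the membership check stops a guess of "dummy" from passing.
    ok = hmac.compare_digest(_derive(passwd, salt), expected) and authcid in USERS
    if ok and failures.get(authcid, 0) < MAX_FAILURES:
        failures[authcid] = 0
        return "235 2.7.0 Authentication successful"
    failures[authcid] = failures.get(authcid, 0) + 1
    # Same reply for unknown user, wrong password and locked account: no information leak.
    return "535 5.7.8 Authentication credentials invalid"
```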