MTA(Mail Transfere Agent): A mail transfer agent is responsible for delivering email to other MTA’s. An MTA will use various delivery methods known as MDA’s “Mail Delivery Agents” to relay the messages to a users inbox.
MDA(Mail Delivery Agent): Ports like IMAP, Subission, POP3, and confusingly SMTP are all mail delivery agent ports used by a client to send and receive email. When you send or receive an email you are using a deliver agent. This delivery agent then uses the MTA to send and receive emails from other MTA’s.
MUA(Mail User Agent): This is the client software used to read, send and receive emails. The MUA has no direct communication MTA’s even though some providers allow you to send emails over port 25.
Domain configuration
The domain name schema can be setup in many ways. For large enterprise its usually good to have separate sub-domains for sections of the email system. This is not necessary but easy to manage and segments public certificates. For example; imap.example.com, smtp.example.com, pop3.example.com. These domains can be encrypted with their own certificates where as running everything from one domain means a single certificate is used on all services in the email server.
SPF(Sender Policy Framework): Is a TXT rule “v=spf1 mx ip4:123.123.123.123 ip4:123.123.123.123 include:third-party-smtp-relay.com ~all” this will usually be checked against the RDNS of the senders IP and this should match the client EHLO.
DKIM (DomainKeys Identified Mail): This uses Asymmetric cryptography by generating a public and private key pair that is stored as a TXT record. The public key is stored in a subdomain marked as a “selector” contained in the DKIM header. A body hash is created and signed by the senders private key. The body hash is then sent with the signature and selector to a receiving MTA. The Receiving MTA first uses the selector and a DNS lookup to find the public key. This key is then used to calculate the body hash to confirm the email was signed by the private key. If the email was tampered with or was not sent by a server with the private key, this will result in a failure with DKIM verification.
DMARC(Domain-based Message Authentication Reporting & Conformance): Is a TXT record in a subdomain of the SMTP sender domain _dmarc. This TXT record gives instructions to other MTA’s on how to handle failures in the DKIM and SPF checks. In this record is an email address to report email activity. MTA’s use this email to send aggregate reports daily of what emails were sent from the users domain.
Different email protocols
SMTP (Simple Mail Transfer Protocol): Is a protocol used by MTA’s to relay messages back and forward.
IMAP (Internet Messaging Access Protocol): IMAP is used for email access on multiple devices.
POP3 (Post Office Protocol): This method can download messages to a singe device and is intended for situations where emails don’t need to be accessed on multiple devices.
RDNS and Encryption
RDNS(Revers DNS): revers DNS is used by MTA’s as part of normal spam checks. Its called revers DNS because a domain is getting resolved from the IP. A RDNS is used in mail for identifying the owner of the IP address. To combat spam, an MTA must have complete control over the IP address and dedicated to mail delivery. This prevents spammers from connecting a computer to any internet connection and sending mail. The RDNS must be the same as the MTA’s sender domain, not using RDNS properly could result in emails being rejected.
STARTTLS vs Implicit SSL/TLS
To encrypt the emails sent and received by an email server there are two methods of encrypting the message.
STARTTLS is a message sent by a receiving server to upgrade the connection to an encryption. This was invented to allow optional encryption so MTA’s not capable of encryptions could still send messages.
Implicit SSL/TLS is what it describes, in that a port is dedicated to encrypted and is not optional. A client not capable of encryption wont be able to use the port.
These functions make up the fundaments of an email server. If you have any question of need help with email related issues, head over to the contacts page and send a message.