Service Announcements
  • All of our services are operating normally.
Check Network Health

Phasing Out of the "MAIL-FROM" Authorisation Scheme

Archived This content has been archived and is no longer actively maintained.

Contents

1. What is going on with my maintainer?

a. Who will be affected?
b. What is happening and why?
c. Migration timeline

2. What must I do to continue using my maintainer?

3. Details

a. Weaknesses in "MAIL-FROM"
b. Community process
c. Other alternatives
d. Links for more information

1. What is going on with my maintainer?

a. Who will be affected?

You will be affected by the this change if the following applies to you:

  • You are the "owner" of a maintainer (i.e. mntner) object. That is, you are authorised to modify the maintainer object.
  • Your maintainer contains an "auth:" attribute with a "MAIL-FROM" tag.

If these criteria apply to you, please read further.

b. What is happening and why?

The RIPE Database will no longer allow you to authenticate (identify) yourself when you make updates using your e-mail address. It is easy to fake an e-mail address. Therefore this system of authentication provides no effective security. For this reason the Database Working Group of the RIPE Community decided to remove this authentication scheme.

Maintainers that use e-mail authentication, which is specified by using MAIL-FROM for the "auth:" attribute, must choose another means of authentication.

c. Migration timeline

Use of "MAIL-FROM" is phased out in four steps on the following dates:

Phase 1: 16 May 2002 - 12 June 2002
Notifications are sent to the owners of the maintainers in question. Potential owners are contacted using e-mail addresses listed in "mnt-nfy:", "upd-to:" attributes of the mntner objects and in the the "admin-c:" and "tech-c:" contacts.
Phase 2: 13 June 2002 - 10 July 2002
When updating maintainers, the new version must not contain "MAIL-FROM auth:" attributes, otherwise this will be reported as a syntax error.  This means that you cannot create any new "MAIL-FROM auth:" attributes, either in new or existing maintainers.
Phase 3: 11 July 2002 - 7 August 2002
You can no longer use e-mail authentication.  This means that even if you have a "MAIL-FROM auth:" that was present before the transition, it will no longer work. Maintainers with only MAIL-FROM will no longer work at all.
Phase 4: 8 August 2002
Maintainers with "auth:" attributes using "MAIL-FROM" will have those attributes removed. This is a clean-up step.

2. What must I do to continue using my maintainer?

If your maintainer already has some other form of authentication, for example CRYPT-PW or PGPKEY, then you can continue to use those methods.  However, we encourage you to remove or replace "MAIL-FROM auth:" attributes with a stronger authentication scheme.  You can remove the "MAIL-FROM auth:" attributes until the final phase (Phase 4) when this will be done automatically.

If your maintainer only has "MAIL-FROM" authentication, then you need to pick a new authentication method. You can do this until 11 July 2002, when Phase 3 starts.  The easiest solution is to use the MD5-PW scheme. To use MD5-PW, do the following:

1. Pick a passphrase. Some advice on choosing a good passphrase may be found here.

E.g. "@ v3ri $3>|rit P@55Frais" has the mnemonic "a very secret passphrase", is relatively long and contains a mix of non-alphabetic characters.

2. Go to the Crypt CGI Interface and convert the password to MD5-PW.

E.g. "@ v3ri $3>|rit P@55Frais" converts to "$1$HaKpJ.7L$bMelWa6qPZJn9ZTn7dphr/". The encrypted password is not always the same for the same starting password.

3. Get a copy of your maintainer from the RIPE Database.

E.g. A maintainer might look like this:
mntner:       EXAMPLE-MNT
descr: Sample maintainer for example.
admin-c: SWK1-RIPE
tech-c: RD132-RIPE
upd-to: ripe-dbm _at_ ripe _dot_ net
mnt-nfy: ripe-dbm _at_ ripe _dot_ net
auth: MAIL-FROM shane _at_ ripe _dot_ net
notify: ripe-dbm _at_ ripe _dot_ net
mnt-by: EXAMPLE-MNT
referral-by: RIPE-DBM-MNT
changed: ripe-dbm _at_ ripe _dot_ net 20020508
source: RIPE

4. Delete any "auth:" lines that have "MAIL-FROM".

5. Add a line that starts with "auth: MD5-PW", followed by a space and the encrypted password from step #2.

E.g. The previous maintainer would become:

mntner:       EXAMPLE-MNT
descr: Sample maintainer for example.
admin-c: SWK1-RIPE
tech-c: RD132-RIPE
upd-to: ripe-dbm _at_ ripe _dot_ net
mnt-nfy: ripe-dbm _at_ ripe _dot_ net
auth: MD5-PW $1$HaKpJ.7L$bMelWa6qPZJn9ZTn7dphr/
notify: ripe-dbm _at_ ripe _dot_ net
mnt-by: EXAMPLE-MNT
referral-by: RIPE-DBM-MNT
changed: ripe-dbm _at_ ripe _dot_ net 20020508
source: RIPE

6. Send the maintainer as a plain text e-mail to <auto-dbm _at_ ripe _dot_ net>.  You must send it from one of the e-mail addresses specified in the old "MAIL-FROM" line.

You will receive an automatic reply from the database when the update is complete.  If successful, you can then use the password authentication.  To do this, put "password:" on the beginning of a line in the body of the message, followed by your clear-text, non-encrypted password.

E.g. To create a person object with the above maintainer, you would send an e-mail with the following body:

password: @ v3ri $3>|rit P@55Frais

person: Adam Smith
address: RIPE NCC
address: Singel 258
address: 1016 AB Amsterdam
address: The Netherlands
phone: +31 20 535 4444
fax-no: +31 20 545 4445
e-mail: adam-example _at_ ripe _dot_ net
nic-hdl: AUTO-1
notify: adam-example _at_ ripe _dot_ net
mnt-by: EXAMPLE-MNT
changed: ripe-dbm _at_ ripe _dot_ net
source: RIPE

3. Details

a. Weaknesses in "MAIL-FROM"

"MAIL-FROM" has long been considered insecure.  There is no way for the database to verify that the "From:" e-mail address listed in an e-mail is correct.  Because of this, a malicious user can use any "From:" address in an e-mail and bypass the protection.

Since "MAIL-FROM" seems like it offers protection, it is in some ways worse than no protection at all, because users may think that their data is more secure than it actually is.

b. Community process

In the Database Working Group at the RIPE 41 Meeting, it was proposed that "MAIL-FROM" be deprecated, due to the well-known weaknesses explained above.

A detailed plan was presented on the mailing list and discussed on-line.

At the RIPE 42 Meeting, a timeline was proposed and then presented on the database mailing list as well as the LIR mailing list.

c. Other alternatives

The MD5-PW scheme requires that passwords be send unencrypted through e-mail.  While more secure than "MAIL-FROM", it is possible for this password to be intercepted by unauthorised users.  If more security is desired, the PGPKEY scheme is recommended.  Please see the Database FAQ for more information.

d. Links for more information

Useful documentation:

If you have any questions, please contact the RIPE Database Administration <ripe-dbm _at_ ripe _dot_ net>.