Educause Security Discussion mailing list archives

Re: Port 25 blocks

From: Rob Tanner <rtanner () LINFIELD EDU>
Date: Wed, 12 Jan 2005 13:56:06 -0800

--On Wednesday, January 12, 2005 03:01:23 PM -0600 Jim Barlow
<jbarlow () NCSA UIUC EDU> wrote:

Our site currently blocks port 25 inbound to all hosts except our mail
servers.  We are now looking at blocking outbound port 25 as well.
The reason for this is to control any internal host that might
be infected with a virus and starts sending out SPAM or other virus
email which wouldn't pass through our mail server and get caught.
This could also serve to alert us when an internal host is infected with
something.

The problem with this is that there are a number of people who have
machines (laptops primarily) configured to do SMTP with their home cable
modem/DSL company.  They don't want to have to have two configurations
to deal with (one for work, one for home) and we would like to come up
with a solution that would affect the least amount of people.  We could
have them use our SMTP servers all the time, but they are then required
to POP before SMTP in order for our email servers to relay mail from
an outside IP (just FYI, we do require non-cleartext POP auths :-).
This will work for some, but there are other cases where it won't.
Another possible solution would be for the routers to re-write headers for
anything outbound to port 25 to send it through the mail server.  However,
I don't know if this has been done, or currently is being done anywhere.

So we are wondering if anyone else currently blocks port 25 outbound
and what they did to solve some of these problems.

Thanks in advance.


At Linfield, we use AUTH-SMTP which is a functionality both sendmail and
postfix support.  The authentication is done via the SMTP handshake.  The
down side is that it requires a client to support it.  Our client of choice,
which we distribute for Windows, Mac and Linux users is Mulberry, and
Mulberry does support it AUTH-SMTP.  AUTH-SMTP works well for us on two
accounts, not just for those who take their laptops home with them, but also
for when they travel.

Another possibility: home many different cable modem/DSL providers are there
in your area.  Perhaps you can just leave port 25 access open to just those
ip addresses.

--
Rob Tanner
UNIX Services Manager
Linfield College, McMinnville OR

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.

Current thread:

Port 25 blocks Jim Barlow (Jan 12)
- <Possible follow-ups>
- Re: Port 25 blocks Justin Azoff (Jan 12)
- Re: Port 25 blocks Gary Dobbins (Jan 12)
- Re: Port 25 blocks Rob Tanner (Jan 12)
- Re: Port 25 blocks Dave Koontz (Jan 12)
- Re: Port 25 blocks Jon Mitchiner (Jan 12)
- Re: Port 25 blocks Chris Edwards (Jan 12)