Educause Security Discussion mailing list archives

Re: Outbound SMTP


From: Roger Safian <r-safian () NORTHWESTERN EDU>
Date: Fri, 25 Apr 2008 12:46:44 -0500

At 11:51 AM 4/25/2008, Michael Van Norman put fingers to keyboard and wrote:
 Joe, you have a fair point, but you are making it a bit extreme. I
would agree, in some contexts, when it comes to NAC, for example. Yet,
the suggestion that blocking port 25 outbound is problematic for
usability isn't very sustainable.

A researcher on your campus is developing an application that uses
e-mail and incorporates its own MTA.  A port 25 block breaks that.  That
to me is a problem with network usability, not an extreme position.

Are you suggesting that a filter is always binary?  On for the entire
network or off?  If so, then perhaps that's extreme, but, as we all
know, exceptions can be made.  Fortunately these types of exceptions
are not that difficult to deal with.

This brings me to one of my concerns.  Why do we have to engineer our
entire networks in one fashion?  How about a research network, where
port 25 was open, and an administrative network where it's not?  If
every time I say let's do X, you respond with but so and so needs X,
we make no progress.  How about we do X, where practical, and still
allow so and so the use of an open network?  If network security
is going to make significant strides we need to quit catering
to the least common denominator.




--
Roger A. Safian
r-safian () northwestern edu (email) public key available on many key servers.
(847) 491-4058   (voice)
(847) 467-6500   (Fax) "You're never too old to have a great childhood!"
