Educause Security Discussion mailing list archives
Re: Does anyone know how Verizon's outbound, external mail (port 587) is going to work?
From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Fri, 25 Sep 2009 10:41:23 -0400
On Thu, 24 Sep 2009 08:17:15 EDT, Peter Charbonneau said:
> I am wondering exactly how this is going to work. Do we punch holes in our firewalls to allow tcp port 587 inbound to our mail networks,
Yes, you should have been expecting needing to allow your users to use port 587 to submit to your mailservers for *years* now. The RFCs:

2476 Message Submission. R. Gellens, J. Klensin. December 1998. (Format: TXT=30050 bytes) (Obsoleted by RFC4409) (Status: PROPOSED STANDARD)

4409 Message Submission for Mail. R. Gellens, J. Klensin. April 2006. (Format: TXT=34911 bytes) (Obsoletes RFC2476) (Status: DRAFT STANDARD)

It's been coming for a decade now...

The general framework is this:

1) If an end user has an e-mail address 'fred () foo bar', their PC/whatever composes the e-mail, and submits it over an authenticated connection to foo.bar's mail server on port 587.

2) foo.bar's mail server then contacts other mailservers as needed and forwards the mail on port 25.

This provides several benefits:

1) ISPs can block outbound port 25 to reduce spam from zombied user machines. (Yes, fred () foo bar can still be zombied, and can still steal fred's credentials and send it through foo.bar's mail servers - but it's presumed that the guys running those mail servers will notice when fred sends 100,000 pieces of e-mail and do something reasonable about it...)

1a) This also makes it easier to run block-lists of end-user address ranges and reputation services for mail servers (since there's a lot fewer mail servers than user PCs)....

2) The mailserver catching the mail on port 587 then *knows* that it's an initial submission of mail, and can do a bunch of cleanups (fix any missing or not-fully-qualified hostnames, Date: headers, etc) that it couldn't do if the mail might be from another mailserver.
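An added example, not part of the original message: one way a mail operator could "notice when fred sends 100,000 pieces of e-mail" is to count authenticated port-587 submissions per SASL user in a sliding window. The log lines are constructed in a Postfix-style format; the hostnames, addresses, threshold and function names are assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Postfix-style line logged when an authenticated client submits a message.
# Assumes ISO 8601 timestamps and lines in chronological order.
LINE = re.compile(
    r"^(?P<ts>\S+) \S+ postfix/submission/smtpd\[\d+\]: \w+: "
    r"client=\S+, sasl_method=\S+, sasl_username=(?P<user>\S+)$"
)

def flag_heavy_senders(lines, limit, window=timedelta(hours=1)):
    """Return {user: peak count} for users with more than `limit`
    authenticated submissions inside any sliding `window`."""
    recent = defaultdict(deque)  # user -> timestamps still inside the window
    peak = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # port-25 relay traffic and other log noise
        ts = datetime.fromisoformat(m["ts"])
        q = recent[m["user"]]
        q.append(ts)
        while ts - q[0] > window:  # drop submissions older than the window
            q.popleft()
        if len(q) > limit:
            peak[m["user"]] = max(peak.get(m["user"], 0), len(q))
    return peak

def sample_log():
    """Constructed sample: alice sends 3 messages an hour apart,
    fred's account bursts 30 messages in five minutes."""
    t0 = datetime(2009, 9, 25, 10, 0, 0)
    fmt = ("{} mx1 postfix/submission/smtpd[4242]: {:06X}: "
           "client=host.example[192.0.2.{}], sasl_method=PLAIN, sasl_username={}")
    out = [fmt.format((t0 + timedelta(hours=h)).isoformat(), h, 10, "alice")
           for h in range(3)]
    out += [fmt.format((t0 + timedelta(seconds=10 * i)).isoformat(), 0x100 + i, 77, "fred")
            for i in range(30)]
    out.append(t0.isoformat() + " mx1 postfix/smtpd[4243]: connect from mail.example[198.51.100.5]")
    return sorted(out)  # ISO timestamps sort chronologically

if __name__ == "__main__":
    for user, count in flag_heavy_senders(sample_log(), limit=20).items():
        print(f"{user}: {count} submissions within one hour")
```

Keying on the authenticated username rather than the client address is what the port-587 model makes possible: the same check cannot be done for unauthenticated port-25 traffic.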