nanog mailing list archives

Re: Why do so few mail providers support Port 587?


From: "Steven M. Bellovin" <smb () cs columbia edu>
Date: Mon, 28 Feb 2005 13:40:38 -0500


In message <Pine.GSO.4.58.0502252320550.6102 () clifden donelan com>, Sean Donelan writes:

> Requiring end-user computers to use authenticated Port 587 and blocking
> end-user computers access to port 25 has several advantages:
>
>       2. Lets the authenticated mail server conduct additional
> anti-virus checks on outgoing mail even if the end-user's computer was
> compromised or had out-of-date virus definitions.
>       3. Separates authenticated mail submission (port 587) from other
> mail protocols (25, 110, 143, etc) simplifying network controls (no
> deep-packet inspection) for end-user computers.  Eliminates some of the
> existing problems with trying to do transparent proxying of port 25 from
> end-user computers.

What these two boil down to is a much simpler mail system architecture,
which in turn translates to a more secure mail system and an
easier-to-administer one.

Consider the control flow if you're trying to use port 25 for 
everything:

        Send a 220

        If you see an EHLO, advertise that you support STARTTLS

        If you receive a STARTTLS and another EHLO, advertise that
        you support AUTH -- you don't want to do authentication
        over insecure connections, especially if your goal is to
        support roaming wireless users.

        Accept inbound email.  Check if the user was authenticated.
        If so, permit relaying; also do rate checks.  If not, don't
        permit relaying, but do run anti-spam software.

        Do virus checks.  If authenticated, notify the sender that
        either their machine is infested with *something* or their
        credentials have been stolen.  If unauthenticated, discard;
        it's probably a joe job.

The point is that authenticated status has to be retained and checked
frequently.

If you're using 587, the subscriber flow is like this:

        Send a 220

        Don't accept anything until you see STARTTLS

        Don't do anything until you see an AUTH

        Accept inbound mail, do rate checks and virus checks, and
        bounce accordingly

For port 25:

        Send a 220

        Optionally permit (but don't require) STARTTLS

        Accept inbound mail.  Do virus and spam checks, and drop
        as needed.  Don't permit relaying

Both are simpler; neither requires retained global state.
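Bellovin's two control flows, as an added example that is not part of his post: a toy Python model of each server's command policy. Only command ordering is modelled; TLS, credentials and message content are stand-ins, and example.net is a constructed local domain.

```python
# Added example (not the thread's code): toy models of the two flows above.

LOCAL_DOMAIN = "example.net"   # constructed: the only domain the MX accepts for

def submission_server(commands):
    """Port 587 flow: refuse everything until STARTTLS, then until AUTH."""
    tls = authed = False
    replies = ["220"]
    for line in commands:
        verb = line.split()[0].upper()
        if verb == "EHLO":
            # Advertise only the next step the client is expected to take.
            replies.append("250 STARTTLS" if not tls else
                           "250 AUTH" if not authed else "250")
        elif verb == "STARTTLS":
            replies.append("503" if tls else "220")
            tls = True
        elif verb == "AUTH":
            # Never authenticate in the clear; constructed: any credential passes.
            replies.append("235" if tls else "530")
            authed = authed or tls
        elif verb in ("MAIL", "RCPT", "DATA"):
            # Relaying (plus rate and virus checks) only for authenticated users.
            replies.append("250" if authed else "530")
        else:
            replies.append("221" if verb == "QUIT" else "500")
    return replies

def mx_server(commands):
    """Port 25 flow: STARTTLS optional, no AUTH, relaying never permitted."""
    replies = ["220"]
    for line in commands:
        parts = line.split()
        verb = parts[0].upper()
        if verb == "EHLO":
            replies.append("250 STARTTLS")   # offered, not required
        elif verb == "AUTH":
            replies.append("502")            # submission belongs on 587
        elif verb == "RCPT":
            # Accept only local recipients; no retained auth state is needed.
            rcpt = parts[1].split(":", 1)[1].strip("<>")
            local = rcpt.rsplit("@", 1)[-1].lower() == LOCAL_DOMAIN
            replies.append("250" if local else "550")
        elif verb in ("STARTTLS", "MAIL", "DATA"):
            replies.append("220" if verb == "STARTTLS" else "250")
        else:
            replies.append("221" if verb == "QUIT" else "500")
    return replies
```

The submission model needs only two booleans that advance in a fixed order, while the MX model needs none: that is the "no retained global state" point.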
