nanog mailing list archives
Re: Outgoing SMTP Servers
From: Owen DeLong <owen () delong com>
Date: Tue, 25 Oct 2011 09:55:58 -0700
On Oct 25, 2011, at 8:46 AM, William Herrin wrote:
> On Tue, Oct 25, 2011 at 5:49 AM, Owen DeLong <owen () delong com> wrote:
>> On Oct 24, 2011, at 11:13 PM, William Herrin wrote:
>>> Blocking outbound TCP SYN packets on port 25 from non-servers is considered a BEST PRACTICE to avoid being the source of snowshoe and botnet spam. Blocking it from legitimate mail servers... does not make sense. The SMTP submission port (TCP 587) is authenticated and should generally not be blocked.
>> Interesting... Most people I know run the same policy on 25 and 587 these days...
> Owen,
> Perhaps you misunderstand the issue. The issue is not relaying mail through someone else's mail server, it's delivering mail to a mailbox served by that mail server. 99.99 etc. percent of the time when that's done directly from an IP address that's supposed to be a user PC it's some form of spam. Hence the best practice within the email community is to ask the networking community to block those packets outright. And it's why residential ISPs who fail to tend to find their way into Spamcop, Spamhaus and others. Facilitating that sort of network filtering is precisely why authenticated SMTP relaying was assigned port 587 instead of leaving it on port 25.
Wouldn't the right place for that form of rejection to occur be at the mail server in question? Precluding users doing legitimate things just because there are users who do illegitimate things is damaging to the internet and I will continue to route around it. I reject lots of residential connections to my port 25 services every day. However, senders who authenticate legitimately or legitimate sources of email (and yes, some spam sources too) connect just fine.
> On Tue, Oct 25, 2011 at 11:28 AM, Carlos Martinez-Cagnazzo <carlosm3011 () gmail com> wrote:
>> I'm curious how a traveller is supposed to get SMTP relay service when, well, travelling. I am not really sure if I want a VPN for sending a simple email.
> That's what the SMTP submission port (TCP 587) is intended for and it's why outbound 587 should not be blocked. In fact, blocking 587 can cause problems with folks who use the Sender Policy Framework to restrict the servers allowed to pass mail from a particular domain outward.
So the spammers move to 587 and problem solved.
Owen
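The port 25 egress policy debated in this thread, as an added example that is not part of the original message or of any poster's configuration: it applies the rule "drop new outbound connections to TCP 25 from subscriber space unless the source is a designated mail server, always pass TCP 587" to a set of flow records and counts the dropped attempts per source. The address ranges, the mail-server list and the flow records are constructed for illustration (RFC 5737 documentation prefixes).

```python
import ipaddress
from collections import Counter

# Constructed addressing plan (assumptions, not taken from the thread).
SUBSCRIBER_NETS = [ipaddress.ip_network("198.51.100.0/24")]  # residential "user PC" space
MAIL_SERVERS = {ipaddress.ip_address("198.51.100.25")}       # hosts expected to deliver on 25

SMTP, SUBMISSION = 25, 587


def decide(src, dport, syn):
    """Return 'drop' or 'allow' for one outbound TCP packet."""
    addr = ipaddress.ip_address(src)
    if not syn:
        return "allow"   # only new connections (SYN) are policed
    if dport == SUBMISSION:
        return "allow"   # authenticated submission stays reachable
    in_subscriber_space = any(addr in net for net in SUBSCRIBER_NETS)
    if dport == SMTP and in_subscriber_space and addr not in MAIL_SERVERS:
        return "drop"    # direct-to-MX delivery from a non-server
    return "allow"


def blocked_sources(flows):
    """Count dropped port 25 SYNs per source address.

    A source with many drops to many destinations is a candidate for an
    infected-host notice rather than just a silent filter hit.
    """
    hits = Counter()
    for src, _dst, dport, syn in flows:
        if decide(src, dport, syn) == "drop":
            hits[src] += 1
    return hits


# Constructed flow records: (source, destination, destination port, SYN flag)
SAMPLE_FLOWS = [
    ("198.51.100.77", "203.0.113.10", 25, True),    # subscriber, direct to MX
    ("198.51.100.77", "203.0.113.11", 25, True),
    ("198.51.100.77", "203.0.113.12", 25, True),
    ("198.51.100.40", "203.0.113.10", 587, True),   # subscriber using submission
    ("198.51.100.25", "203.0.113.10", 25, True),    # designated mail server
    ("198.51.100.40", "203.0.113.10", 25, False),   # not a SYN, not policed
    ("192.0.2.9", "203.0.113.10", 25, True),        # outside subscriber space
]

if __name__ == "__main__":
    for src, count in blocked_sources(SAMPLE_FLOWS).items():
        print(f"{src}: {count} port 25 SYNs dropped")
```

Port 587 is passed unconditionally here, so anything that happens on it is controlled by the submission server's authentication, not by this filter.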