nanog mailing list archives

Re: Blocking MX query


From: Michael Thomas <mike () mtcc com>
Date: Tue, 04 Sep 2012 12:12:56 -0700

On 09/04/2012 11:55 AM, William Herrin wrote:
> On Tue, Sep 4, 2012 at 12:59 PM, Michael Thomas <mike () mtcc com> wrote:
>> On 09/04/2012 05:05 AM, William Herrin wrote:
>>> There are no "good" subscribers trying to send email direct to a
>>> remote port 25 from behind a NAT. The "good" subscribers are either
>>> using your local smart host or they're using TCP port 587 on their
>>> remote mail server. You may safely block outbound TCP with a
>>> destination of port 25 from behind your NAT without harming reasonable
>>> use of your network.
>> Would that were true going forward. Consider a world where your
>> home is chock full of purpose-built devices, most likely with an
>> embedded web browser for configuration where you have a
>> username/password for each. In the web world this works because
>> there is a hidden assumption that you can use email for user/password
>> reset/recovery and that it works well.
> Hi Mike,
>
> A. What device do you offer as an example of this? I haven't stumbled
> across one yet. Web sites yes. Physical home devices, no.
>
> What I *have* seen is devices that call out to a web server, you make
> an account on the remote web server to configure them and then all the
> normal rules about accounts on remote web servers apply.

I want to buy hardware from people, not their ill-conceived "cloud"
service that dies when there's no more business case for it and is probably
evil anyway.


> B. Bad hidden assumption. Expect it to fail as more than a few cable
> and DSL providers are blocking random port 25 outbound. Besides, some
> folks change email accounts like they change underwear. Relying on
> that email address still working a year from now is not smart.


I'm well aware of port 25 blocking. I'm saying your assumption
that there is *never* any reason for a home originating port 25
traffic is a bad one. It's never been a good one, but the collateral
damage was pretty low when NATs are in the way. v6 will change
that, and the collateral damage will rise. Unless you can come up
with another ubiquitous out-of-band method for account recovery,
expect the tension -- and help desk calls -- to increase.

Mike
