Educause Security Discussion mailing list archives
Re: Port 25 blocks
From: Rob Tanner <rtanner () LINFIELD EDU>
Date: Wed, 12 Jan 2005 13:56:06 -0800
--On Wednesday, January 12, 2005 03:01:23 PM -0600 Jim Barlow <jbarlow () NCSA UIUC EDU> wrote:
Our site currently blocks port 25 inbound to all hosts except our mail servers. We are now looking at blocking outbound port 25 as well. The reason for this is to control any internal host that might be infected with a virus and starts sending out SPAM or other virus email which wouldn't pass through our mail server and get caught. This could also serve to alert us when an internal host is infected with something.

The problem with this is that there are a number of people who have machines (laptops primarily) configured to do SMTP with their home cable modem/DSL company. They don't want to have to have two configurations to deal with (one for work, one for home), and we would like to come up with a solution that would affect the fewest people. We could have them use our SMTP servers all the time, but they are then required to POP before SMTP in order for our email servers to relay mail from an outside IP (just FYI, we do require non-cleartext POP auths :-). This will work for some, but there are other cases where it won't.

Another possible solution would be for the routers to re-write headers for anything outbound to port 25 to send it through the mail server. However, I don't know if this has been done, or currently is being done anywhere.

So we are wondering if anyone else currently blocks port 25 outbound and what they did to solve some of these problems. Thanks in advance.
At Linfield, we use AUTH-SMTP, which is a functionality both sendmail and postfix support. The authentication is done via the SMTP handshake. The down side is that it requires a client to support it. Our client of choice, which we distribute for Windows, Mac and Linux users, is Mulberry, and Mulberry does support AUTH-SMTP. AUTH-SMTP works well for us on two accounts: not just for those who take their laptops home with them, but also for when they travel.

Another possibility: how many different cable modem/DSL providers are there in your area? Perhaps you can just leave port 25 access open to those IP addresses.

-- 
Rob Tanner
UNIX Services Manager
Linfield College, McMinnville OR

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
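The egress policy Jim describes (outbound port 25 permitted only from the mail servers), Rob's variant of also leaving it open toward a few local ISP netblocks, and the "alert us when a host is infected" side effect can all be expressed in a few lines. The following is an added example written for this archive page, not code from either poster or from any campus; the netblocks, mail-server addresses, log prefix and the iptables-style log lines are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed policy data (assumptions for this example, not the thread's real addresses).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
MAIL_SERVERS = {"10.1.1.25", "10.1.1.26"}  # the only internal hosts allowed to speak SMTP outbound
# Rob's second suggestion: leave port 25 open toward a few local ISP netblocks (hypothetical ranges).
ISP_SMTP_NETS = [ipaddress.ip_network("198.51.100.0/24"),
                 ipaddress.ip_network("203.0.113.0/24")]


def egress_decision(src_ip, dst_ip, dst_port):
    """Decide 'allow' or 'deny' for a new outbound TCP connection at the border."""
    if dst_port != 25:
        return "allow"                      # the policy only concerns SMTP
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    if not any(src in net for net in INTERNAL_NETS):
        return "allow"                      # not our egress traffic; inbound rules handle it
    if src_ip in MAIL_SERVERS:
        return "allow"                      # the campus mail servers may relay
    if any(dst in net for net in ISP_SMTP_NETS):
        return "allow"                      # laptops talking to their home ISP's SMTP server
    return "deny"                           # everything else is blocked (and logged)


# Fields an iptables LOG rule writes for a TCP packet; only TCP lines are of interest.
LOG_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)")


def find_suspect_hosts(log_lines, min_distinct_dsts=3):
    """Return internal hosts whose denied port-25 connects fanned out to several
    distinct destinations: the signature of a bot mailing around the campus server."""
    dsts = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m.group("dpt") == "25":
            dsts[m.group("src")].add(m.group("dst"))
    return sorted(src for src, seen in dsts.items() if len(seen) >= min_distinct_dsts)


# Constructed log lines in iptables LOG format; the SMTP-EGRESS-DENY prefix is assumed.
SAMPLE_LOG = [
    "Jan 12 13:56:06 gw kernel: SMTP-EGRESS-DENY IN=eth1 OUT=eth0 SRC=10.20.30.40 DST=192.0.2.10 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1001 DF PROTO=TCP SPT=3456 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Jan 12 13:56:07 gw kernel: SMTP-EGRESS-DENY IN=eth1 OUT=eth0 SRC=10.20.30.40 DST=192.0.2.20 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1002 DF PROTO=TCP SPT=3457 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Jan 12 13:56:08 gw kernel: SMTP-EGRESS-DENY IN=eth1 OUT=eth0 SRC=10.20.30.40 DST=192.0.2.30 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1003 DF PROTO=TCP SPT=3458 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0",
    # one denied connect from a second host: a misconfigured client, not a fan-out pattern
    "Jan 12 13:57:01 gw kernel: SMTP-EGRESS-DENY IN=eth1 OUT=eth0 SRC=10.20.30.41 DST=192.0.2.10 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2001 DF PROTO=TCP SPT=4001 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0",
    # unrelated web traffic that happened to hit a logging rule; ignored by the port filter
    "Jan 12 13:57:02 gw kernel: OTHER-DENY IN=eth1 OUT=eth0 SRC=10.20.30.42 DST=192.0.2.10 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=3001 DF PROTO=TCP SPT=4002 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0",
]


def summarize(log_lines=SAMPLE_LOG):
    """Hosts to look at first, for the daily report or a pager alert."""
    return {"suspect_hosts": find_suspect_hosts(log_lines)}


if __name__ == "__main__":
    print(summarize())
```

The distinct-destination threshold matters more than the raw count: a laptop with a stale home-ISP SMTP setting retries one server, while a spam bot tries many. Note that the ISP-netblock exception means an infected laptop can still deliver directly to those providers' servers, so the logging rule should cover allowed port-25 connects from non-mail-server hosts as well, not only the denies.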
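Rob's point that AUTH-SMTP does the authentication "via the SMTP handshake", and the relay question underneath Jim's POP-before-SMTP setup, are easier to see with both sides of the exchange written out. The following is an added example for this page, not code from Linfield, sendmail or postfix: it builds the client's AUTH PLAIN line (RFC 4616 format), verifies it server-side against a constructed credential store, and then applies the postfix-style relay rule (permit local networks, permit authenticated clients, otherwise reject mail for foreign domains). The usernames, passwords, networks and domain are assumptions.

```python
import base64
import hashlib
import hmac
import ipaddress

# Constructed credential store: user -> (salt, PBKDF2 hash). A real store uses a
# random salt per user; a fixed one is used here only to keep the example short.
_SALT = b"constructed-example-salt"


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


USERS = {"rtanner": (_SALT, _hash("correct horse battery", _SALT))}

MYNETWORKS = [ipaddress.ip_network("10.0.0.0/8")]   # campus address space (assumed)
LOCAL_DOMAINS = {"example.edu"}                      # domains this server accepts mail for (assumed)


def client_auth_plain(user, password):
    """What the client sends: AUTH PLAIN base64(authzid NUL authcid NUL passwd)."""
    blob = b"\0" + user.encode() + b"\0" + password.encode()
    return "AUTH PLAIN " + base64.b64encode(blob).decode()


def server_verify_auth_plain(command):
    """Server side of the handshake: returns (SMTP reply, authenticated user or None)."""
    try:
        verb, mech, blob = command.split(" ", 2)
        if verb != "AUTH" or mech != "PLAIN":
            return "504 5.5.4 Unrecognized authentication type", None
        # binascii.Error (bad base64) is a ValueError subclass, so one except covers both
        parts = base64.b64decode(blob, validate=True).split(b"\0")
        if len(parts) != 3:
            raise ValueError("expected authzid NUL authcid NUL passwd")
        _authzid, authcid, passwd = parts
    except ValueError:
        return "501 5.5.2 Cannot decode response", None
    user = authcid.decode(errors="replace")
    rec = USERS.get(user)
    # constant-time compare against a real record, or a dummy when the user is unknown,
    # so timing does not reveal which usernames exist
    salt, expected = rec if rec else (_SALT, b"\0" * 32)
    if not hmac.compare_digest(_hash(passwd.decode(errors="replace"), salt), expected) or rec is None:
        return "535 5.7.8 Authentication credentials invalid", None
    return "235 2.7.0 Authentication successful", user


def relay_decision(client_ip, authenticated_user, rcpt_domain):
    """Recipient restrictions in the order postfix would evaluate them:
    permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in MYNETWORKS):
        return "permit_mynetworks"             # on-campus client
    if authenticated_user:
        return "permit_sasl_authenticated"     # roaming laptop that authenticated
    if rcpt_domain in LOCAL_DOMAINS:
        return "permit_local_destination"      # inbound mail for our own users
    return "reject_unauth_destination"         # an open relay is exactly what this prevents


def session(client_ip, user, password, rcpt_domain):
    """One abbreviated session: AUTH, then the verdict for a MAIL/RCPT to rcpt_domain."""
    reply, who = server_verify_auth_plain(client_auth_plain(user, password))
    return reply, relay_decision(client_ip, who, rcpt_domain)


if __name__ == "__main__":
    print(session("203.0.113.5", "rtanner", "correct horse battery", "example.com"))
    print(session("203.0.113.5", "rtanner", "wrong", "example.com"))
```

AUTH PLAIN carries the password base64-encoded, which is cleartext for anyone on the path; the same concern the thread raises for POP applies, so a server should offer PLAIN only after STARTTLS.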
Current thread:
- Port 25 blocks Jim Barlow (Jan 12)
- <Possible follow-ups>
- Re: Port 25 blocks Justin Azoff (Jan 12)
- Re: Port 25 blocks Gary Dobbins (Jan 12)
- Re: Port 25 blocks Rob Tanner (Jan 12)
- Re: Port 25 blocks Dave Koontz (Jan 12)
- Re: Port 25 blocks Jon Mitchiner (Jan 12)
- Re: Port 25 blocks Chris Edwards (Jan 12)