Educause Security Discussion mailing list archives
Re: Port 25 blocks
From: Dave Koontz <dkoontz () MBC EDU>
Date: Wed, 12 Jan 2005 17:16:43 -0500
While a smaller college, we had absolutely no backlash when we began blocking port 25 inbound and outbound during the last academic year. What we discovered was that most of our users would use their ISP's "WebMail" from on campus. There were only a few that wanted to use a traditional client. In those cases, they were usually able to use Secure SMTP with authnetication (but this of course depends on the ISP). On the flip side, those users who configured clients to send their ISP email through our campus server as a relay, often times were getting flagged as SPAM. Many ISP's in our area have implemented SPF (Sender Policy Framework). Since the IP of our mail server does not match the ISP's SPF records, it is often classified as SPAM by the receiving server. --- Dave Koontz Associate Director CIS Mary Baldwin College Staunton, VA 24401 -----Original Message----- From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jim Barlow Sent: Wednesday, January 12, 2005 4:01 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [SECURITY] Port 25 blocks Our site currently blocks port 25 inbound to all hosts except our mail servers. We are now looking at blocking outbound port 25 as well. The reason for this is to control any internal host that might be infected with a virus and starts sending out SPAM or other virus email which wouldn't pass through our mail server and get caught. This could also serve to alert us when an internal host is infected with something. The problem with this is that there are a number of people who have machines (laptops primarily) configured to do SMTP with their home cable modem/DSL company. They don't want to have to have two configurations to deal with (one for work, one for home) and we would like to come up with a solution that would affect the least amount of people. We could have them use our SMTP servers all the time, but they are then required to POP before SMTP in order for our email servers to relay mail from an outside IP (just FYI, we do require non-cleartext POP auths :-). This will work for some, but there are other cases where it won't. Another possible solution would be for the routers to re-write headers for anything outbound to port 25 to send it through the mail server. However, I don't know if this has been done, or currently is being done anywhere. So we are wondering if anyone else currently blocks port 25 outbound and what they did to solve some of these problems. Thanks in advance. -- James J. Barlow <jbarlow () ncsa uiuc edu> Head of Security Operations and Incident Response National Center for Supercomputing Applications Voice : (217)244-6403 605 East Springfield Avenue Champaign, IL 61820 Cell : (217)840-0601 http://www.ncsa.uiuc.edu/~jbarlow Fax : (217)244-1987 ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
Current thread:
- Port 25 blocks Jim Barlow (Jan 12)
- <Possible follow-ups>
- Re: Port 25 blocks Justin Azoff (Jan 12)
- Re: Port 25 blocks Gary Dobbins (Jan 12)
- Re: Port 25 blocks Rob Tanner (Jan 12)
- Re: Port 25 blocks Dave Koontz (Jan 12)
- Re: Port 25 blocks Jon Mitchiner (Jan 12)
- Re: Port 25 blocks Chris Edwards (Jan 12)