Educause Security Discussion mailing list archives

Re: Port 25 blocks


From: Dave Koontz <dkoontz () MBC EDU>
Date: Wed, 12 Jan 2005 17:16:43 -0500

While a smaller college, we had absolutely no backlash when we began
blocking port 25 inbound and outbound during the last academic year.

What we discovered was that most of our users would use their ISP's
"WebMail" from on campus.  There were only a few that wanted to use a
traditional client.  In those cases, they were usually able to use Secure
SMTP with authentication (but this of course depends on the ISP).

On the flip side, those users who configured clients to send their ISP email
through our campus server as a relay, often times were getting flagged as
SPAM.  Many ISPs in our area have implemented SPF (Sender Policy
Framework).  Since the IP of our mail server does not match the ISP's SPF
records, it is often classified as SPAM by the receiving server.

---
Dave Koontz
Associate Director CIS
Mary Baldwin College
Staunton, VA 24401

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jim Barlow
Sent: Wednesday, January 12, 2005 4:01 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Port 25 blocks

Our site currently blocks port 25 inbound to all hosts except our mail
servers.  We are now looking at blocking outbound port 25 as well.
The reason for this is to control any internal host that might be infected
with a virus and starts sending out SPAM or other virus email which wouldn't
pass through our mail server and get caught.
This could also serve to alert us when an internal host is infected with
something.

The problem with this is that there are a number of people who have machines
(laptops primarily) configured to do SMTP with their home cable modem/DSL
company.  They don't want to have to have two configurations to deal with
(one for work, one for home) and we would like to come up with a solution
that would affect the least amount of people.  We could have them use our
SMTP servers all the time, but they are then required to POP before SMTP in
order for our email servers to relay mail from an outside IP (just FYI, we
do require non-cleartext POP auths :-).
This will work for some, but there are other cases where it won't.
Another possible solution would be for the routers to re-write headers for
anything outbound to port 25 to send it through the mail server.  However, I
don't know if this has been done, or currently is being done anywhere.

So we are wondering if anyone else currently blocks port 25 outbound and
what they did to solve some of these problems.

Thanks in advance.


--
James J. Barlow   <jbarlow () ncsa uiuc edu>
Head of Security Operations and Incident Response
National Center for Supercomputing Applications    Voice : (217)244-6403
605 East Springfield Avenue   Champaign, IL 61820   Cell : (217)840-0601
http://www.ncsa.uiuc.edu/~jbarlow                    Fax : (217)244-1987

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/groups/.
