Re: Port 25 blocks

[Chris Edwards <chris () ENG GLA AC UK>]

On Wed, 12 Jan 2005, Jim Barlow wrote:

| Our site currently blocks port 25 inbound to all hosts except our mail
| servers.  We are now looking at blocking outbound port 25 as well.
| The reason for this is to control any internal host that might
| be infected with a virus and starts sending out SPAM or other virus
| email which wouldn't pass through our mail server and get caught.

Absolutely - you can have the world's best filtering on your mail server,
but it doesn't help much where the viruses spam out direct on port 25...

| The problem with this is that there are a number of people who have
| machines (laptops primarily) configured to do SMTP with their home cable
| modem/DSL company.  They don't want to have to have two configurations
| to deal with (one for work, one for home) and we would like to come up
| with a solution

[...]

| So we are wondering if anyone else currently blocks port 25 outbound
| and what they did to solve some of these problems.

Except for registered mail servers, we've blocked port 25 inbound since
1998 and outbound since 2003.

The world is moving to separate mail submission (client->server) from
server->server communication.  In particular, submission is rapidly moving
off port 25 onto ports 465 and/or 587, which, combined with strong
authentication and encryption means the same settings can be used from
*anywhere*.

I don't know if the "home cable modem/DSL company(s)" in question provide
such a service. But, with more and more ISPs *and* enterprises blocking
port 25 both ways, everyone has the right to expect their mail provider to
provide such a submission service.  If they aren't already doing so, they
should soon be...

See:

  http://www.ietf.org/internet-drafts/draft-hutzler-spamops-02.txt

--
Chris Edwards, Glasgow University Computing Service

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.