Educause Security Discussion mailing list archives

Re: Outbound SMTP


From: Michael Sinatra <michael () RANCID BERKELEY EDU>
Date: Fri, 25 Apr 2008 10:59:10 -0700

Jenkins, Matthew wrote:
> Randall, you are having a bad day!
>
> Well, I have not received a single response saying “we allow outbound smtp.” I appreciate the feedback from everyone.

We allow outbound SMTP.

We do not believe in blocking ports wholesale at the border unless absolutely necessary and we set a high bar for what constitutes "absolutely necessary." Instead, we enforce minimum standards for the security of hosts to prevent them from being compromised in the first place, we automate the process of blocking hosts and/or users on our wired, wireless, VPN, and even dial-up networks (including documentation of what's blocked and why), and we carefully monitor network traffic (not contents) for anomalies. We are able to react quickly when hosts become compromised, but the problem of SPAMbots is still a small one for us.

I don't think that blocking ports at the border benefits too many people other than security officers. It clearly imposes costs on campus researchers. UC Berkeley is where sendmail, the first SMTP MTA (and still the most popular), was developed. The security record of that software speaks to the era in which it was developed (yet the track record of its developers in fixing those problems is quite admirable). Nevertheless, I can't help but imagine what new software and new innovations are being developed on our campuses that we are stifling because of well-intentioned security policies.

Joe may have disclaimed that his opinions are his own, but I hear them echoed over and over again, not just by Deke, but by our own researchers. I'd rather work with them than against them.

michael
