Educause Security Discussion mailing list archives

Re: Does anyone know how Verizon's outbound, external mail (port 587) is going to work?


From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Fri, 25 Sep 2009 10:41:23 -0400

On Thu, 24 Sep 2009 08:17:15 EDT, Peter Charbonneau said:
   I am wondering exactly how this is going to work. Do we punch holes in
   our firewalls to allow tcp port 587 inbound to our mail networks,

Yes, you should have been expecting to need to allow your users to use
port 587 to submit to your mailservers for *years* now. The RFCs:

2476 Message Submission. R. Gellens, J. Klensin. December 1998.
     (Format: TXT=30050 bytes) (Obsoleted by RFC4409) (Status: PROPOSED
     STANDARD)

4409 Message Submission for Mail. R. Gellens, J. Klensin. April 2006.
     (Format: TXT=34911 bytes) (Obsoletes RFC2476) (Status: DRAFT
     STANDARD)

It's been coming for a decade now...

The general framework is this:

1) If an end user has an e-mail address 'fred@foo.bar', their PC/whatever
composes the e-mail, and submits it over an authenticated connection to
foo.bar's mail server on port 587.

2) foo.bar's mail server then contacts other mailservers as needed and
forwards the mail on port 25.

This provides several benefits:

1) ISPs can block outbound port 25 to reduce spam from zombied user machines.
(Yes, fred@foo.bar can still be zombied, and can still steal fred's credentials
and send it through foo.bar's mail servers - but it's presumed that the guys
running those mail servers will notice when fred sends 100,000 pieces of
e-mail and do something reasonable about it...)

1a) This also makes it easier to run block-lists of end-user address
ranges and reputation services for mail servers (since there's a lot
fewer mail servers than user PCs)....

2) The mailserver catching the mail on port 587 then *knows* that it's
an initial submission of mail, and can do a bunch of cleanups (fix any
missing or not-fully-qualified hostnames, Date: headers, etc) that it
couldn't do if the mail might be from another mailserver.

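The two-step framework above (authenticated submission on 587, relay on 25), together with the two things the post expects the submission server to do once it knows a message is an initial submission (fix up missing or unqualified headers, and notice when one account suddenly sends far more than usual), as an added example that is not part of the original post and not any vendor's code. A small Python model: the domain foo.bar and user fred come from the post; the hostname-qualification rule, the volume window and the limit are assumptions chosen for illustration.

```python
"""Model of what a port-587 Message Submission Agent (MSA) can do.

Added example, not from the original post or any mail product.
  * submission_fixups(): RFC 4409 section 8 style cleanups that are only safe
    because the MSA knows this is an authenticated initial submission, not
    mail relayed from another mailserver on port 25.
  * SubmissionMonitor: per-user submission counting in a sliding window, so a
    compromised (zombied) account sending far above its norm gets flagged.
"""
import email
import email.utils
from collections import defaultdict
from email.message import EmailMessage
from email.policy import default as default_policy
from typing import Optional

LOCAL_DOMAIN = "foo.bar"  # the MSA's own domain, taken from the post's example


def submission_fixups(raw: bytes, auth_user: str,
                      now: Optional[float] = None) -> EmailMessage:
    """Apply the cleanups an MSA may do on an authenticated initial submission.

    Raises PermissionError for an unauthenticated session: on port 587 there
    is no such thing as an anonymous submission.
    """
    if not auth_user:
        raise PermissionError("submission requires an authenticated session")
    msg = email.message_from_bytes(raw, policy=default_policy)
    if msg["Date"] is None:                      # missing Date: header
        msg["Date"] = email.utils.formatdate(now, localtime=False)
    if msg["Message-ID"] is None:                # missing Message-ID: header
        msg["Message-ID"] = email.utils.make_msgid(domain=LOCAL_DOMAIN)
    for hdr in ("From", "Sender"):
        if msg[hdr] is None:
            continue
        name, addr = email.utils.parseaddr(str(msg[hdr]))
        if "@" in addr and "." not in addr.rsplit("@", 1)[1]:
            # Unqualified hostname in the address domain (e.g. fred@pc1):
            # qualify it under the local domain.  Assumed local policy.
            local, host = addr.rsplit("@", 1)
            qualified = f"{local}@{host}.{LOCAL_DOMAIN}"
            msg.replace_header(hdr, email.utils.formataddr((name, qualified)))
    return msg


class SubmissionMonitor:
    """Track submissions per authenticated user inside a sliding time window."""

    def __init__(self, window_seconds: int = 3600, max_per_window: int = 500):
        self.window = window_seconds        # assumed window size
        self.limit = max_per_window         # assumed per-user ceiling
        self._events = defaultdict(list)    # user -> submission timestamps

    def record(self, user: str, now: float) -> bool:
        """Record one submission at time `now`; True if the user is within limits."""
        ts = self._events[user]
        ts.append(now)
        cutoff = now - self.window
        while ts and ts[0] < cutoff:        # expire timestamps outside the window
            ts.pop(0)
        return len(ts) <= self.limit


if __name__ == "__main__":
    # Constructed sample submission with no Date:, no Message-ID:, and a bare
    # hostname in From:, as a naive MUA might send it.
    SAMPLE = (b"From: Fred <fred@pc1>\r\nTo: someone@example.com\r\n"
              b"Subject: hi\r\n\r\nhello\r\n")
    fixed = submission_fixups(SAMPLE, auth_user="fred", now=0)
    print(fixed.as_string())
    mon = SubmissionMonitor(window_seconds=60, max_per_window=3)
    for t in (0, 10, 20, 30):
        print(t, "ok" if mon.record("fred", t) else "OVER LIMIT")
```

The two halves are deliberately tied to the authenticated identity: the fixups refuse to run without one, and the monitor keys on it rather than on the client IP, which is what lets the mailserver operators notice fred's 100,000 messages and act on the account rather than on whatever address the zombied PC happens to have.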