Educause Security Discussion mailing list archives

Re: SMTP Outbound


From: Derek Diget <derek.diget+educause-security () WMICH EDU>
Date: Fri, 14 Feb 2014 11:37:56 -0500

On Feb 13, 2014 at 08:46 -0500, Di Fabio, Andrea wrote:
=>We only allow 25 in/out to/from our email servers but we do allow 587 out as
=>we found that many email clients, especially on mobile devices, will use
=>this port. So the new question is, are you allowing TCP 587 out of your
=>network without restriction and have you seen any issue with doing that? We
=>have not seen any issues thus far.

As a good network access provider you MUST NOT block out-bound TCP port 
587.  See section 4.1 of IETF Best Common Practice (BCP) 134 ... AKA 
RFC 5068 - Email Submission Operations and Accountability Requirements 
<http://www.ietf.org/rfc/rfc5068.txt>.


We block and log out-bound port 25 except for approved (<5) mail systems 
and have for over 15 years.

We also require AUTH (over SSL/465 or STARTTLS/587/25) for submission 
from anywhere.  No free pass because you are on our network.  Been that 
way for close to 15 years.  Note to do this you must have separate mail 
relays/MX hosts and submission/MSA hosts.  Our MX hosts won't accept any 
email from within our own net blocks.

Our third leg is a relay system that uses IP white-listing for 
application servers that can't AUTH over an encrypted channel.  
(Multi-Function Devices, vendor applications that haven't gotten into 
the 21st century, etc.)



If more responses regarding port 25 are wanted, take a look at posting 
to the HIED-EMAILADMIN (Email Administration in Higher Education) list 
hosted at Notre Dame.  
<https://listserv.nd.edu/cgi-bin/wa?A0=hied-emailadmin>


-- 
***********************************************************************
Derek Diget                            Office of Information Technology
Western Michigan University - Kalamazoo  Michigan  USA - www.wmich.edu/
***********************************************************************
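The policy Derek describes (drop and log outbound TCP/25 except from a short list of approved mail systems, never block 587/465) is simple to state but the logging half is what makes it useful: every dropped SYN to port 25 from an internal host is a lead. The block below is an added example, not part of the original post or of WMU's setup; it models the egress decision and then triages constructed firewall log lines of the kind such a drop rule would emit, separating a host fanning out to many remote MXs (spambot-like) from one retrying a single destination (more likely a device that should be moved to AUTH submission or to the IP-whitelisted relay). The addresses, the `SMTP25-DROP` log prefix, the iptables-style line format and the spambot threshold are all assumptions.

```python
"""Egress SMTP policy check plus triage of dropped outbound port-25 hits.

Added example, not code from the original post. Addresses, log format and
the spambot heuristic are assumptions; the log lines are constructed here.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Assumptions (the post names no hosts): the campus net block the egress
# rule applies to, and the approved MX/relay hosts allowed out on TCP/25.
CAMPUS_NET = ipaddress.ip_network("192.0.2.0/24")
APPROVED_SMTP_SOURCES = {"192.0.2.10", "192.0.2.11"}

# Submission ports the post leaves open: STARTTLS on 587, implicit TLS on 465.
SUBMISSION_PORTS = {587, 465}


def egress_decision(src_ip: str, dst_port: int) -> str:
    """Decide what the border firewall does with an outbound TCP SYN.

    Returns "accept", "drop+log", or "not-applicable" when the source is
    not inside our net block (the egress rule does not apply to it).
    """
    src = ipaddress.ip_address(src_ip)
    if src not in CAMPUS_NET:
        return "not-applicable"
    if dst_port == 25:
        # Only approved MX/relay hosts may deliver on 25; everything else is
        # dropped AND logged so the log doubles as a spambot detector.
        return "accept" if src_ip in APPROVED_SMTP_SOURCES else "drop+log"
    # 587/465 (RFC 5068 section 4.1) and all other ports pass unrestricted.
    return "accept"


# Constructed iptables-style log lines of the kind a drop+log rule emits.
SAMPLE_LOG = """\
Feb 14 09:01:12 border kernel: SMTP25-DROP IN=eth1 OUT=eth0 SRC=192.0.2.57 DST=198.51.100.5 PROTO=TCP SPT=51022 DPT=25
Feb 14 09:01:13 border kernel: SMTP25-DROP IN=eth1 OUT=eth0 SRC=192.0.2.57 DST=203.0.113.9 PROTO=TCP SPT=51023 DPT=25
Feb 14 09:01:15 border kernel: SMTP25-DROP IN=eth1 OUT=eth0 SRC=192.0.2.57 DST=198.51.100.77 PROTO=TCP SPT=51024 DPT=25
Feb 14 09:03:40 border kernel: SMTP25-DROP IN=eth1 OUT=eth0 SRC=192.0.2.120 DST=198.51.100.5 PROTO=TCP SPT=40311 DPT=25
Feb 14 09:05:02 border kernel: SMTP25-DROP IN=eth1 OUT=eth0 SRC=192.0.2.120 DST=198.51.100.5 PROTO=TCP SPT=40312 DPT=25
"""

LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+)"
)


def triage_blocked_25(log_text: str, min_distinct_dsts: int = 3) -> dict:
    """Group dropped outbound port-25 attempts by internal source host.

    Heuristic (an assumption, not from the post): a host that tried at
    least `min_distinct_dsts` distinct remote MXs is flagged as a likely
    spambot; a host retrying one destination is more likely a misconfigured
    client or device that belongs on AUTH/587 or the whitelisted relay.
    """
    dsts = defaultdict(set)
    attempts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m.group("dpt") != "25":
            continue
        dsts[m.group("src")].add(m.group("dst"))
        attempts[m.group("src")] += 1

    report = {}
    for src, remote in dsts.items():
        verdict = "likely-spambot" if len(remote) >= min_distinct_dsts else "misconfigured-client"
        report[src] = {
            "attempts": attempts[src],
            "distinct_dsts": len(remote),
            "verdict": verdict,
        }
    return report


if __name__ == "__main__":
    for ip, port in [("192.0.2.57", 25), ("192.0.2.10", 25), ("192.0.2.57", 587)]:
        print(ip, port, egress_decision(ip, port))
    for src, info in sorted(triage_blocked_25(SAMPLE_LOG).items()):
        print(src, info)
```

The decision function is the policy written down once so it can be unit-tested against the firewall's actual behaviour; the triage function is the part worth running daily, since a host that suddenly starts fanning out on port 25 is usually the first visible symptom of a compromised machine on the campus network.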