Educause Security Discussion mailing list archives
Re: SMTP Outbound
From: Derek Diget <derek.diget+educause-security () WMICH EDU>
Date: Fri, 14 Feb 2014 11:37:56 -0500
On Feb 13, 2014 at 08:46 -0500, Di Fabio, Andrea wrote:

=>We only allow 25 in/out to/from our email servers but we do allow 587 out as
=>we found that many email clients, especially on mobile devices, will use
=>this port. So the new question is, are you allowing TCP 587 out of your
=>network without restriction and have you seen any issue with doing that? We
=>have not seen any issues thus far.

As a good network access provider you MUST NOT block out-bound TCP port 587. See section 4.1 of IETF Best Common Practice (BCP) 134 ... AKA RFC 5068 - Email Submission Operations and Accountability Requirements <http://www.ietf.org/rfc/rfc5068.txt>.

We block and log out-bound port 25 except for approved (<5) mail systems and have for over 15 years.

We also require AUTH (over SSL/465 or STARTTLS/587/25) for submission from anywhere. No free pass because you are on our network. Been that way for close to 15 years. Note to do this you must have separate mail relays/MX hosts and submission/MSA hosts. Our MX hosts won't accept any email from within our own net blocks.

Our third leg is a relay system that uses IP white-listing for application servers that can't AUTH over an encrypted channel. (Multi-Function Devices, vendor applications that haven't gotten into the 21st century, etc.)

If more responses regarding port 25 are wanted, take a look at posting to the HIED-EMAILADMIN (Email Administration in Higher Education) list hosted at Notre Dame. <https://listserv.nd.edu/cgi-bin/wa?A0=hied-emailadmin>

--
***********************************************************************
Derek Diget
Office of Information Technology
Western Michigan University - Kalamazoo Michigan USA - www.wmich.edu/
***********************************************************************
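The egress policy described in the message above (port 587 out always allowed, port 25 out blocked and logged except for a short list of approved mail systems), sketched as an added example that is not part of the original message or of any site's actual configuration. The net block, the approved hosts, the sample flows and the follow-up threshold are all constructed assumptions.

```python
import ipaddress
from collections import Counter

# Assumptions (constructed): campus net block and the approved port-25 senders.
CAMPUS_NET = ipaddress.ip_network("192.0.2.0/24")
APPROVED_PORT25_SENDERS = {
    ipaddress.ip_address("192.0.2.10"),
    ipaddress.ip_address("192.0.2.11"),
}

def decide(src, dst, dport):
    """Return 'allow', 'block-log' or 'n/a' for one TCP flow (src, dst, dport)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s not in CAMPUS_NET or d in CAMPUS_NET:
        return "n/a"          # not a flow leaving the campus network
    if dport == 587:
        return "allow"        # submission port: not blocked outbound (RFC 5068, 4.1)
    if dport == 25:
        # Only the approved mail systems may speak SMTP directly to the outside.
        return "allow" if s in APPROVED_PORT25_SENDERS else "block-log"
    return "n/a"              # other ports are outside the policy in the message

def blocked_port25_sources(flows, threshold=3):
    """Summarise the block log: sources with at least `threshold` blocked attempts.

    The threshold is an assumption of this example, used to separate a one-off
    misconfigured client from a host that keeps trying and deserves a look.
    """
    hits = Counter(src for src, dst, dport in flows
                   if decide(src, dst, dport) == "block-log")
    return {src: n for src, n in hits.items() if n >= threshold}

# Constructed sample flows: (source, destination, destination port).
SAMPLE_FLOWS = [
    ("192.0.2.10", "198.51.100.5", 25),    # approved relay -> allow
    ("192.0.2.50", "203.0.113.9", 587),    # client submitting to outside MSA -> allow
    ("192.0.2.60", "203.0.113.9", 25),     # single blocked attempt
    ("192.0.2.60", "192.0.2.10", 25),      # internal traffic, not egress
    ("192.0.2.77", "198.51.100.5", 25),    # repeated blocked attempts
    ("192.0.2.77", "198.51.100.6", 25),
    ("192.0.2.77", "203.0.113.20", 25),
    ("192.0.2.77", "203.0.113.21", 25),
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow, decide(*flow))
    print("follow up:", blocked_port25_sources(SAMPLE_FLOWS))
```
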
Current thread:
- Re: SMTP Outbound, (continued)
- Re: SMTP Outbound Kevin Manuel (Feb 12)
- Re: SMTP Outbound Will Froning (Feb 12)
- Re: SMTP Outbound Ken Connelly (Feb 12)
- Re: SMTP Outbound Dexter Caldwell (Feb 12)
- Re: SMTP Outbound Dexter Caldwell (Feb 12)
- Re: SMTP Outbound Francisco Pérez (Feb 13)
- Re: SMTP Outbound Dexter Caldwell (Feb 12)
- Re: SMTP Outbound Di Fabio, Andrea (Feb 13)
- Re: SMTP Outbound Ken Connelly (Feb 13)
- Re: SMTP Outbound Ejike, Emechete C. (Feb 13)
- Re: SMTP Outbound Robert Henry (Feb 13)
- Re: SMTP Outbound Derek Diget (Feb 14)
- Re: SMTP Outbound Ken Connelly (Feb 13)