Firewall Wizards mailing list archives
Re: SMTP forwarding question
From: Devdas Bhagat <devdas () dvb homelinux org>
Date: Fri, 1 Oct 2004 04:04:33 +0530
On 30/09/04 22:18 +0200, Nagy Attila wrote:
Marcus J. Ranum wrote:The problem: there is a network from which all outgoing SMTP connections should be handled by the company's mail gateway (virus and spam checking, etc) BUT the roaming users must be able to use their companies' SMTP server, possibly via SMTP AUTH (with or without starttls) and/or POP before SMTP (or any other solutions which work over tcp/25).
First off, that's a stupid policy - fortunately it's not mine so I won't say any more about it than what I already have...
I think the only thing why you think it's stupid is that I've left off an important information: the given company would be an ISP, which has a lot of problems about their users spamming and flooding the world with viruses.
So? We blocked port 25 outbound with no major issues earlier. Blocking port 25 for Windows users is probably the biggest favour that you can do for the Internet.
If the ISP blocks outgoing tcp/25, then all of its users who use other SMTP servers on the internet (for example mail.ispB.com with POP before SMTP or via SMTP AUTH) will not be able to use their server.
Thats what port 587/tcp is for.
I am aware of the fact, that a clear policy should be that every user MUST send mail via mail.ispA.com, but as the Earth's shape is not exactly round, the users say that if they cannot send mail from their notebook from ISP A to ISP B (via authenticated SMTP) and it works from ISP C, then they will choose ISP C, not A. That's the problem. If ISP A blocks outgoing SMTP, the users have to reconfigure their notebooks.
Nope. They just need to be using 587/tcp from the beginning. Block port 25, make it clear why you are doing that, and help the users understand why it is necessary. If you aren't, let us know the IP blocks that the users are assigned, and not the smarthosts. We will be more than glad to block dynamic IPs.
And users doesn't want this, instead they choose another ISP.This could probably be done with the proxy transparency rules of some old-school firewalls, or with redirector rules in a load-balancer.Could you name any product which can store some state about the current SMTP session, decide what are we talking about (authenticated SMTP to a foreign ISP or a simple mail to anyone in the world) and route the traffic either the local mail server or transparently to the original one?
You will end up writing your own. The alternative is to use something like AOLs system of forwarding port 25 to their own systems and hijacking the TCP connection. Devdas Bhagat _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Re: SMTP forwarding question Devdas Bhagat (Sep 30)
- <Possible follow-ups>
- Re: SMTP forwarding question Jim Seymour (Sep 30)
- Re: SMTP forwarding question Marcus J. Ranum (Oct 01)