nanog mailing list archives

Re: Why do so few mail providers support Port 587?


From: Nils Ketelsen <nils.ketelsen () kuehne-nagel com>
Date: Mon, 28 Feb 2005 16:54:23 -0500


On Sat, Feb 26, 2005 at 03:10:42PM +0100, JP Velders wrote:


> From a "security" stance (well - partly ;D) I always like to emphasize
> that in "The Real World" port 25 is for traffic between MTAs *and*
> submission of mails to the local MTA. So to reduce the chance of one
> of my users abusing an Open Relay and to enforce corporate e-mail
> policies, only port 25 towards our mailserver is open.

I do not know about your E-Mail Policy, but normally it is either allowed
to use an external mailserver or not. If it is allowed, I can as
well allow Port 25 outgoing. If it is not I will block 25 and 587.



> Port 587 on the other hand is meant for "submission" by clients. The
> security implications of allowing my users to contact such a port are
> very very low. If someone won't secure his mailserver on port 587,
> that's something different, but substantially different than if it
> were insecure on port 25...

An interesting theory. What is the substantial difference? For
me the security implications of "allowing the user to bypass our
mailsystem on port 25" and "allowing the user to bypass our mailsystem on
port 587" are not as obvious as they maybe are to you.


Nils

