On Wed, 29 Oct 1997, Jay R. Ashworth wrote:
We are an ISP and we don't block our dialups from going to port 25 elsewhere because this would eliminate their ability to rightfully use another mail server. This frequently occurs when a user accesses a mail server at work from their home dialup account. If other ISPs did this, we would have a problem where a user dialing into their ISP couldn't reach their virtual mail server, hosted on our network. We currently don't have many going the other way, but that may change.
This is roughly akin, though, isn't it, John, to the cache pollution problems that make it pretty much a requirement to run 2 separate nameservers: one for recursion and caching, and the other to be authoritative?
Run a separate relay server, with some authentication, for users connecting from outside your AS.
The point is there can be no useful authentication for outgoing email if you don't block it by IP address. However, that is a discussion about blocking spam relay, not about blocking outgoing SMTP. If we install a filter at the router that blocks all traffic from dialup connections to port 25 anywhere else, then it doesn't matter how many servers we run; they can't get to another SMTP server, even if they are supposed to be doing it.
The only reason I can think of that would stop this would be if a user subscribes to Earthlink, but uses a UUnet dialin; that customer's software would be set up to use the Earthlink SMTP servers.
In our case, this doesn't help since we and all the other local ISPs block relay access, so you have to use the mail server of the ISP you are currently connected to.
Hold it. Didn't you just say the opposite above?
He offered an example of a customer that has dialup access to two ISPs, and wants to connect to the SMTP server of the one he isn't currently connected to. Because of the relay blocking that we and all the other ISPs in town implement (and hopefully ISPs elsewhere), the customer can't do that anyway.

What I said above is that there are other examples that our customers expect to work, specifically connecting to an SMTP server at work or connecting to a virtual domain hosted at another ISP (in our case it is primarily the vdom user dialup into another ISP and accessing the site here); that is why we can't block all traffic from dialup to port 25 anywhere.

I think you are confusing the issue of blocking unauthorized relay access to your SMTP server, which is easy to do based on CIDR blocks, with that of preventing dialup customers from relaying through the SMTP servers of others. The difficulty in the latter is finding a way to determine what SMTP servers they are supposed to have access to and then implementing that in a router access list.

John Tamplin                        Traveller Information Services
jat@Traveller.COM                   2104 West Ferry Way
205/883-4233x7007                   Huntsville, AL 35801
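
The CIDR-based relay check the message calls easy, sketched as an added example that is not part of the original thread or any mail server's own code. The networks, domains and the `relay_decision` helper are constructed for illustration.

```python
import ipaddress

# Constructed sample values: documentation address ranges and made-up domains.
LOCAL_NETS = [
    ipaddress.ip_network("192.0.2.0/24"),     # assumed: our dialup pool
    ipaddress.ip_network("198.51.100.0/25"),  # assumed: our server LAN
]
HOSTED_DOMAINS = {"isp.example", "vdom-customer.example"}  # mail we deliver locally


def relay_decision(client_ip: str, rcpt_to: str) -> str:
    """Classify one RCPT TO from one SMTP client as 'local', 'relay' or 'reject'."""
    addr = ipaddress.ip_address(client_ip)
    domain = rcpt_to.rsplit("@", 1)[-1].rstrip(".").lower()
    if domain in HOSTED_DOMAINS:
        # Final delivery to a domain hosted here: accepted from any source,
        # which is why inbound port 25 must stay reachable from other ISPs.
        return "local"
    if any(addr in net for net in LOCAL_NETS):
        # Client is inside our own address space: allowed to send anywhere.
        return "relay"
    # Outside client sending to an outside recipient: unauthorized relay.
    return "reject"


def evaluate(cases):
    """Run (client_ip, rcpt_to) pairs through the policy and return the verdicts."""
    return [relay_decision(ip, rcpt) for ip, rcpt in cases]


if __name__ == "__main__":
    # Constructed cases mirroring the situations discussed in the thread.
    cases = [
        ("192.0.2.17", "friend@elsewhere.example"),     # our dialup user, any recipient
        ("203.0.113.9", "friend@elsewhere.example"),    # our customer dialed in elsewhere
        ("203.0.113.9", "owner@vdom-customer.example"), # anyone mailing a hosted vdom
    ]
    for case, verdict in zip(cases, evaluate(cases)):
        print(case, "->", verdict)
```

The check runs on the receiving server and needs only its own address blocks; it says nothing about which remote servers a dialup user may legitimately reach, which is the part the message describes as hard to express in a router access list.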