On Oct 24, 2011, at 11:13 PM, William Herrin wrote:
On Tue, Oct 25, 2011 at 12:29 AM, Dennis Burgess <dmburgess@linktechs.net> wrote:
I am curious about what network operators are doing with outbound SMTP traffic. In the past few weeks we have run into over 10 providers, mostly local providers, which block outbound SMTP and require the users to go THROUGH their mail servers even though those servers are not responsible for the domains in question! I know other mail servers are blocking non-reversible mail, however, is this common? And more importantly, is this an acceptable practice?
Hi Dennis,
Blocking outbound TCP SYN packets on port 25 from non-servers is considered a BEST PRACTICE to avoid being the source of snowshoe and botnet spam. Blocking it from legitimate mail servers... does not make sense.
The SMTP submission port (TCP 587) is authenticated and should generally not be blocked.
Interesting... Most people I know run the same policy on 25 and 587 these days... To-local-domain, no auth needed. Relay, auth needed. Auth required == TLS required. Anything else on either port seems not best practice to me.

Due to the absurd things I've seen done in the world, I actually run that policy on 5 ports:

25, 587 as you would expect.
465 SSL rather than STARTTLS, but otherwise identical.
80 because it works when nothing else does.
443 because sometimes Deep Packet Inspection is a PITA.

Of course, using 80 and 443 requires the use of additional IP address resources for those servers rather than being able to also run a web server on the same address, but this is the consequence of replacing an internet with 64K ports with filters that force the entire internet to operate all services on TCP/80.

With this combination, I have not encountered a hotel, airport lounge, or other poorly run environment from which I cannot send mail through my home server from my laptop/iPad/iPhone/etc.

Owen
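One way to express the policy Owen describes (local-domain delivery without auth, relay only with auth, auth only over TLS, identical on every listening port) in a modern Postfix main.cf/master.cf; this is an added example, not configuration from the thread or from Owen's server. The example.com names, certificate paths and the 192.0.2.10 dedicated address are placeholders, and treating 443 as implicit TLS like 465 is an assumption.

```ini
# main.cf: settings inherited by every smtpd instance listed in master.cf
# (Postfix only allows comments on their own line, never after a value)

# Offer STARTTLS everywhere but do not force it, so ordinary MX delivery still works
smtpd_tls_security_level = may
# placeholder certificate paths
smtpd_tls_cert_file = /etc/postfix/mail.example.com.crt
smtpd_tls_key_file  = /etc/postfix/mail.example.com.key
# "auth required == TLS required": AUTH is only advertised after STARTTLS
smtpd_tls_auth_only = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
# "to-local-domain, no auth needed": mail for these domains is accepted from anyone
mydestination = example.com, mail.example.com
# "relay, auth needed": only SASL-authenticated clients may relay elsewhere
smtpd_relay_restrictions =
    permit_sasl_authenticated,
    reject_unauth_destination

# master.cf: the same smtpd policy on five listening ports
# service        type  private unpriv chroot wakeup maxproc command
smtp             inet  n       -      n      -      -       smtpd
submission       inet  n       -      n      -      -       smtpd
  -o syslog_name=postfix/submission
# 465: implicit TLS (SSL wrapper) instead of STARTTLS, otherwise identical
smtps            inet  n       -      n      -      -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
# 80 and 443 bind a dedicated address (placeholder) so a web server can keep the shared one
192.0.2.10:80    inet  n       -      n      -      -       smtpd
  -o syslog_name=postfix/port80
# assumption: run 443 in wrapper mode so an inspecting middlebox sees a normal TLS handshake
192.0.2.10:443   inet  n       -      n      -      -       smtpd
  -o syslog_name=postfix/port443
  -o smtpd_tls_wrappermode=yes
```

The separate syslog_name per instance is what lets you tell, in the mail log, which port a hotel or lounge network actually let through.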