On Fri, 25 Feb 2005 andrew2@one.net wrote:
> Sorry, I misread that. But I still fail to see how 587 changes that. Trojans, viruses, etc. etc. etc. can still exploit the authentication system regardless of what port it operates on. Different port, same old problems.
Sigh, if even the network professionals have difficulty understanding how things work, what hope is there for the rest of the users.

Requiring end-user systems to use only authentication port 587 to send outbound mail means even if they are infected with trojans, viruses, etc, they will only be able to send mail via the (few) mail servers on which they have an authenticated account. Hopefully, then the local mail administrator could run server-based anti-virus/anti-spam checks on the outgoing e-mail from authenticated local users (including those users who may have had their anti-virus/anti-spam software compromised on the PC) before forwarding it to other mail servers on the Internet.

When end-user systems have direct access to port 25 on all Internet mail servers, an end-user system infected with a trojan, virus, etc will send mail to other mail servers on the Internet directly without needing to authenticate itself, because mail servers still need to accept unauthenticated mail from anywhere for local delivery on port 25. Waiting for complaints, installing network sniffers (assuming you can find a sniffer big enough) or conducting intrusive scans of the users' computers tends to be reactive rather than proactive, and can result in a trojan or virus sending large quantities of mail directly from the infected computer.

Of course, it would be great news and a good goal if end-user computers were never compromised and their anti-virus definitions were always up to date, and so on. But that is a bit unrealistic for unmanaged end-user systems.

Requiring end-user computers to use authenticated port 587 and blocking end-user computers' access to port 25 has several advantages:

1. Reduces the number of mail servers to which an infected end-user computer has direct access without authentication. They still have indirect access if their authenticated mail server forwards it without further checks.

2. Lets the authenticated mail server conduct additional anti-virus checks on outgoing mail even if the end-user's computer was compromised or had out-of-date virus definitions.

3. Separates authenticated mail submission (port 587) from other mail protocols (25, 110, 143, etc), simplifying network controls (no deep-packet inspection) for end-user computers. Eliminates some of the existing problems with trying to do transparent proxying of port 25 from end-user computers.

4. Allows the source network to make exceptions for individual addresses instead of trying to modify DUL RBLs used by destination mail servers if an end-user runs their own mail server.

5. Lets a roaming end-user computer use the same mail configuration when it is on its "home" network or on a "remote" network to access its primary authenticated mail server instead of needing to change to a different local network mail server. If all your users always use a VPN, this may be less important.

But if none of those change your mind, nothing can force you to offer port 587 authenticated mail submission, VPN or web mail access for your users. If you choose not to, that is between you and your users. There is a good chance your users will experience problems when traveling or roaming unless you offer some of those alternatives.
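The egress policy argued for in the message above, as an added example that is not part of the original thread: end-user hosts may reach port 587 anywhere but port 25 only on the site's own MTAs (with the per-address exception of point 4), and the same rule is run over edge firewall logs to spot hosts fanning out to many Internet MTAs directly instead of waiting for complaints. The subnet, MTA addresses, exception host and the `src dst dport` log format are all constructed for the example.

```python
"""Egress policy for end-user networks: block direct port 25 (with
per-address exceptions for hosts that legitimately run their own MTA),
allow submission on 587, and flag hosts still hitting port 25 at scale."""
from collections import defaultdict
import ipaddress

# Constructed example values: the end-user subnet, the site's own MTAs, and
# the one end-user address permitted to run its own mail server.
END_USER_NET = ipaddress.ip_network("192.0.2.0/24")
LOCAL_MTAS = {ipaddress.ip_address("198.51.100.25")}
PORT25_EXCEPTIONS = {ipaddress.ip_address("192.0.2.50")}

def egress_decision(src: str, dst: str, dport: int) -> str:
    """Return 'allow' or 'deny' for a TCP connection leaving the edge."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s not in END_USER_NET:
        return "allow"            # servers/MTAs are not subject to this policy
    if dport == 587:
        return "allow"            # submission: the MTA enforces SMTP AUTH
    if dport == 25:
        if d in LOCAL_MTAS or s in PORT25_EXCEPTIONS:
            return "allow"        # local MTA, or a host allowed its own MTA
        return "deny"             # no direct access to Internet MTAs
    return "allow"

def suspect_hosts(log_lines, threshold=3):
    """Count distinct port-25 destinations per end-user host in edge logs
    (constructed format: 'src dst dport'); a host fanning out to many MTAs
    directly is behaving like an infected machine sending mail itself."""
    targets = defaultdict(set)
    for line in log_lines:
        src, dst, dport = line.split()
        if int(dport) == 25 and egress_decision(src, dst, 25) == "deny":
            targets[src].add(dst)
    return sorted(h for h, t in targets.items() if len(t) >= threshold)

SAMPLE_LOG = [  # constructed edge log lines
    "192.0.2.10 198.51.100.25 25",   # to the local MTA: fine
    "192.0.2.10 203.0.113.5 587",    # submission to any server: fine
    "192.0.2.77 203.0.113.1 25",     # direct to foreign MTAs: fan-out
    "192.0.2.77 203.0.113.2 25",
    "192.0.2.77 203.0.113.3 25",
    "192.0.2.50 203.0.113.9 25",     # the exception host runs its own MTA
]

if __name__ == "__main__":
    print(suspect_hosts(SAMPLE_LOG))   # ['192.0.2.77']
```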