Bill, Responses in-line...
-----Original Message-----
From: Bill Stewart [mailto:nonobvious@gmail.com]
Sent: Friday, October 28, 2011 6:22 PM
To: nanog@nanog.org
Cc: Brian Johnson
Subject: Re: Outgoing SMTP Servers
<snip>
> I've got a strong preference for ISPs to run a Block-25-by-default/Enable-when-asked. As a purist, I'd prefer to have Internet connections that are actually Internet connections, and if you want to run email on a Linux box at home or have an Arduino in your refrigerator email the grocery when you're out of milk, you should be able to, and if some meddling kid at an ISP wants to block it, they should get off your lawn. In practice, of course, somewhere between 99.9% and 99.999% of all home MTAs aren't Linux boxes or Macs, they're zombie spambots on home PCs, or occasional driveby wifi spammers or other pests, and not only should outgoing mail be blocked, but the user should be notified and the connection should probably be put into some kind of quarantined access.
This is, of course, exactly why this blocking is done.
> But that's for Port 25 - the Port 25 blocking by ISPs has largely pushed Email Service Providers to use other protocols such as 587 for mail submission from an MUA to the MTA, or webmail instead, and it's really bad practice for ISPs to interfere with that. In some cases they'll still be sending spam, but that's the MTA's job to filter out, and if they don't, they'll end up on a bunch of RBLs. (And generally they'll be trying to keep their mail clean themselves - if the MTA providers were spammers, they wouldn't need to go to the trouble of having actual residential users as customers when they could mass-produce it cheaper directly.)
For clarity, it's really bad for ISPs to block ports other than 25 for the purposes of mail flow control... correct? I would not block submission ports, specifically 587. More specifically, the only port I will block would be 25. The RFC actually says to use the submission port for the MUA to MTA anyway. RFC 5068 is definitive on this issue. Also read RFC 4409 and its predecessors. My take on this is that it IS best practice to have users use the submission port (587) for mail submission from the MUA to an MTA. Call me a liar! :) - Brian
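A toy model of the block-25-by-default / enable-when-asked policy both messages describe, added here as an example and not part of the thread: it reads constructed flow records, never touches anything but outbound port 25, lets opt-in customers through, and escalates high fan-out port-25 senders to notify-and-quarantine. The flow records, the opt-in allowlist, the IP addresses and the fan-out threshold are all assumptions.

```python
# Added example, not from the thread: a toy model of "block 25 by default,
# enable when asked". Flow records, allowlist, IPs and threshold are constructed.
from collections import defaultdict

SMTP_PORT = 25          # the only port the policy ever touches
FANOUT_THRESHOLD = 20   # distinct port-25 destinations that suggest a spambot

# Constructed flow records in "src=... dst=... dport=..." form.
SAMPLE_LOG = """\
src=10.0.0.5 dst=192.0.2.10 dport=587
src=10.0.0.5 dst=192.0.2.10 dport=587
src=10.0.0.9 dst=192.0.2.20 dport=25
src=10.0.0.9 dst=192.0.2.21 dport=25
""" + "".join(f"src=10.0.0.7 dst=198.51.100.{i} dport=25\n" for i in range(1, 31)) \
    + "".join(f"src=10.0.0.11 dst=203.0.113.{i} dport=25\n" for i in range(1, 31))

ALLOWLIST = {"10.0.0.7"}  # customers who asked to have port 25 enabled (assumed)

def parse_flow(line):
    """Turn one constructed record into (src, dst, dport)."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return fields["src"], fields["dst"], int(fields["dport"])

def classify(lines, allowlist, threshold=FANOUT_THRESHOLD):
    """Return {customer_ip: action}, action in allow | block25 | quarantine+notify."""
    dests25 = defaultdict(set)
    customers = set()
    for line in lines:
        if not line.strip():
            continue
        src, dst, port = parse_flow(line)
        customers.add(src)
        if port == SMTP_PORT:
            dests25[src].add(dst)
    actions = {}
    for src in customers:
        fanout = len(dests25[src])
        if src in allowlist:
            actions[src] = "allow"              # enabled on request: their MTA to run
        elif fanout == 0:
            actions[src] = "allow"              # only 587/other traffic: never interfered with
        elif fanout >= threshold:
            actions[src] = "quarantine+notify"  # many direct-to-MX connections: likely a zombie
        else:
            actions[src] = "block25"            # default: drop outbound 25, leave the rest alone
    return actions

if __name__ == "__main__":
    for ip, action in sorted(classify(SAMPLE_LOG.splitlines(), ALLOWLIST).items()):
        print(ip, action)
```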