On Tue, Oct 25, 2011 at 5:49 AM, Owen DeLong <owen@delong.com> wrote:
On Oct 24, 2011, at 11:13 PM, William Herrin wrote:
Blocking outbound TCP SYN packets on port 25 from non-servers is considered a BEST PRACTICE to avoid being the source of snowshoe and botnet spam. Blocking it from legitimate mail servers... does not make sense.
The SMTP submission port (TCP 587) is authenticated and should generally not be blocked.
Interesting... Most people I know run the same policy on 25 and 587 these days...
Owen, Perhaps you misunderstand the issue. The issue is not relaying mail through someone else's mail server, it's delivering mail to a mailbox served by that mail server. 99.99 etc. percent of the time when that's done directly from a IP address that's supposed to be user PC it's some form of spam. Hence the best practice within the email community is to ask the networking community to block those packets outright. And its why residential ISPs who fail to tend to find their way into Spamcop, Spamhaus and others. Facilitating that sort of network filtering is precisely why authenticated SMTP relaying was assigned port 587 instead of leaving it on port 25. On Tue, Oct 25, 2011 at 11:28 AM, Carlos Martinez-Cagnazzo <carlosm3011@gmail.com> wrote:
I'm curious how a traveller is supposed to get SMTP relay service when, well, travelling. I am not really sure if I want a VPN for sending a simple email.
That's what the SMTP submission port (TCP 587) is intended for and it's why outbound 587 should not be blocked. In fact, blocking 587 can cause problems with folks who use the Sender Policy Framework to restrict the servers allowed to pass mail from a particular domain outward. Regards, Bill Herrin -- William D. Herrin ................ herrin@dirtside.comĀ bill@herrin.us 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/> Falls Church, VA 22042-3004