On Thu, 3 Feb 2005, Jason Frisvold wrote:
prevents zombies from spamming. Unfortunately, it also blocks legitimate users from being able to use SMTP AUTH on a remote server..
There's a *reason* why RFC2476 specifies port 587....
I assume you're referring to the ability to block port 25 if 587 is used for submission. This is great in theory, but if this were the case, then the Trojan authors would merely alter their Trojan to use port 587.
If they authenticate. Modulo a stupidity built-in to Sendmail (that Claus Assman ignorantly thinks is a non-issue[*]), port 587 is not supposed to be used for endpoint MTA delivery. It's a mail SUBMISSION port, which is supposed to mean that J. Random Client isn't supposed to use it for delivery purposes.

===

[*] As of now, Sendmail doesn't require one of SMTP AUTH auth by default on the MSA port; it treats 25 and 587 identically (so that things like IP-based relay auth work without need for SMTP AUTH). I sent a m4-only change to the Sendmail maintainers implementing a way to make 587 allow only relay-authorized clients to send anything at all by default -- whether IP-based relay auth, or SMTP AUTH, or any other method built in to the relay-check code path. It was shot down by Claus because he simply doesn't understand the issue and doesn't think identical 25 and 587 ports is a threat.

--
-- Todd Vierling <tv@duh.org> <tv@pobox.com>
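An added example, not part of the original message: a Python check, run over constructed session transcripts, for the condition the footnote describes, a port 587 listener that accepts MAIL/RCPT with no prior successful AUTH. The transcript format and the function name are assumptions; an accept can still be legitimate when the client is relay-authorized by IP, which a transcript cannot show.

```python
import re
# Constructed sample sessions for illustration (C: client, S: server); not captured traffic.
UNENFORCED = """\
S: 220 mail.example.net ESMTP
C: EHLO host.example.org
S: 250-mail.example.net
S: 250 AUTH PLAIN LOGIN
C: MAIL FROM:<user@example.org>
S: 250 2.1.0 Sender ok
C: RCPT TO:<someone@example.com>
S: 250 2.1.5 Recipient ok
"""
ENFORCED = """\
S: 220 mail.example.net ESMTP
C: EHLO host.example.org
S: 250 AUTH PLAIN LOGIN
C: MAIL FROM:<user@example.org>
S: 530 5.7.0 Authentication required
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: (credential data elided)
S: 334 UGFzc3dvcmQ6
C: (credential data elided)
S: 235 2.7.0 Authentication successful
C: MAIL FROM:<user@example.org>
S: 250 2.1.0 Sender ok
"""
REPLY = re.compile(r"^(\d{3})([ -])")

def unauthenticated_accepts(transcript):
    """Return the MAIL/RCPT commands the server accepted before any successful AUTH."""
    findings, command, authed, in_auth = [], None, False, False
    for line in transcript.splitlines():
        side, _, text = line.partition(": ")
        if side == "C":
            # Client lines that answer a 334 challenge are AUTH data, not new commands.
            command = command if in_auth else text
            continue
        m = REPLY.match(text)
        if not m or m.group(2) == "-":   # skip continuation lines of a multi-line reply
            continue
        code = m.group(1)
        verb = (command or "").split(" ")[0].upper()
        if verb == "AUTH":
            in_auth = code == "334"          # exchange still in progress
            authed = authed or code == "235"  # 235 = authentication succeeded
        elif verb in ("MAIL", "RCPT") and code.startswith("2") and not authed:
            findings.append(command)
    return findings
```

An empty result means every accepted MAIL/RCPT in the session followed a 235 reply; a non-empty one lists the commands that got a 2xx before any authentication.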