
On Thu, Aug 28, 2003 at 10:18:45AM -0400, Matthew Crocker wrote:
> Shouldn't customers that purchase IP services from an ISP use the ISPs mail server as a smart host for outbound mail? We block outbound port
For some, sure. Maybe even most. That doesn't mean all. Are you a fairly small, perhaps boutique, provider? Such players have very different rules than ones with more than one kind of customer.
> 25 connections on our dialup and DSL pool. We ask our customers that have their own mail servers to configure them to forward through our mail servers. We get SPAM/abuse notifications that way and can kick
Asking is one thing, forcing is another. Giving the option but leaving the choice entirely up to the customer's discretion is yet another. Giving a default, but allowing customers to request exceptions, with reasonably automated tests to verify they can handle it... well, you get the idea. You get SPAM/abuse notifications without diverting all mail through you. You need to investigate either way (unless you trust unknown third parties more than your own customers), which still doesn't require all mail to pass through your server.
> the customer off the network. We also block inbound port 25 connections unless they are coming from our mail server and require the customer to set up their MX record to forward through our mail server. We virus scan all mail coming and going that way. We protect our customers from the network and our network from our customers. We are currently blocking over 3k Sobigs/hour on our mail servers. I would rather have that than all my bandwidth eaten up by Sobig on all of my dialup/DSL connections.
Do you also limit your customers' use of web traffic? Bandwidth, at the end of the day, is still bandwidth. Having it all eaten up is a problem, but not enough justification to take away all choice. Your own border shouldn't be that much greater than the aggregate total of your customers, should it? That'd be bandwidth you pay a lot for and can't use. Usual model would suggest your downstream customers represent some value more bandwidth from you than your incoming server could get, or perhaps 1:1. What if I have my own virus scanner? What if your mail server is too slow because all those scans chew up a lot more resources than my own traffic on my server will? What size attachments do you allow? What spam filters do you run; do they account for sender IP in the same probability weighting that mine does? Even per-user configuration of filters like Postini represents a reduction in choice that may not fly with all customers, particularly small and home businesses. Finding solutions that account for the broadest number of cases is useful. If you provide a server architecture doc the way I can expect to see line topo docs, then maybe I'll trust you to get it right, or maybe not. Expecting to tell customers, "I know how to run an email server better than you," doesn't fly in this age of bonehead ISPs, at least not for a lot of us/them. Perhaps you do the former; if so, please let me know if you provide service in the San Francisco/Sillycon Valley area, as our choices in home/small pipe have declined quite a bit these years. =)
> SMTP & DNS should be run through the servers provided by the ISP for the exact purpose. There is no valid reason for a dialup customer to go direct to root-servers.net and there is no reason why a dialup user should be sending mail directly to AOL, or any mail server for that matter (besides their host ISP).
Let's back up. It's entirely possible, even probable, that any ISP I go to will provide good Internet (pipe) and bad Service (protocols), or vice-versa. If they're good pipe, I can set up my own server, and have everything I need. Providing reliable and high-rate connectivity does not mean I trust you, or anyone else, to run an extra man in the middle. You, of course, are not required to trust your customers, and your policy will self-select out the ones who disagree, but suggesting it's applicable in enough cases to be a general standard misses the point. I can think of a number of businesses (including some who are fairly well known in email software, services, etc) who came up with the use of DSL as a server home. They may not rely on it for their primary bandwidth (which would probably be foolish), but particularly for things like DNS and SMTP, both of which provide for multiple addresses and locations, could sanely choose to maintain secondary servers over a completely isolated alternate pipe. Remember, BGP fails, ISPs fail, T1 cards fail, routers fail, etc. Having that last "home" DSL connection may just save some companies from going totally unreachable at times. That's worth $79.99/month in many books.

--
Ray Wong rayw@rayw.net
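The policy argued over in this exchange (block port 25 into and out of the dialup/DSL pools except via the ISP's own mail servers, as Matthew Crocker describes it) and the refinement Ray Wong asks for (a default block with per-customer exceptions for verified mail servers) can be expressed as one small model. The following is an added example, written for this page and not code from either poster or from any ISP; the addresses (RFC 5737 documentation ranges), the pool size, the chain name and the `Smtp25Policy` class are all illustrative assumptions. It gives a `verdict()` function a border filter would apply to a new TCP connection, and emits the equivalent iptables rule list with the accepts ordered ahead of the pool-wide drops.

```python
"""Model of an ISP port-25 policy with a per-customer exception list.

Added example, not from the original thread. Addresses are made-up
RFC 5737 documentation ranges; chain name and class are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field

SMTP_PORT = 25


@dataclass
class Smtp25Policy:
    # Customer access pools (dialup/DSL) the default block applies to.
    pools: list
    # The ISP's own mail servers: outbound smart host and inbound relay.
    mail_servers: list
    # Customer hosts exempted after showing they run their own MTA.
    exceptions: set = field(default_factory=set)

    def __post_init__(self):
        self.pools = [ipaddress.ip_network(p) for p in self.pools]
        self.mail_servers = {ipaddress.ip_address(m) for m in self.mail_servers}
        self.exceptions = {ipaddress.ip_address(e) for e in self.exceptions}

    def in_pool(self, addr):
        return any(addr in pool for pool in self.pools)

    def verdict(self, src, dst, dport):
        """'accept' or 'drop' for a new TCP connection src -> dst:dport at the border."""
        src = ipaddress.ip_address(src)
        dst = ipaddress.ip_address(dst)
        if dport != SMTP_PORT:
            return "accept"          # policy only concerns SMTP
        if self.in_pool(src):        # outbound from a pool host
            if dst in self.mail_servers or src in self.exceptions:
                return "accept"      # to our smart host, or an exempt customer
            return "drop"
        if self.in_pool(dst):        # inbound to a pool host
            if src in self.mail_servers or dst in self.exceptions:
                return "accept"      # from our relay, or an exempt customer
            return "drop"
        return "accept"              # traffic not touching the pools is untouched

    def iptables_rules(self, chain="FORWARD"):
        """iptables commands implementing verdict(); accepts must precede drops."""
        rules = []
        for m in sorted(self.mail_servers, key=str):
            rules.append(f"iptables -A {chain} -p tcp --dport 25 -d {m} -j ACCEPT")
            rules.append(f"iptables -A {chain} -p tcp --dport 25 -s {m} -j ACCEPT")
        for e in sorted(self.exceptions, key=str):
            rules.append(f"iptables -A {chain} -p tcp --dport 25 -s {e} -j ACCEPT")
            rules.append(f"iptables -A {chain} -p tcp --dport 25 -d {e} -j ACCEPT")
        for p in self.pools:
            rules.append(f"iptables -A {chain} -p tcp --dport 25 -s {p} -j DROP")
            rules.append(f"iptables -A {chain} -p tcp --dport 25 -d {p} -j DROP")
        return rules


if __name__ == "__main__":
    # Constructed sample policy: one /16 access pool, one ISP mail server,
    # one customer (10.1.7.7) who was granted an exception for their own MTA.
    policy = Smtp25Policy(pools=["10.1.0.0/16"],
                          mail_servers=["192.0.2.25"],
                          exceptions={"10.1.7.7"})
    for src, dst in [("10.1.2.3", "198.51.100.1"), ("10.1.2.3", "192.0.2.25"),
                     ("10.1.7.7", "198.51.100.1"), ("198.51.100.1", "10.1.2.3")]:
        print(f"{src} -> {dst}:25  {policy.verdict(src, dst, 25)}")
    print("\n".join(policy.iptables_rules()))
```

The ordering in `iptables_rules()` matters: the per-host ACCEPTs for the ISP relay and for exempted customers are emitted first, so that the pool-wide DROPs at the end never shadow them. An exception entry grants both directions at once, which is what a customer running their own MX and outbound MTA on a DSL line needs.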