On Mon, Feb 28, 2005 at 05:13:35PM -0500, Valdis.Kletnieks@vt.edu wrote:
On Mon, 28 Feb 2005 16:54:23 EST, Nils Ketelsen said:
An interesting theory. What is the substantial difference? For me the security implications of "allowing the user to bypass our mailsystem on port 25" and ""allowing the user to bypass our mailsystem on port 587" are not as obvious as they maybe are to you.
The big difference is that if they connect on outbound 25, they're basically unauthenticated at the other end. Port 587 "should be" authenticated, which means that the machine making the connection out is presumably a legitimate user of the destination mail server.
Okay, the main difference seems to be: 1. People here trust, that mailservers on port 587 will have better configurations than mailservers on port 25 have today. I do not share this positive attitude. 2. Port 587 Mailservers only make sense, when other Providers block port 25. My point is: If my ISP blocks any outgoing port, he is no longer an ISP I will buy service from. Therefore I do not need a 587-Mailserver, as I do not use any ISP with Port 25-Blocking for connecting my sites or users.
If you're managing a corporate network, then yes, the distinction isn't that obvious, as you're restricting your own users. If you're running an ISP, you're being paid to *connect* people to other places, and making it more difficult than necessary is.. well... a Randy Bush quote. ;)
I agree. Just as I said: If the ISP blocks (and I do not care which port he blocks), then it's time to go and look for another ISP. If I buy Internet I do not want a provider that decides for me which parts of it I am allowed to use today and which I am not. "Wehret den Anfaengen" is the german saying, I currently cannot find a good translation for. Nils