------------------------------
Date: Tue, 11 Mar 2008 07:58:01 +0800
From: Ang Kah Yik <mailinglist@bangky.net>
Subject: Customer-facing ACLs

Hi Justin (and all others on-list)
I understand your grounds for blocking outbound SMTP for your customers (especially those on dynamic IP connections). It probably will do good to block infected customers that are spewing spam all over the world.
However, considering the number of mobile workers out there who send email via their laptops to corporate SMTP servers, won't blocking outbound SMTP affect them?
Since these corporate types (I'm guessing here) are probably unaware of how to change their email client's SMTP configurations, chances are that blocking outbound SMTP will probably cause quite a lot of pain.
After all, there are also those who frequently move from place to place so they're going to have to keep changing SMTP servers every time they go to a new place that's on a different ISP.
Cheers

--
ANG Kah Yik (bangky)
------------------------------
One would hope mobile commuters are using something more secure than just raw SMTP to send e-mail if their network admins have any sense. The usual combination requires a POP connection first or uses a port other than 25 to send. As a customer, my home DSL service provider (SBC) blocks port 25 by default. Many firewalls can be programmed to allow 'related' connections, i.e. if a POP connection is opened then allow the SMTP connection. The real solution is to move to IMAP or MSA (port 587) or the latest MS Exchange protocol (whatever it is).

As for blocking FTP and SSH, it would depend A LOT on your customer base. As a content provider we do not allow raw NetBIOS into our network. Anyone that wants to use remote file sharing to work on their Windows server is encouraged (Whips and Chains if necessary) to use a VPN tunnel. If you are going to block something, block port 135 both directions.

--
LR Mack McBride
Network Administrator
Alpha Red, Inc.
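
An added illustration, not part of either poster's message: the customer-facing policy discussed in this thread written as an nftables ruleset for a Linux box forwarding customer traffic. The table, set and chain names are hypothetical, and 192.0.2.0/24 is a documentation placeholder standing in for a dynamic customer pool.

```nftables
# Added example. Load with: nft -f customer-edge.nft
# All names and the address range are assumptions, not taken from the thread.
table inet customer_edge {
    # Dynamic-IP customer pool (placeholder range from RFC 5737).
    set customer_dynamic {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24 }
    }

    chain forward {
        type filter hook forward priority 0; policy accept;

        # Mail submission (MSA, port 587) stays open, so roaming users
        # who send through their own mail server are unaffected by the
        # port 25 block below. The counter shows how much traffic uses it.
        ip saddr @customer_dynamic tcp dport 587 counter accept

        # Direct-to-MX SMTP from the dynamic pool is logged and dropped.
        # The log prefix gives the abuse desk a handle for finding hosts
        # that keep trying port 25.
        ip saddr @customer_dynamic tcp dport 25 counter log prefix "cust-smtp25-drop: " drop

        # Port 135 is dropped in both directions: a forward-hook rule
        # with no source or destination address match applies to traffic
        # toward customers as well as traffic from them.
        tcp dport 135 counter drop
        udp dport 135 counter drop
    }
}
```

The per-rule counters can be read with `nft list table inet customer_edge`, which shows how much port 25 traffic the block is catching compared with port 587 submission.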