Date: Mon, 28 Feb 2005 16:54:23 -0500 From: Nils Ketelsen <nils.ketelsen@kuehne-nagel.com> To: nanog@merit.edu Subject: Re: Why do so few mail providers support Port 587?
[ ... ] I do not know about your E-Mail Policy, but normally it is either allowed to use an external mailserver or not. If it is allowed, I can as well allow Port 25 outgoing. If it is not, I will block 25 and 587.
Our corporate policy is that if you want to send mail with a @ourdomain address, you have to use our mailserver. On that machine we can rewrite usernames etc. But I have lots of users who also work at other places - to give you a hint, many of my users are researchers over here, but teachers at different places. So it's *not* in my employer's best interest to disallow them *any* means of mailing with a @non-ourdomain address if that @non-ourdomain site allows them to do so via some other means than port 25...
Port 587 on the other hand is meant for "submission" by clients. The security implications of allowing my users to contact such a port are very very low. If someone won't secure his mailserver on port 587, that's something different, but substantially different than if it were insecure on port 25...
An interesting theory. What is the substantial difference? For me the security implications of "allowing the user to bypass our mailsystem on port 25" and "allowing the user to bypass our mailsystem on port 587" are not as obvious as they may be to you.
Anything listening on port 587 - as has been said many times over in this discussion - should not blindly relay. It should demand authentication from the user and relay only when those credentials are satisfactory. That was and is what port 587 is meant for. Port 25 has a much too diverse role in the way mail delivery is handled. But you can generally classify it as being used for inter-site communications and intra-site submission. Port 587 is for submission, intra-site and extra-site. Just because you only allow port 80 inbound to the machines which are supposed to be running webservers doesn't mean you only allow outbound port 80 traffic to those same machines? You would allow outbound port 80 traffic to the whole world...
Nils
Regards, JP Velders
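The distinction the thread argues about - a submission listener (RFC 2476 at the time, now RFC 6409) must advertise AUTH and refuse to relay for an unauthenticated client, whereas a port-25 listener may accept mail without any authentication - can be checked from the client side. The script below is an added example and is not part of the thread or of any poster's setup. It starts two constructed SMTP responders on loopback (one behaving like a submission port, one like an open relay), probes each with Python's standard smtplib the way an unauthenticated user behind the firewall would, and classifies what it finds. The fake servers, hostnames and addresses (`fake.example.test`, `probe@example.net`, `someone@example.org`) are constructed for the demo; against a real host you would call `probe("mail.example.org", 587)` instead.

```python
"""Probe whether an SMTP listener behaves like a submission port:
it should advertise AUTH and refuse RCPT TO from an unauthenticated client.
Added example; runs offline against two constructed in-process servers."""
import smtplib
import socketserver
import threading


class FakeSubmissionServer(socketserver.StreamRequestHandler):
    """Constructed minimal SMTP responder. `open_relay` decides whether an
    unauthenticated RCPT TO is accepted (open-relay behaviour) or refused
    with 530 (submission-port behaviour). Credentials are NOT verified here;
    any AUTH command is accepted, which is fine for a client-side probe demo."""
    open_relay = False

    def send(self, line):
        self.wfile.write((line + "\r\n").encode("ascii"))

    def handle(self):
        self.send("220 fake.example.test ESMTP (constructed test server)")
        authed = False
        while True:
            raw = self.rfile.readline()
            if not raw:
                return
            verb = raw.decode("ascii", "replace").strip().split(" ", 1)[0].upper()
            if verb in ("EHLO", "HELO"):
                self.send("250-fake.example.test")
                self.send("250-AUTH PLAIN LOGIN")   # advertised on both servers
                self.send("250 8BITMIME")
            elif verb == "AUTH":
                authed = True                        # constructed: no real check
                self.send("235 2.7.0 Authentication successful")
            elif verb == "MAIL":
                self.send("250 2.1.0 Ok")
            elif verb == "RCPT":
                if authed or self.open_relay:
                    self.send("250 2.1.5 Ok")
                else:
                    self.send("530 5.7.0 Authentication required")
            elif verb == "QUIT":
                self.send("221 2.0.0 Bye")
                return
            else:
                self.send("502 5.5.2 Command not implemented")


class FakeOpenRelay(FakeSubmissionServer):
    """Same responder, but relays for anyone (what a badly run port 25 does)."""
    open_relay = True


def start_server(handler):
    """Bind an ephemeral loopback port and serve in a background thread."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), handler)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe(host, port, sender="probe@example.net", rcpt="someone@example.org"):
    """What an unauthenticated client learns: does the listener advertise
    AUTH / STARTTLS, and what does it answer to a relay attempt?"""
    result = {"auth_advertised": False, "starttls_advertised": False,
              "unauth_relay_code": None}
    with smtplib.SMTP(host, port, timeout=5) as s:
        s.ehlo("probe.example.net")
        result["auth_advertised"] = s.has_extn("auth")
        result["starttls_advertised"] = s.has_extn("starttls")
        s.mail(sender)
        code, _ = s.rcpt(rcpt)          # smtplib returns the code, no exception
        result["unauth_relay_code"] = code
    return result


def classify(result):
    """Submission-style listener: AUTH offered and unauthenticated relay refused."""
    if result["auth_advertised"] and result["unauth_relay_code"] >= 500:
        return "auth-required"
    if result["unauth_relay_code"] == 250:
        return "open-relay"
    return "unclear"


def run_demo():
    """Probe both constructed listeners; return {label: (probe result, verdict)}."""
    servers = {"submission-style": start_server(FakeSubmissionServer),
               "open-relay": start_server(FakeOpenRelay)}
    out = {}
    try:
        for label, srv in servers.items():
            host, port = srv.server_address
            res = probe(host, port)
            out[label] = (res, classify(res))
    finally:
        for srv in servers.values():
            srv.shutdown()
            srv.server_close()
    return out


if __name__ == "__main__":
    for label, (res, verdict) in run_demo().items():
        print(f"{label:17s} -> {verdict}  {res}")
```

Note that the open-relay responder still advertises AUTH: a 250-AUTH line in the EHLO banner alone proves nothing, which is why the probe also attempts the relay and looks at the RCPT TO reply code. A 5xx there (530 is what authentication-enforcing MTAs typically send) is the behaviour the thread expects from anything on 587.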