On Wed, Sep 03, 2008 at 12:58:53PM -0400, Nicholas Suan wrote:
On Sep 3, 2008, at 12:49 PM, Jay R. Ashworth wrote:
You're forgetting that 587 *is authenticated, always*.
I'm not sure how that makes much of a difference since the usual spam vector is malware that has (almost) complete control of the machine in the first place.
Well, that depends on MUA design, of course, but it's just been pointed out to me that the RFC says MAY, not MUST.
Oops.
Does anyone bother to run an MSA on 587 and *not* require authentication?
Raises hand.
Why would the requirements for authentication be different depending on the port used to connect to the MTA?
No matter how a session comes into the MTA (port 25, 465, 587, anything else) and no matter whether it is encrypted or not, the requirement for authentication (which is always available and advertised) is based on a simple policy:
- local delivery originating from a non-blacklisted or "internal/customer" address does not require authentication;
- relay from "internal/customer" IP Addresses does not require authentication;
- any connection from a blacklisted IP requires authentication or no mail will be accepted;
- relay from "external/non-customer" IP Addresses requires authentication;
Is there a valid reason why a different configuration is justified?
As an aside, outbound port 25 traffic is also blocked except from the MTA.
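The source-based policy described in the message above, written out as a decision function (an added example, not from any poster in this thread and not tied to a particular MTA; the network ranges, blacklist entry and local domain are constructed sample values):

```python
import ipaddress
from enum import Enum

# Constructed sample policy data for this example; a real deployment
# would load its own customer ranges, blacklist and hosted domains.
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24"),
                 ipaddress.ip_network("2001:db8::/32")]
BLACKLIST = {ipaddress.ip_address("198.51.100.7")}
LOCAL_DOMAINS = {"example.net"}


class Verdict(Enum):
    ACCEPT = "250 accept"
    AUTH_REQUIRED = "530 authentication required"


def is_internal(ip):
    """True when the client address falls in a customer/internal range."""
    return any(ip in net for net in INTERNAL_NETS)


def is_local_recipient(rcpt: str) -> bool:
    """Local delivery means the recipient domain is one this MTA hosts."""
    return rcpt.rpartition("@")[2].lower() in LOCAL_DOMAINS


def decide(client_ip: str, rcpt: str, authenticated: bool,
           port: int = 25, encrypted: bool = False) -> Verdict:
    """Apply the four rules. 'port' and 'encrypted' are deliberately unused:
    the verdict depends only on where the session comes from and where the
    mail is going, not on which port or whether TLS is in use."""
    ip = ipaddress.ip_address(client_ip)
    # Rule 3: a blacklisted source must authenticate or nothing is
    # accepted, even for local delivery.
    if ip in BLACKLIST:
        return Verdict.ACCEPT if authenticated else Verdict.AUTH_REQUIRED
    # Rule 2: internal/customer addresses may relay anywhere.
    if is_internal(ip):
        return Verdict.ACCEPT
    # Rule 1: local delivery from a non-blacklisted external address.
    if is_local_recipient(rcpt):
        return Verdict.ACCEPT
    # Rule 4: relay from an external, non-customer address needs auth.
    return Verdict.ACCEPT if authenticated else Verdict.AUTH_REQUIRED
```

The same session evaluated on port 25 and on port 587 gets the same verdict, which is the point the poster makes about not varying the rules by port.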
I'm glad someone finally posted the above. When I came 'up through the ranks' the policy could be explained simply, by separating POP3 and SMTP. The following is the user's-perspective explanation I used to offer:

- Mail from World to Client is checked via user/password check (POP3 in your mail client). Because it's authenticated, it can be done from anywhere - subject to your ISP's policies on the subject.
- Mail from Client to World is not authenticated (generally speaking) but what is checked is where you are. The rules:
  - Mail from ISP-IP to ISP-SMTP-SERVER is accepted regardless of destination.
  - Mail from anywhere else to ISP-SMTP-SERVER is accepted only if the destination is 'local' to the ISP.
  - There's no reason to do anything else as a general rule.

Privately managed outbound mail solutions (such as a colo, or a corporate network, which subjects you to some other sort of validation before accepting your message) should be 'accountable' and, in order to circumvent Port 25 blocking, should be found on other ports anyway. Port 25 traffic should be subject to the above.

(I realise this doesn't account for SMTP-Auth. The reality today is that ISPs are blocking Port 25 to reduce spam from drones and that people should be prepared to work around this.)

So in terms of the OP, I don't see why joe-user on a dynamic-IP home connection should need the ability to use port 25 to talk to anywhere but their local ISP SMTP server on a normal basis[1]. They're not doing MX lookups so they're not going direct to remote MTAs[2]. Regardless of where they got the mail _from_, the outbound mail should be via SMTP to their local SMTP server.[3]

If you separate inbound (POP3) and outbound (SMTP) mail delivery in your thinking you can start to make sense of things (from a user's perspective). This is always the tack I've taken when trying to educate users about why their email outbound doesn't work when they're moving from ISP to ISP.

(At which point you offer them your authenticated-another-way service, such as 587 with SMTP auth.)

[1] Customers with a specific need to do so should have the means to opt out. I believe most of the ISPs in NZ who block 25-outbound from clients also offer this option.

[2] Customers doing MX lookups are either drones or people with mail servers at home. The former are obviously the target of the block. The latter are likely going to be any one of:
- Blocked by SORBS or similar as a dynamic IP
- Running a mail server in breach of AUP
- On a fixed IP and (theoretically) capable of securing their system and not being a drone or open mail relay (and being traceable via their ISP).

[3] Note also [2]. Outbound mail is associated with your ISP and their SMTP service. Has nothing to do with inbound mail. Nothing. Nada. Zip.

Or doesn't the rest of the world think like this?

Mark.

PS: It occurs to me that SPF has an influence here; if you're aggressively using it then you should also be offering alternatives to Port 25 SMTP. IMHO.