
Consider also smtps port which should be treated like smtp port and not like submission port, or simply do not listen on smtps as TLS is available on smtp port via esmtp.

A lot of providers are now blocking smtp traffic from dynamic/residential IPs, and all clients support entering the submission port instead of the smtp port.

The advantage of this config is that, when you have a roaming user, they don't need to configure their email client depending on the network they are connecting to.

If you want to see the extent of the problem on your network, just go to http://www.uceprotect.net/en/rblcheck.php and enter your AS/network and see how many of your clients are spamming, due mainly to botnets.

----- Original Message -----
From: "Dave CROCKER" <dhc2@dcrocker.net>
To: nanog@nanog.org
Sent: Thursday, 22 April, 2010 10:17:28 AM
Subject: Re: Mail Submission Protocol

On 4/21/2010 6:49 AM, Claudio Lapidus wrote:
So we are considering ways to further filter this traffic. We are evaluating implementation of MSA through port 587.

RFC 5068, Email Submission Operations: Access and Accountability Requirements, is a BCP. It specifies authenticated port 587 for email submission across the net.

As others have noted, it works well through a wide variety of access environments. I don't remember the last time I found it blocked. I use it over TLS, of course.

Blocking of outbound port 25 for all hosts not explicitly authorized has become common.

The fact that 587 defaults to authenticated is the win.

d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net