RE: Why do so few mail providers support Port 587?
I just get sick of providers blocking traffic...their job is to PASS TRAFFIC. There must be a better solution, but laziness is getting the better of us all, as usual.

We've had so many problems with "IP Providers" blocking various "IP PROTOCOLS" that we've just ended up forcing all of our users to use VPN tunnels for everything...except when the providers block that!!! Then we're just screwed.

Anyways, just my two cents...

Please don't flame me, I'm just a lowly network guy....:)

- Erik

-----Original Message-----
From: Sean Donelan [mailto:sean@donelan.com]
Sent: Tuesday, February 15, 2005 8:00 PM
To: nanog@merit.edu
Subject: Why do so few mail providers support Port 587?

Although RFC2476 was published in December 1998, it's amazing how few mail providers support the Message Submission protocol for e-mail on Port 587. Even odder, some mail providers use other ports such as 26 or 2525, but not the RFC recommended Port 587 for remote authenticated mail access for users.

Large mail providers like AOL, GMAIL and Yahoo support authenticated mail on port 587; and some also support Port 465 for legacy SMTP/SSL. But a lot of universities and smaller mail providers don't. They still use SMTP Port 25 for roaming users. With AT&T, Earthlink, COX, Netzero and other ISPs filtering port 25 for years, I would have thought most mail providers would have started supporting Port 587 by now.

What can be done to encourage universities and other mail providers with large roaming user populations to support RFC2476/Port 587? What can be done to encourage the mail client software programmers (i.e. Outlook, Eudora, etc) to make Port 587 the default (or at least the first try) and let the user change it back to port 25 (or automatically fallback) if they are still using a legacy mail server.

Sendmail now includes Port 587, although some people disagree how it's done. But Exchange and other mail servers are still difficult for system administrators to configure Port 587 (if it doesn't say click here for Port 587 during the Windows installer, it's too complicated).
On Tue, Feb 15, 2005, Erik Amundson wrote:
I just get sick of providers blocking traffic...their job is to PASS TRAFFIC. There must be a better solution, but laziness is getting the better of us all, as usual.
We've had so many problems with "IP Providers" blocking various "IP PROTOCOLS" that we've just ended up forcing all of our users to use VPN tunnels for everything...except when the providers block that!!! Then we're just screwed.
Anyways, just my two cents...
Please don't flame me, I'm just a lowly network guy....:)
I used to agree with this. This was, of course, until I started being the poor sap at the end of the huge spam floods or massive DDoS attacks.

My upstream provider blocks the following ports, just as an example:

deny tcp any gt 1023 any eq 445
deny tcp any gt 1023 any eq 135
deny tcp any gt 1023 any eq 1025
deny tcp any gt 1023 any eq 2745
deny tcp any gt 1023 any eq 6129
deny tcp any gt 1023 any eq 9898 syn
deny tcp any gt 1023 any eq 5554 syn
deny tcp any gt 1023 any eq 1023 syn
deny tcp any gt 1023 any eq 139
deny tcp any gt 1023 any eq 1433
deny tcp any gt 1023 any eq 3127
deny tcp any gt 1023 any eq 5000
deny udp any gt 1023 any eq 1026
deny udp any gt 1023 any eq 1027
deny udp any gt 1023 any eq 1028
deny udp any gt 1023 any eq 1029
deny udp any gt 1023 any eq netbios-ns
deny udp any eq 4000 any gt 1023
deny udp any gt 1023 any eq 1434
permit ip any any

.. and they've reported to me (and I wonder if they're on the nanog list :) that they're seeing more traffic hit this ACL than 'normal' traffic passing. This may not hold true for /all/ network traffic and I'm sure a lot of you will be seeing different traffic patterns but it still shocked me.

I've had a few people request services which this ACL does filter and my reply is now always "use a VPN" or "use a tunnel" or "buy ${SMALL_VPN_APPLIANCE}".

I don't like filtering. I liked the day when my ISP's mailserver would break - so I'd just use another ISP for outbound mail until it was fixed. Sob.

Adrian

--
Adrian Chadd              "You don't have a TV? Then what's
<adrian@creative.net.au>   all your furniture pointing at?"
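As an added example (not part of Adrian's post or the NANOG thread), here is a small Python evaluator for the upstream ACL quoted above, using IOS first-match semantics, so a reader can check what the list actually stops: SMB to 445 from an ephemeral source port is denied, submission on 587 and SMTP on 25 pass untouched, and the `syn`-qualified lines only catch segments with SYN set. The mapping of the service name `netbios-ns` to port 137 is assumed from IOS convention, and the flow tuples fed to `evaluate()` are constructed.

```python
ACL_TEXT = """\
deny tcp any gt 1023 any eq 445
deny tcp any gt 1023 any eq 135
deny tcp any gt 1023 any eq 1025
deny tcp any gt 1023 any eq 2745
deny tcp any gt 1023 any eq 6129
deny tcp any gt 1023 any eq 9898 syn
deny tcp any gt 1023 any eq 5554 syn
deny tcp any gt 1023 any eq 1023 syn
deny tcp any gt 1023 any eq 139
deny tcp any gt 1023 any eq 1433
deny tcp any gt 1023 any eq 3127
deny tcp any gt 1023 any eq 5000
deny udp any gt 1023 any eq 1026
deny udp any gt 1023 any eq 1027
deny udp any gt 1023 any eq 1028
deny udp any gt 1023 any eq 1029
deny udp any gt 1023 any eq netbios-ns
deny udp any eq 4000 any gt 1023
deny udp any gt 1023 any eq 1434
permit ip any any
"""

def _port(tok):
    # IOS accepts service names in place of port numbers; netbios-ns (137, assumed) is the only one used above
    return {"netbios-ns": 137}.get(tok) or int(tok)

def parse_acl(text):
    # Each line: action proto <src> [op port] <dst> [op port] [syn]; only 'any' addresses occur here
    rules = []
    for line in text.splitlines():
        t, conds, i = line.split(), [], 2        # t[0]=action, t[1]=protocol, t[2]=source address
        for _ in range(2):                       # source qualifier, then destination qualifier
            has_op = i + 1 < len(t) and t[i + 1] in ("eq", "gt", "lt")
            conds.append((t[i + 1], _port(t[i + 2])) if has_op else None)
            i += 3 if has_op else 1              # skip address plus optional 'op port'
        rules.append((t[0], t[1], conds[0], conds[1], i < len(t) and t[i] == "syn"))
    return rules

def _port_ok(cond, port):
    ops = {"eq": int.__eq__, "gt": int.__gt__, "lt": int.__lt__}
    return cond is None or ops[cond[0]](port, cond[1])

def evaluate(rules, proto, sport, dport, syn=False):
    # First match wins; 'syn' rules see only SYN segments; no match at all is IOS's implicit deny
    for action, rproto, sc, dc, rsyn in rules:
        if rproto in ("ip", proto) and (syn or not rsyn) and _port_ok(sc, sport) and _port_ok(dc, dport):
            return action
    return "deny"
```

Every deny line qualifies the source with `gt 1023`, so the same destination port reached from a low source port passes this list; keep that in mind before reusing it as a detection filter.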
<dons ISP hat>

We get sick of blocking ports. We're little guys. About 10,000 users. Yesterday, we blocked 11025 connections either inbound to addresses that aren't mail servers, or outbound from addresses that aren't supposed to be mail servers.

This is a case of those that know a little too much preying on those that don't know quite enough with those that don't have enough of anything trying to stop it from happening.

I can't flame you. I fully agree with you. But until I can find a way to stop the Big Bad Wolf from huffing and puffing, the house will be made of bricks, and the door will be locked.

Bob Martin

Erik wrote:
I just get sick of providers blocking traffic...their job is to PASS TRAFFIC. There must be a better solution, but laziness is getting the better of us all, as usual.
We've had so many problems with "IP Providers" blocking various "IP PROTOCOLS" that we've just ended up forcing all of our users to use VPN tunnels for everything...except when the providers block that!!! Then we're just screwed.
Anyways, just my two cents...
Please don't flame me, I'm just a lowly network guy....:)
- Erik
-----Original Message-----
From: Sean Donelan [mailto:sean@donelan.com]
Sent: Tuesday, February 15, 2005 8:00 PM
To: nanog@merit.edu
Subject: Why do so few mail providers support Port 587?
Although RFC2476 was published in December 1998, it's amazing how few mail providers support the Message Submission protocol for e-mail on Port 587. Even odder, some mail providers use other ports such as 26 or 2525, but not the RFC recommended Port 587 for remote authenticated mail access for users.
Large mail providers like AOL, GMAIL and Yahoo support authenticated mail on port 587; and some also support Port 465 for legacy SMTP/SSL. But a lot of universities and smaller mail providers don't. They still use SMTP Port 25 for roaming users. With AT&T, Earthlink, COX, Netzero and other ISPs filtering port 25 for years, I would have thought most mail providers would have started supporting Port 587 by now.
What can be done to encourage universities and other mail providers with large roaming user populations to support RFC2476/Port 587? What can be done to encourage the mail client software programmers (i.e. Outlook, Eudora, etc) to make Port 587 the default (or at least the first try) and let the user change it back to port 25 (or automatically fallback) if they are still using a legacy mail server.
Sendmail now includes Port 587, although some people disagree how it's done. But Exchange and other mail servers are still difficult for system administrators to configure Port 587 (if it doesn't say click here for Port 587 during the Windows installer, it's too complicated).