John wrote quoting Lucky:
> > Locate the button in your MUA that's labeled "Use secure connection"
> > or something to that effect, search the docs for your MTA for the
> > words "STARTTLS", "relaying", and potentially "SASL", don't use your
> > ISP's smtp server, encourage those that you are communicating with to
> > do the same, and the email data retention laws will be of no bother to
> > you.
> However, your ISP will cut you off for "spamming", by which
> they mean sending emails toward their destination without
> going via the ISP's wiretap point, I mean mail relay machine.
> All you anti-spam bastards wanted ways to control what people
> are allowed to send you, regardless of the cost in broken
> protocols, savaged freedoms, and user inconvenience.  OK, now
> you have a bunch of controls, stop whining when they are used
> to control YOU!  (Of course, the spam hasn't stopped coming
> in anyway, so you get the worst of both worlds.)

I share John's dislike for the (thoroughly ineffective, except in making
the lives of legitimate users more difficult) anti-spam zealots and
anybody else upstream from me that deems it necessary or even acceptable
to do anything other than to forward raw IP packets addressed to my IP
address unmodified. In fact, I cautioned various anti-spam activists
back around 1994/95 where their objectives would lead, but it was to no
avail. An experience that John is undoubtedly familiar with.

Nonetheless, I would not run an open relay today simply due to the fact
that I want the postmaster alias to remain useful for submitting reports
of actual mail sub-system problems on my system. And, yes, because I
would loathe to see's very pleasing 100Mbps upstream
connection cut.

Fortunately, what I am suggesting can be accomplished without running an
open relay on port 25, which /will/ cause you pain.

I am limiting relaying on port 25 smtp to authorized users by using
Cyrus-SASL, which integrates cleanly with postfix + TLS as the MTA.
Since Outlook only provides the plaintext variant of SASL
authentication, my MTA is configured to not offer smtp AUTH as an option
until after the TLS connection has been established to prevent
eavesdroppers from capturing the relaying authentication password.

Since more and more misguided ISPs are flat out blocking outgoing
connections to port 25 from inside their network, I have postfix
listening at a higher port number in addition to port 25, just as many
hosts today are running sshd on several ports to help compensate for
similarly misguided corporate firewall policies.

One probably could get away without using SASL just by running the smtpd
on a non-standard port, since AFAIK spammers only try port 25, at least
at the moment, but enabling SASL was so easy with postfix that I saw
little reason not to do so. Besides, it was the more esthetically
pleasing solution.

>       John
>       (off the Internet for months now, getting email via uucp,
>        since Verio cut off my T1 for running an "open relay", i.e.
>        a box that would accept email like what Lucky proposes)

UUCP, eh? Well, having just watched my ISP's primary upstream provider
essentially melt down and the replacement likely to do so soon, I had
myself briefly considered retrieving my old UUCP books from storage just
in case the need should suddenly arise. :-) Hmm, I wonder where one gets
a UUCP link nowadays. Guess I should take a look at the current maps.
(The following offer is specifically for John: let me know if you'd like
a relay and I'll gladly give you a UID/PW for my not-quite-open mail
relay. I have little doubt that any and all traffic in and out of that
particular machine has been logged since it first came online 7 years
ago. I don't care, since any significant traffic is encrypted. YMMV. Oh,
and yes, of course supports IPSec under both IPv4 and
IPv6 in addition to higher-level encryption protocols such as smtp's

--Lucky "strong crypto sure has become amazingly inexpensive and easy to
use" Green
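A Postfix configuration matching what Lucky describes above (SASL relay authentication, AUTH advertised only after TLS, and an extra listener on a higher port), added here as an example and not taken from the post. It assumes the Postfix 2.3+ parameter names and placeholder certificate paths; the weak setting is shown commented out beside the corrected one.

```conf
# --- /etc/postfix/main.cf ---
# Offer STARTTLS on every smtpd session (cert/key paths are placeholders).
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/example-cert.pem
smtpd_tls_key_file  = /etc/postfix/example-key.pem

# Relay authentication through Cyrus-SASL, as in the post.
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = cyrus
# Old Outlook/Outlook Express clients expect the non-standard "AUTH=" EHLO line.
broken_sasl_auth_clients = yes

# WEAK: with the default "no", AUTH is advertised on the cleartext session
# too, so a PLAIN or LOGIN password can be read off the wire.
#smtpd_tls_auth_only = no
# CORRECTED: advertise AUTH only after STARTTLS has completed.
smtpd_tls_auth_only = yes

# Relay only for authenticated users (and the local networks); everyone else
# may only deliver to domains this host is responsible for, so no open relay.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

# --- /etc/postfix/master.cf ---
# Second listener on port 587 for users whose ISP blocks outbound port 25.
# Here TLS is mandatory and only authenticated clients get past the greeting.
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
```

To confirm the AUTH-only-after-TLS behaviour, compare the EHLO response of a cleartext session with the one shown by `openssl s_client -starttls smtp -connect mailhost:587` (mailhost being your own server): the AUTH line should appear only in the latter.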

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
