I agree with no ports being inherently "safer" than others... I myself was wary at first that this RFC was trying to implement a "security through obscurity" process. After trying to understand the practical use of running 2 SMTP servers with different functions and on different ports I came to realize that there was a real need for this measure. I know this is sort of "off-topic" for this forum, but for those that stumble onto this thread it may make sense to understand why I think that the possibility of running 2 SMTP servers was after all not a bad idea, and should definitely be available in JBoss Mail (and btw I am glad to see that it will be).
Because spammers abuse open relays, which most often are found on port 25 SMTP servers, some ISPs block out-of-network calls to this port if they don't originate from their mail servers. Now, a well-configured TLS/SSL SMTP server is not an open relay, nor an easy target for abuse... regardless of what port it's on, but an ISP has no way of knowing whether this is the case or not. Blocking port 25 across the board is their only way to make sure a spammer can't use their network to abuse an open relay. If SMTP servers found on port 587 are implemented with TLS/SSL as a standard measure (which seems to be the common practice), they will very rarely be the target of abuse (i.e. only if the security is weak, like bad passwords). Therefore servers running on these ports won't be subjected to the same blocking policies as port 25, because ISPs won't see the spammer abuse on those ports very often at all.

The ability to use port 587 is really most beneficial to roaming users and users permanently outside the network, since inside your own network your users should send mail through your server anyway. Normally, if you couldn't connect to port 25 for your mail server from a remote network, you'd have the option to use that network's mail server and still send email with your regular domain's email address... however, SPF and DomainKeys are changing the rules for that in an effort to curb some forms of spam, and now using your domain's mail server has become the preferred method for on- and out-of-network users.

Of course, if everyone implemented TLS/SSL for relaying on every SMTP server out there, the problem would be solved and using port 587 would be unnecessary. The reality is that SMTP servers on port 25 are an unknown entity right now, so standardizing the use of an alternate port helps migrate everyone in a way that can be easily tested by ISPs' firewall rules. Ideal?... no, but it serves the right purpose.

Pablo.
View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3870498#3870498

JBoss-Development mailing list: https://lists.sourceforge.net/lists/listinfo/jboss-development
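The two-listener setup the post argues for, as an added example that is not part of the original post or of JBoss Mail: a Postfix configuration (assumed) in which port 25 only accepts inbound mail for the local domains and never relays for unauthenticated clients, while a second listener on port 587 requires TLS and SMTP AUTH before it relays anything. The domain, network range and certificate paths are constructed placeholders.

```conf
# ---- main.cf (constructed example; Postfix assumed, not JBoss Mail's config) ----
# Domains this host is the final destination for; everything else is "relaying".
mydestination = example.com, localhost
# Trusted internal network (placeholder range) that may relay without logging in.
mynetworks = 127.0.0.0/8, 192.0.2.0/24
# Placeholder certificate and key paths.
smtpd_tls_cert_file = /etc/postfix/cert.pem
smtpd_tls_key_file = /etc/postfix/key.pem

# Defaults apply to the port 25 (MX) listener: TLS is offered but optional,
# SMTP AUTH is not offered, and mail for foreign domains is refused unless it
# comes from mynetworks. This is what keeps port 25 from being an open relay.
smtpd_tls_security_level = may
smtpd_sasl_auth_enable = no
smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination

# ---- master.cf (same constructed example) ----
# The submission listener on port 587. The -o lines override main.cf for this
# service only: TLS is mandatory before any credentials are sent, SMTP AUTH is
# enabled, and only authenticated clients may relay. A roaming user whose ISP
# blocks outbound port 25 connects here instead; an unauthenticated spammer is
# rejected at RCPT TO, so the ISP sees no relay abuse on this port.
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
```

To check the split from outside, `openssl s_client -starttls smtp -connect mail.example.com:587` should complete a TLS handshake and then advertise AUTH in the EHLO response, while a plain session to port 25 should answer a RCPT TO for a foreign domain with a relay-denied rejection.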
