On Wed, 25 May 2005 08:51:18 -0500 (CDT), Ian Mitchell wrote

> Personally, I'm highly opposed to blocking outbound port 25. There
> are some of us who don't have the resources to run a domain on a business
> class line.

Where are you located at? We charge $5.00/mo for a single static IP, which would most likely work in your situation (we are in Sprint/Bellsouth ILEC areas). Doesn't matter if you are DSL or dial-up for that price (but an MTA on the other side of a dialup.. yuck!). With dedicated circuits we usually include a single or small block depending on the circuit (as most ILECs will as well) after you justify the space allocation (we use ARIN's forms since that's what we need to fill out as well).

> So by cutting our port 25, we are now forced to limit which domains
> we can send email to. I have to add special rules to those specific
> domains that choose to deny my emails to forward through my ISP's
> MTA. The point of running an MTA is so you don't have to do that.

Running an MTA on the other side of dynamic IP space is usually a bad idea unless you forward all of it through your provider's MTA from your own (easy to do in sendmail). Otherwise you will end up being blocked by a LARGE number of providers using DNSBLs for dynamic IP space.

>
> > * block outbound port 25 except for designated MTAs. Define a SPF record
> > for said MTAs. Implement SMTP Auth.
>
> Only if the email presents itself as being from that domain; if someone's
> running a domain on an IP of that ISP, then that domain should have
> an SPF record that SHOULD allow the emails to go through. I
> advertise a hard SPF record for my domain; I allow email to only
> come from my IP. Unfortunately, due to the rules that I have to set
> up for certain ISPs that limit port 25, I have to allow my ISP to
> act as a relay in the SPF record as well. Not my most ideal
> solution. But it's that kind of backwardness you get when people
> start breaking things ;)

Wow, first off, are you rewriting your SPF records every time your IP updates via the dynamic IP space via mydyndns.org? Your SPF record allows your current dynamic IP as well as charter.com's SPF record, if any (your cable provider).

Honestly, I would bet you are in violation of RFC2821 with regard to reverse DNS requirements for an SMTP server; you are against the thought that your ISP (charter) might (and most likely will) start blocking port 25 outbound and that you might have to require your private MTA (rogue MTA) to relay all of its outbound mail through charter's mail servers, which is actually how it should have been set up in the first place (and again, is pretty easy to do, just involves a few mc file edits to hide your MTA as the originator); and you claim all of this due to either your security expertise or to not being able to afford a static IP assignment? Look at the bigger picture.

Also, I do hope you have a business account with charter, as they specifically forbid "servers" in their terms of service agreement for residential accounts. Also, I know Cox Communications and Time Warner here both provide a single static for no extra cost if you ask for a business account, and pretty much all of the DSL providers, including my ISP, do for business-level DSL accounts and can for residential for a small fee ($5.00/mo from us for a single static).

Sorry, I just can't help but shudder at the thought of running a business's MTA and MX of record over a dynamic IP using dyndns or any similar service, esp. since the risks are so high and the cost to do it right is probably about the same you are paying to dyndns for their service.

Jim

--
EsisNet.com Webmail Client

_______________________________________________
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[email protected]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
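The "few mc file edits" Jim refers to, as an added example (this is not configuration from the original post or from either poster): a sendmail.mc fragment for a home MTA on a dynamic address that hands every outbound message to the ISP's relay and masquerades the originating host. All host names, the domain, the relay port and the credentials file contents are placeholder assumptions.

```m4
dnl Added example (not from the post): sendmail.mc fragment for an MTA on a
dnl dynamic address that relays everything through the ISP's mail server.
dnl smtp.isp.example.net, example.org, home.example.org, port 587 and the
dnl credentials shown are assumptions, not values from the mailing list.

dnl Every message not destined for a local mailbox goes to the ISP's relay
dnl rather than straight to the remote MX, so the dynamic IP never opens a
dnl port 25 connection to the outside world and never shows up as the
dnl connecting host in a remote server's logs or DNSBL lookups.
define(`SMART_HOST', `esmtp:smtp.isp.example.net')dnl

dnl If the ISP blocks outbound 25 even to its own relay, talk to the
dnl submission port instead. The default value is `TCP $h' (port 25).
define(`RELAY_MAILER_ARGS', `TCP $h 587')dnl

dnl Hide the originating host: rewrite header and envelope sender addresses
dnl from mail.home.example.org (and any host under home.example.org) to the
dnl bare domain, so nothing downstream sees the dynamic hostname.
MASQUERADE_AS(`example.org')dnl
MASQUERADE_DOMAIN(`home.example.org')dnl
FEATURE(`masquerade_entire_domain')dnl
FEATURE(`masquerade_envelope')dnl

dnl Authenticate to the relay as an SMTP AUTH client. Credentials live in
dnl /etc/mail/authinfo (mode 0600, built into authinfo.db with makemap),
dnl one line per relay, e.g.:
dnl   AuthInfo:smtp.isp.example.net "U:jim" "P:secret" "M:PLAIN"
FEATURE(`authinfo', `hash -o /etc/mail/authinfo.db')dnl

dnl Only the local machine submits mail to this MTA; do not listen on the
dnl dynamic address at all, so the box cannot be probed or abused as a relay.
DAEMON_OPTIONS(`Port=smtp, Addr=127.0.0.1, Name=MTA')dnl
```

After editing, rebuild and reload in the usual way: `m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf`, `makemap hash /etc/mail/authinfo.db < /etc/mail/authinfo`, then restart sendmail. With this in place the dynamic address never connects to a remote MX directly, so the domain's SPF record only has to authorize the ISP's outbound relays (via the `include:` mechanism if the ISP publishes one), and it no longer has to be rewritten each time the dynamic IP changes. The `Addr=127.0.0.1` daemon option is a deliberate hardening choice for a pure outbound relay; a host that also needs to receive mail on that address would have to listen externally and is exactly the MX-on-dynamic-IP setup Jim is arguing against.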

