On 15/07/2011 22:15, l...@airstreamcomm.net wrote:
> We are an ISP of about 60,000 customers, and in the past our systems were
> set up to allow networks from mynetworks (a large number of IPs) as well as
> a lookup table that allows users who have previously popped the server to
> relay mail.  We recently added SMTP Auth capability, and are seriously
> considering moving solely to SMTP Auth for access to our outbound mail
> system.  Our reasoning is that compromised computers on our allowed
> networks are free to send all the spam they want and we really don't have a
> good way to track what users are sending the spam.  We do have outbound
> email filtering, so the spam doesn't leave the network.  Another reason for
> wanting to drop mynetworks and pop before smtp is simplification of our
> systems.  Keeping up with the IPs in mynetworks is a hassle, and the pop
> before smtp seems redundant when you think these customers could be
> authenticating with SMTP Auth.  The best feature of SMTP Auth in our
> opinion is that it leaves an audit trail of who is sending email, in what
> quantity, and where they are connecting from, which allows us to track
> spammers more effectively. 
> 
> To summarize, we think SMTP Auth is the simplest and most useful way to
> allow people to send mail through our outbound mail system, and we are
> hoping to get some feedback from the community regarding this perspective.
> 

The big issue here isn't technical. It's about the cost of support when
your customers call you because their old setup doesn't work anymore.

I'd recommend taking a smooth path:

- Document your "future" setup, so that people can share it. After some
time, "everybody" will know about it. This should reduce your support
costs.
- Make it easy for people to use the "future" setup. Write clear
documentation, help pages, etc. (actually, this is one thing that we
should all work on, because it is "common").
- Enforce the new setup for new customers.
- For other customers, send an email asking 'em to visit a link that
explains the "new" setup. Give 'em an incentive to accept the new behaviour.

Back to tech stuff:

It would be good to move to port 587 (submission) with TLS and SASL. To
be nice with people using oldware, smtps should be supported as well.

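The audit trail described in the quoted message (who is sending, in what quantity, and from where), as an added example that is not part of either message. It assumes the relay is Postfix logging in its usual syslog format; the log lines, user names, and thresholds are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in Postfix syslog format (assumption: the relay is Postfix).
SAMPLE_LOG = """\
Jul 15 22:01:10 mx postfix/submission/smtpd[2101]: 3F2A1C0012: client=dsl-10.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=alice
Jul 15 22:01:10 mx postfix/qmgr[900]: 3F2A1C0012: from=<alice@example.net>, size=1834, nrcpt=1 (queue active)
Jul 15 22:02:41 mx postfix/submission/smtpd[2107]: 4A7B2C0013: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=bob
Jul 15 22:02:41 mx postfix/qmgr[900]: 4A7B2C0013: from=<promo@example.org>, size=9120, nrcpt=80 (queue active)
Jul 15 22:03:05 mx postfix/smtps/smtpd[2110]: 5C9D3C0014: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=bob
Jul 15 22:03:05 mx postfix/qmgr[900]: 5C9D3C0014: from=<promo@example.org>, size=9120, nrcpt=75 (queue active)
Jul 15 22:04:30 mx postfix/smtpd[2115]: 6E1F4C0015: client=lan-7.example.net[192.0.2.77]
Jul 15 22:04:30 mx postfix/qmgr[900]: 6E1F4C0015: from=<carol@example.net>, size=2210, nrcpt=40 (queue active)
"""

# smtpd logs the SASL login next to the queue ID; qmgr logs the recipient count.
AUTH_RE = re.compile(
    r"postfix/(?:[\w-]+/)?smtpd\[\d+\]: (?P<qid>[0-9A-Za-z]+): "
    r"client=[^\[]*\[(?P<ip>[^\]]+)\].*?sasl_username=(?P<user>[^,\s]+)")
QMGR_RE = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-Za-z]+): from=<[^>]*>, "
    r"size=\d+, nrcpt=(?P<nrcpt>\d+)")

def audit(lines):
    """Per authenticated user: messages, recipients, and source IPs."""
    owner = {}  # queue ID -> SASL user that submitted it
    stats = defaultdict(lambda: {"messages": 0, "recipients": 0, "ips": set()})
    for line in lines:
        m = AUTH_RE.search(line)
        if m:
            owner[m["qid"]] = m["user"]
            stats[m["user"]]["messages"] += 1
            stats[m["user"]]["ips"].add(m["ip"])
            continue
        m = QMGR_RE.search(line)
        if m and m["qid"] in owner:
            # pop(): qmgr repeats this line when a deferred message is retried
            stats[owner.pop(m["qid"])]["recipients"] += int(m["nrcpt"])
    return dict(stats)

def flag(stats, max_recipients=100, max_ips=3):
    """Accounts over the (hypothetical) per-log-window thresholds."""
    return sorted(u for u, s in stats.items()
                  if s["recipients"] > max_recipients or len(s["ips"]) > max_ips)

if __name__ == "__main__":
    report = audit(SAMPLE_LOG.splitlines())
    print(report, flag(report))
```

The last message in the sample was relayed without authentication, so it is attributed to no account; this is the traffic that stays untracked while mynetworks relaying remains enabled.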