>> Just plain disallow direct to port 25 connections. There's no reason
>> for it for random client machines. If they need to use their own ISP
>> or office mail server, they can use the SMTP submission port, or a
>> VPN.

Ditto; most SMTP service providers recognize that 25 outbound is disallowed in many places and have both provided alternate ports and the instructions on how to use them.

> The problem with this is that most people have no clue how to use a
> submission port or a VPN. So at a cafe blocking port 25 will basically be
> tantamount to telling about 90% of your users to go away and not come to
> your cafe. They will go to another cafe where they can send mail without
> trouble.

I strongly disagree - I run a pair of pfSense boxes at the head of a very large public wifi network, outright rejecting all tcp/25 traffic and have had precisely one complaint: from an internal employee who was trying to get their personal laptop on and use it for their home mail. A short chat later, they learned to use their ISP's authenticated server and stopped complaining.

> You could try traffic shaping port 25. You could give it 20 seconds of high
> bandwidth followed by shaping down to something really slow.

An alternative would be to set an allow rule with a rate-limit on the port (allow 1/sec), immediately followed by a deny rule. This wouldn't stop some spam, but it would very seriously hinder it.

Although setting up a spam filter would be nice, that's likely more overhead and headache than you will want to engage. Especially since you'd be scanning random end-users' email and dictating whether it is sufficiently righteous to pass. Not ground I'd want to encroach.

RB
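
The rate-limited allow rule followed by a deny rule, modelled as a small first-match simulation. This is an added example, not part of the original message and not pfSense code. The fixed one-second window, the client addresses, the traffic and the `per_source` switch are assumptions, since the message does not say whether the 1/sec limit is shared by all clients or counted per source.

```python
from collections import Counter

SMTP_PORT = 25
BOT, LAPTOP = "192.0.2.66", "192.0.2.20"   # constructed client addresses

# Constructed traffic, (time_ms, source, dest_port): a spam bot opening 50
# connections/sec for 10 s, one laptop sending a single mail mid-burst, and
# the same laptop using the submission port.
ATTEMPTS = [(i * 20, BOT, SMTP_PORT) for i in range(500)]
ATTEMPTS += [(4510, LAPTOP, SMTP_PORT), (5000, LAPTOP, 587)]

def evaluate(attempts, rate=1, per_source=False):
    """First-match evaluation of the rule pair over connection attempts.

    Rule 1: allow tcp/25 while fewer than `rate` connections have been
            allowed in the current one-second window.
    Rule 2: deny tcp/25.
    Other ports are outside the pair and are reported as "other".
    """
    allowed = Counter()
    verdicts = []
    for t_ms, src, dport in sorted(attempts):
        if dport != SMTP_PORT:
            verdicts.append((src, dport, "other"))
            continue
        key = (src, t_ms // 1000) if per_source else t_ms // 1000
        if allowed[key] < rate:
            allowed[key] += 1
            verdicts.append((src, dport, "allow"))   # rule 1 matched
        else:
            verdicts.append((src, dport, "deny"))    # fell through to rule 2
    return verdicts

def summarize(verdicts):
    """Per-source count of allow/deny verdicts for tcp/25."""
    out = {}
    for src, dport, verdict in verdicts:
        if dport == SMTP_PORT:
            out.setdefault(src, Counter())[verdict] += 1
    return out

if __name__ == "__main__":
    for label, per_source in (("shared limit", False), ("per-source limit", True)):
        print(label, summarize(evaluate(ATTEMPTS, per_source=per_source)))
```

With a shared limit the bot's 500 attempts shrink to 10 delivered connections, but the laptop's single message is denied because the bot already used that second's slot; counting per source keeps the same cap on the bot and lets the laptop through.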