Marc Perkel wrote:
> John Rudd wrote:
>> Marc Perkel wrote:
>>> Jari Fredriksson wrote:
>>>> [EMAIL PROTECTED] wrote:
>>>>> If port 25 were blocked from consumers and they were forced to talk to
>>>>> servers on port 587, even without authentication, then a server could
>>>>> distinguish consumers from other servers. I think this kind of
>>>>> configuration could be used to help isolate virus infected computers
>>>>> from spamming and spreading.
>>>> What would prevent virus infected computers from using the port 587
>>>> if that would be the common usage?
>>> What would prevent it is that if you use separate servers or separate
>>> IP addresses for email that you are receiving from other servers
>>> than the ones that you use for outgoing customers then port 587 would
>>> be closed. 587 would only be open for customers (usually
>>> authenticated) on machines sending, not receiving email. Port 25 would
>>> become a server to server port and 587 would be a user to server
>>> port. Users would have port 25 blocked so they can't talk to the
>>> server to server traffic.
>> So, what about your customers who are out roaming, using random
>> hot-spots at cafes, with their laptops, who want to send an outgoing
>> email using the same client that they use when their laptop is at home?
>> Why can't they connect to the same mail server, using the same port
>> they always do, using SMTP-AUTH to prove who they are, and thus send
>> their outbound email? If you make them change ports just because
>> they're roaming, then you're making their mail server configurations
>> needlessly complicated.
>>
>> Yet, because they're on an IP you don't own (and that they don't own,
>> depending on how you register your "customer IPs"), you can't easily
>> detect whether or not they're your customer until they do the
>> SMTP-AUTH. So blocking 587 to IPs that aren't known to you will keep
>> your customers from having roaming laptops, smart cell phones, etc.
>> And blocking port 25 to IPs that are known to you won't keep your
>> customers from trying port 25 (if they happen to be out roaming).
>>
>> Roaming users are a reality that every non-trivial mail service needs
>> to support.
> I think you aren't understanding what I'm talking about. I have a server
> for outgoing email for roaming people with laptops with port 587 open so
> they can send email from anywhere. I have several other servers that are
> used as incoming email servers to accept email from the internet for
> 1600 domains and on those servers port 587 is closed because there is no
> reason for end users to talk to that server directly. The idea is to
> force outgoing consumer email to port 587 and server to server email on
> port 25. Then you can block port 25 for consumers so their viruses
> aren't hitting my incoming servers.

What stops your customers from submitting to port 25 on your port 25
machines, when they're out roaming (i.e. not on an IP address from which
you have blocked port 25 traffic)?

That's part of what I was saying. Simply segregating which IPs are
blocked for port 25 isn't going to help. You either have to restrict
roaming (bad) or you have to accept that they might connect to you on
port 25 when they're roaming.

IMO, SMTP-AUTH is a better arbiter of "is my user or isn't my user" than
what port they used or what IP address they are or aren't on.
Segregating by IP is pretty useless, except in whitelisting the machines
you directly manage. And I certainly don't use it as a part of virus
control.
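The two relay policies the thread argues over, as an added example that is not from any of the posters: a small Python model of a mail server's relay decision. Policy A trusts the source IP alone (relay from the provider's own ranges, otherwise local-domain mail only). Policy B gives each port a fixed role, 25 for server-to-server delivery that never relays and 587 for submission that relays only after SMTP-AUTH, which is the arrangement the thread converges on. The domains, address ranges and scenarios are constructed sample values, and the policy functions are my summary of the positions, not any poster's configuration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample data (not from the thread): domains this site is the MX for,
# and the address range of the machines the provider directly manages.
LOCAL_DOMAINS = {"example.com", "example.net"}
MANAGED_NETS = [ipaddress.ip_network("192.0.2.0/24")]


@dataclass(frozen=True)
class Session:
    port: int            # 25 = server-to-server, 587 = message submission
    client_ip: str       # address the client connected from
    authenticated: bool  # SMTP-AUTH completed successfully on this session
    rcpt_domain: str     # domain of the RCPT TO address


def from_managed_net(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MANAGED_NETS)


def decide_by_ip(s: Session) -> str:
    """Policy A: the source IP decides. Mail for local domains is always
    accepted; relaying elsewhere is allowed only from the provider's own
    address ranges. The listening port plays no role."""
    if s.rcpt_domain in LOCAL_DOMAINS:
        return "accept"
    if from_managed_net(s.client_ip):
        return "relay"
    return "reject: relay denied"


def decide_by_port_and_auth(s: Session) -> str:
    """Policy B: the port fixes the role and SMTP-AUTH is the arbiter.
    Port 25 is server-to-server only and never relays, whatever the source IP.
    Port 587 is submission only and relays for authenticated users and nobody else."""
    if s.port == 25:
        return "accept" if s.rcpt_domain in LOCAL_DOMAINS else "reject: relay denied"
    if s.port == 587:
        return "relay" if s.authenticated else "reject: authentication required"
    return "reject: unknown service port"


# Constructed scenarios drawn from the cases the thread raises.
SCENARIOS = {
    "customer at home, 587, authenticated":      Session(587, "192.0.2.10",   True,  "example.org"),
    "customer roaming, 587, authenticated":      Session(587, "203.0.113.5",  True,  "example.org"),
    "infected customer PC, 25, unauthenticated": Session(25,  "192.0.2.20",   False, "example.org"),
    "remote MX delivering to us, 25":            Session(25,  "198.51.100.7", False, "example.com"),
    "infected roaming host, 587, no auth":       Session(587, "203.0.113.9",  False, "example.org"),
}


def compare() -> dict:
    """Return {scenario: (policy A decision, policy B decision)}."""
    return {name: (decide_by_ip(s), decide_by_port_and_auth(s))
            for name, s in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (a, b) in compare().items():
        print(f"{name:45} ip-only: {a:22} port+auth: {b}")
```

Running it shows the two failure modes the thread describes side by side: under policy A the roaming customer is refused relay because their cafe address is unknown, while the infected PC on a managed address relays freely; under policy B the roaming customer relays after authenticating and the infected PC gets nothing from port 25 regardless of where it sits. The consumer-side egress block on port 25 that Marc describes is a network control outside the mail server and is deliberately not modelled here.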