OK, so we are passing back and forth negatives/positives of our current SMTP policy, and are looking for answers on what others are doing. I'm going to list what we have done and what we are currently doing, and I'm looking for feedback on what you do...

Option 1. Block all outgoing port 25 with the exception of your own mail server. Allow for relaying of all email originating from your network. You are now open to viruses that spam on your network, getting you listed as a spam server.

Option 2. Block all outgoing port 25 with the exception of your own mail server, require authentication to send email from your server, using the same authentication that is being done with POP3/IMAP. This works fine, users authenticate, however dictionary attacks leave you open to spammers taking control of a user account and using you to spam.

Option 3. Block all outgoing port 25 with the exception of your own mail server, require authentication to send email from your server, using the same authentication that is being done with POP3/IMAP. Require all users who authenticate to only email using the authenticated email address. This works fine, users authenticate, prevents dictionary attacks because now the spammer has to identify themselves as the email address for the account they are using, and can't use a simple username as "joe", meaning user joe has to send as j...@shelbybb.com and know the j...@shelbybb.com is the full email account. We host multiple domains, so j...@shelbywireless.com works but not j...@shelbybb.com for example. This however also affects people who have outside email accounts, as they can no longer send email using that outside account. My response here is that a large amount of hosts use port 587 as the alternate mail server, and for us that is an acceptable workaround that our users will have to do. This is what we currently do.

Option 4. Leave port 25 open, set up a rule in the firewall to monitor the amount of messages going through and add to address list when they breach the threshold.

Regards,
Chuck Hogg
Shelby Broadband
502-722-9292
ch...@shelbybb.com
http://www.shelbybb.com
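
The threshold rule described in Option 4, modeled offline as an added example (not part of the original post and not any firewall's own syntax). It assumes the firewall can only count new outbound port-25 connections per source, used here as a proxy for messages; the window, limit, addresses and sample events are all constructed.

```python
from collections import defaultdict, deque

# Assumed policy values for illustration; tune to your own network.
WINDOW_SECONDS = 60            # sliding window length
MAX_CONNECTIONS = 20           # new port-25 connections allowed per window
MAIL_SERVERS = {"10.0.0.25"}   # constructed: your own relay, always exempt


def build_sample():
    """Constructed events: (unix_time, source_ip, dest_port) per new connection."""
    events = []
    # Normal customer: three messages spread over a few minutes.
    events += [(1000 + i * 100, "10.0.1.10", 25) for i in range(3)]
    # Infected host: 40 connections in 40 seconds.
    events += [(1200 + i, "10.0.1.66", 25) for i in range(40)]
    # Your own mail server legitimately sends a lot.
    events += [(1200 + i, "10.0.0.25", 25) for i in range(100)]
    # Submission on port 587 is authenticated and not counted by this rule.
    events += [(1300 + i, "10.0.1.77", 587) for i in range(50)]
    return sorted(events)


def find_offenders(events, window=WINDOW_SECONDS, limit=MAX_CONNECTIONS,
                   exempt=MAIL_SERVERS):
    """Return {source_ip: time the threshold was first breached}.

    Mirrors a firewall rule that adds a source to an address list once it
    opens more than `limit` port-25 connections within `window` seconds.
    """
    recent = defaultdict(deque)   # per-source timestamps inside the window
    address_list = {}
    for ts, src, dport in events:
        if dport != 25 or src in exempt or src in address_list:
            continue
        q = recent[src]
        q.append(ts)
        # Drop connections that have aged out of the sliding window.
        while q and q[0] <= ts - window:
            q.popleft()
        if len(q) > limit:
            address_list[src] = ts
    return address_list


if __name__ == "__main__":
    for ip, when in find_offenders(build_sample()).items():
        print(f"{ip} exceeded the port-25 threshold at t={when}")
```

Because one SMTP connection can carry many messages, a connection count understates volume; pair it with per-account limits on the mail server if the goal is to cap messages rather than sessions.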