Hi Justin (and all others on-list)
I understand your grounds for blocking outbound SMTP for your customers (especially those on dynamic IP connections).
It probably will do good to block infected customers that are spewing spam all over the world.
However, considering the number of mobile workers out there who send email via their laptops to corporate SMTP servers, won't blocking outbound SMTP affect them?
Since these corporate types (I'm guessing here) are probably unaware of how to change their email client's SMTP configurations, chances are that blocking outbound SMTP will probably cause quite a lot of pain.
After all, there are also those who frequently move from place to place so they're going to have to keep changing SMTP servers every time they go to a new place that's on a different ISP.
Cheers
For what it's worth, that's what port 587 was created for.
And wouldn't those corporate types require VPN to access the network?
On top of that, most who "block" 25 don't block it but direct it to
internal mail servers where it can be subjected to limits and filtering.
Andy
Hi Andy (and all who responded),
Thanks for the heads-up on the redirection on SMTP traffic. I've yet to see an implementation of it but I agree that it's a possible solution.
As for the issue I raised previously, perhaps corporate users isn't a good example but what about users of email services such as Gmail and the like?
Some users do use the SMTP service instead of the web interface. But redirection should do the trick.
And thanks to all who remind me about rfc 2476 - I'm not a mail admin so I'm not familiar with it but I'll read up on it.
Andy Dills wrote:
Hi Justin (and all others on-list)
I understand your grounds for blocking outbound SMTP for your customers
(especially those on dynamic IP connections).
It probably will do good to block infected customers that are spewing
spam all over the world.
However, considering the number of mobile workers out there who send
email via their laptops to corporate SMTP servers, won't blocking
outbound SMTP affect them?
vpns fix this...
Since these corporate types (I'm guessing here) are probably unaware of
how to change their email client's SMTP configurations, chances are that
blocking outbound SMTP will probably cause quite a lot of pain.
uunet dialup has blocked port25 in both directions since 2002...
little to no complaints. (well, they may have received complaints
since I left, but... thank John StClair for the work behind that
filtering actually.)
After all, there are also those who frequently move from place to place
so they're going to have to keep changing SMTP servers every time they
go to a new place that's on a different ISP.
many config's actually just use WCCP to transparently redirect your
smtp to an authorized SMTP server as Andy Dills points out.
-Chris
Ang Kah Yik wrote:
However, considering the number of mobile workers out there who send email via their laptops to corporate SMTP servers, won't blocking outbound SMTP affect them?
After all, there are also those who frequently move from place to place so they're going to have to keep changing SMTP servers every time they go to a new place that's on a different ISP.
Thanks for joining the discussion. Frankly I'd be surprised to find many corps with an externally-accessible SMTP server that would accept mail on tcp/25. The only way they'd do it is with SMTP AUTH which (hopefully) implies the use of SMTP TLS as well. I know of very few corps that actually do this. Most of the corps I can think of are either running Exchange and utilizing RPC over HTTP, simply point their users to their company's webmail server, or require that their users VPN back to HQ to access their internal MTA. The sites that I can think of with external user-accessible SMTP daemons are entities with highly technical users. They utilize SMTP AUTH, TLS, and the Mail Submission Port on tcp/587. I'm afraid they are in the minority though.
The MSP port is the best way to get around the blocks with decent MTAs. Your local MTA's support for other non-standard mechanisms for relaying mail from untrusted networks may also help with this problem (RPC over HTTP). Other than that I don't think there's enough demand for outgoing SMTP from the masses to warrant not blocking it. Redirecting generally takes care of that anyway.
Thanks for the input though. All thoughts are welcome.
Justin
Those using Google for SMTP can still use their ISP's SMTP servers for
outbound....
Frank
Doesn't anyone RTFM before posting anymore?
http://mail.google.com/support/bin/answer.py?hl=en&answer=13287
# Configure your client to match the settings below:
Incoming Mail (POP3) Server - requires SSL: pop.gmail.com
Use SSL: Yes
Port: 995
Outgoing Mail (SMTP) Server - requires TLS: smtp.gmail.com (use authentication)
Use Authentication: Yes
Use STARTTLS: Yes (some clients call this SSL)
Port: 465 or 587
There is no need to use smtp on port 25 with gmail. configure the client according to gmail's instructions and use 465 or 587.
jc
Frank Bulk - iNAME wrote: