Customer-facing ACLs


Date: Tue, 11 Mar 2008 07:58:01 +0800
From: Ang Kah Yik <>
Subject: Customer-facing ACLs

Hi Justin (and all others on-list)

I understand your grounds for blocking outbound SMTP for your customers
(especially those on dynamic IP connections).
It probably will do good to block infected customers that are spewing
spam all over the world.

However, considering the number of mobile workers out there who send
email via their laptops to corporate SMTP servers, won't blocking
outbound SMTP affect them?

Since these corporate types (I'm guessing here) are probably unaware of
how to change their email client's SMTP configurations, chances are
blocking outbound SMTP will probably cause quite a lot of pain.

After all, there are also those who frequently move from place to place
so they're going to have to keep changing SMTP servers every time they
go to a new place that's on a different ISP.

--
ANG Kah Yik (bangky)


One would hope mobile commuters are using something more secure
than just raw SMTP to send e-mail if their network admins have
any sense. The usual combination requires a POP connection first
or uses a port other than 25 to send. As a customer my home DSL
service provider (SBC) blocks port 25 by default. Many firewalls can
be programmed to allow 'related' connections, i.e. if a POP connection
is opened then allow the SMTP connection.

The real solution is to move to IMAP or MSA (port 587) or the latest
MS Exchange protocol (whatever it is).

As for blocking FTP and SSH, it would depend A LOT on your customer base.

As a content provider we do not allow raw NetBIOS into our network.
Anyone that wants to use remote file sharing to work on their Windows server
is encouraged (Whips and Chains if necessary) to use a VPN tunnel.

If you are going to block something, block port 135 both directions.
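The policy the two posts above converge on (deny outbound SMTP on port 25 from the dynamic customer pool, leave submission on 587 open, optionally treat SMTP as 'related' to a preceding POP session, and deny port 135 in both directions) can be written out as a first-match ACL and checked against sample flows. The following is an added illustration, not code from the thread or from any of the posters' networks; it models Cisco-style first-match evaluation in plain Python, and the address ranges (RFC 5737 documentation space), the `related_to` field and the `evaluate` function are assumptions made for the example.

```python
"""Toy first-match ACL evaluator for the customer-facing policy discussed in
the thread. Addresses are constructed RFC 5737 documentation ranges."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple, Union

CUSTOMER_POOL = "192.0.2.0/24"    # constructed: dynamic-IP customer pool
PROVIDER_NET = "198.51.100.0/24"  # constructed: the provider's own servers
NETBIOS_PORTS = range(137, 140)   # NetBIOS name/datagram/session (137-139)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                              # "permit" or "deny"
    src: Optional[str]                       # CIDR, or None for "any"
    dst: Optional[str]                       # CIDR, or None for "any"
    dport: Union[int, range, None]           # port, port range, or None for any
    related_to: Optional[int] = None         # assumption: only match if this
                                             # src already got a permit to this
                                             # port (POP-before-SMTP style)
    comment: str = ""

    def matches(self, pkt: Packet, state: set) -> bool:
        if self.src and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if isinstance(self.dport, int) and pkt.dport != self.dport:
            return False
        if isinstance(self.dport, range) and pkt.dport not in self.dport:
            return False
        if self.related_to is not None and (pkt.src, self.related_to) not in state:
            return False
        return True


# ACL applied to traffic arriving FROM customers, first match wins.
FROM_CUSTOMERS = [
    Rule("deny", None, None, 135, comment="block 135 both directions"),
    Rule("deny", None, PROVIDER_NET, NETBIOS_PORTS, comment="no raw NetBIOS in"),
    Rule("permit", CUSTOMER_POOL, None, 587, comment="submission (MSA) stays open"),
    Rule("permit", CUSTOMER_POOL, None, 25, related_to=110,
         comment="'related' exception: POP session seen first"),
    Rule("deny", CUSTOMER_POOL, None, 25, comment="outbound SMTP from dynamic pool"),
    Rule("permit", None, None, None, comment="everything else"),
]

# ACL applied to traffic going TO customers.
TO_CUSTOMERS = [
    Rule("deny", None, None, 135, comment="block 135 both directions"),
    Rule("permit", None, None, None, comment="everything else"),
]


def evaluate(acl, pkt: Packet, state: set) -> Tuple[str, str]:
    """Return (action, comment) of the first matching rule; implicit deny if
    none matches. Permitted flows are recorded in `state` so later rules can
    treat a connection as 'related' to an earlier one."""
    for rule in acl:
        if rule.matches(pkt, state):
            if rule.action == "permit":
                state.add((pkt.src, pkt.dport))
            return rule.action, rule.comment
    return "deny", "implicit deny"


def demo() -> dict:
    """Walk a roaming laptop (constructed 192.0.2.10) through the scenarios."""
    state: set = set()
    laptop, corp_mail, provider_host = "192.0.2.10", "203.0.113.5", "198.51.100.7"
    results = {}
    results["smtp_cold"] = evaluate(FROM_CUSTOMERS, Packet(laptop, corp_mail, 25), state)[0]
    results["submission"] = evaluate(FROM_CUSTOMERS, Packet(laptop, corp_mail, 587), state)[0]
    results["pop"] = evaluate(FROM_CUSTOMERS, Packet(laptop, corp_mail, 110), state)[0]
    results["smtp_after_pop"] = evaluate(FROM_CUSTOMERS, Packet(laptop, corp_mail, 25), state)[0]
    results["netbios_in"] = evaluate(FROM_CUSTOMERS, Packet(laptop, provider_host, 139), state)[0]
    results["rpc_to_customer"] = evaluate(TO_CUSTOMERS, Packet(corp_mail, laptop, 135), state)[0]
    results["web_out"] = evaluate(FROM_CUSTOMERS, Packet(laptop, corp_mail, 443), state)[0]
    return results


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name:16s} {action}")
```

Rule order is the whole point: the 587 permit and the 'related' permit must sit above the port-25 deny, otherwise a roaming user who has done everything right is still cut off, which is exactly the pain the first post worries about.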