Re: [fw-wiz] SMTP forwarding question

From: Devdas Bhagat
Date: 10/01/04

  • Next message: Luke Butcher: "RE: [fw-wiz] DMZ Ideas"
    Date: Fri, 1 Oct 2004 04:04:33 +0530

    On 30/09/04 22:18 +0200, Nagy Attila wrote:
    > Marcus J. Ranum wrote:
    > > > The problem: there is a network from which all outgoing SMTP connections
    > > > should be handled by the company's mail gateway (virus and spam checking,
    > > > etc) BUT the roaming users must be able to use their companies' SMTP
    > > > server, possibly via SMTP AUTH (with or without starttls) and/or POP
    > > > before SMTP (or any other solutions which work over tcp/25).

    > > First off, that's a stupid policy - fortunately it's not mine so I
    > > won't say any more about it than what I already have...

    > I think the only reason you think it's stupid is that I've left out
    > an important piece of information:
    > the given company would be an ISP, which has a lot of problems about
    > their users spamming and flooding the world with viruses.

    So? We blocked port 25 outbound with no major issues earlier. Blocking
    port 25 for Windows users is probably the biggest favour that you can do
    for the Internet.

    > If the ISP blocks outgoing tcp/25, then all of its users who use other
    > SMTP servers on the internet (for example with POP before
    > SMTP or via SMTP AUTH) will not be able to use their server.

    That's what port 587/tcp is for.

    > I am aware of the fact, that a clear policy should be that every user
    > MUST send mail via, but as the Earth's shape is not
    > exactly round, the users say that if they cannot send mail from their
    > notebook from ISP A to ISP B (via authenticated SMTP) and it works from
    > ISP C, then they will choose ISP C, not A.
    > That's the problem. If ISP A blocks outgoing SMTP, the users have to
    > reconfigure their notebooks.

    Nope. They just need to be using 587/tcp from the beginning. Block port
    25, make it clear why you are doing that, and help the users understand
    why it is necessary.

    If you aren't, let us know the IP blocks that the users are assigned, and
    not the smarthosts. We will be more than glad to block dynamic IPs.

    > And users don't want this; instead they choose another ISP.
    > > This could probably be done with the proxy transparency rules of
    > > some old-school firewalls, or with redirector rules in a load-balancer.
    > Could you name any product which can store some state about the current
    > SMTP session, decide what we are talking about (authenticated SMTP to a
    > foreign ISP or a simple mail to anyone in the world) and route the
    > traffic either to the local mail server or transparently to the original one?

    You will end up writing your own. The alternative is to use something
    like AOL's system of forwarding port 25 to their own systems and
    hijacking the TCP connection.

    Devdas Bhagat
    firewall-wizards mailing list
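The "store some state about the current SMTP session" idea from the exchange above, as an added example that is not code from the thread or from any product mentioned in it: a small Python state tracker that follows one intercepted tcp/25 dialogue and decides whether the session is an authenticated submission (pass it through), an unauthenticated relay attempt (redirect it to the local gateway), or has gone opaque because the client negotiated STARTTLS first. Hostnames, credentials and the three transcripts are constructed for the example.

```python
"""Track the SMTP state a transparent tcp/25 redirector would need in order to
tell authenticated submission apart from an unauthenticated relay attempt.

Added example for this thread; hostnames and transcripts are constructed."""

# Routing decisions for one intercepted client session.
PASS_THROUGH = "pass-through"   # AUTH succeeded before MAIL FROM: let it reach the remote server
REDIRECT = "redirect"           # MAIL FROM with no AUTH: hand the session to the local gateway
OPAQUE = "opaque"               # STARTTLS accepted: everything after this is encrypted
UNDECIDED = "undecided"         # session ended before any of the above happened


class SmtpSessionClassifier:
    """Feed client ("C") and server ("S") lines in order; returns a decision once known."""

    def __init__(self):
        self.pending = None        # last client command still awaiting its final reply
        self.in_auth = False       # inside a SASL challenge/response exchange (334 replies)
        self.authenticated = False
        self.decision = None

    def feed(self, direction, line):
        if self.decision is not None:
            return self.decision
        line = line.rstrip("\r\n")
        if direction == "C":
            if self.in_auth:
                return None        # base64 SASL response, not an SMTP verb
            verb = line.split(None, 1)[0].upper() if line.strip() else ""
            self.pending = verb
            if verb == "MAIL":     # envelope starts: this is the moment to decide
                self.decision = PASS_THROUGH if self.authenticated else REDIRECT
            return self.decision
        # Server side: ignore anything that is not "NNN " or "NNN-".
        if len(line) < 3 or not line[:3].isdigit():
            return None
        code = line[:3]
        if len(line) > 3 and line[3] == "-":
            return None            # continuation line of a multi-line reply (EHLO banner)
        if self.pending == "STARTTLS" and code == "220":
            self.decision = OPAQUE # from here on the redirector cannot see AUTH or MAIL
        elif self.pending == "AUTH":
            if code == "334":
                self.in_auth = True
                return None        # keep AUTH pending until a final 2xx/5xx reply
            self.in_auth = False
            if code == "235":
                self.authenticated = True
        self.pending = None
        return self.decision


def classify_transcript(transcript):
    """transcript: text with one line per message, prefixed 'C: ' or 'S: '."""
    clf = SmtpSessionClassifier()
    for raw in transcript.strip().splitlines():
        direction, _, line = raw.partition(": ")
        decision = clf.feed(direction, line)
        if decision is not None:
            return decision
    return UNDECIDED


# Roaming user doing SMTP AUTH to their own ISP's server (constructed).
AUTH_SUBMISSION = """
S: 220 mail.isp-b.example ESMTP
C: EHLO notebook
S: 250-mail.isp-b.example
S: 250-AUTH PLAIN LOGIN
S: 250 8BITMIME
C: AUTH PLAIN AGFsaWNlAHNlY3JldA==
S: 235 2.7.0 Authentication successful
C: MAIL FROM:<alice@isp-b.example>
"""

# Infected host delivering straight to a remote MX, no AUTH at all (constructed).
DIRECT_TO_MX = """
S: 220 mx.victim.example ESMTP
C: HELO zombie
S: 250 mx.victim.example
C: MAIL FROM:<spammer@example.com>
"""

# Same roaming user, but STARTTLS first: the redirector is blind from here on (constructed).
TLS_FIRST = """
S: 220 mail.isp-b.example ESMTP
C: EHLO notebook
S: 250-mail.isp-b.example
S: 250 STARTTLS
C: STARTTLS
S: 220 2.0.0 Ready to start TLS
"""

if __name__ == "__main__":
    for name, t in [("auth", AUTH_SUBMISSION), ("direct", DIRECT_TO_MX), ("tls", TLS_FIRST)]:
        print(name, "->", classify_transcript(t))
```

The OPAQUE outcome is the catch: a client that issues STARTTLS before AUTH (which is exactly what a sensibly configured mail client does) hides the rest of the dialogue from any in-path redirector, so the classifier can never reliably separate the two cases on the wire. That is the practical reason the reply above points at tcp/587 instead of at a product.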
