Re: [fw-wiz] SMTP forwarding question

From: Jim Seymour (jseymour_at_linxnet.com)
Date: 10/01/04

  • Next message: Mark Tinberg: "Re: [fw-wiz] Log checking?"
    To: firewall-wizards@honor.icsalabs.com
    Date: Thu, 30 Sep 2004 19:33:08 -0400 (EDT)
    
    

    Nagy Attila <bra@fsn.hu> wrote:
    >
    [snip]
    > I think the only thing why you think it's stupid is that I've left off
    > an important information:
    > the given company would be an ISP, which has a lot of problems about
    > their users spamming and flooding the world with viruses.

    Gee, just a small detail, eh?

    >
    > If the ISP blocks outgoing tcp/25, then all of its users who use other
    > SMTP servers on the internet (for example mail.ispB.com with POP before
    > SMTP or via SMTP AUTH) will not be able to use their server.

    Almost the same answer I gave before, except for the pop3 part. Port
    25 should be blocked except to your SMTP servers. Only exception is
    static IP assignments that are *not* buried in otherwise dynamic
    blocks. (Usually business, small-office/home-office class services.)

    All others must use port 465 (smtps) or 587 (submission).

    >
    > I am aware of the fact, that a clear policy should be that every user
    > MUST send mail via mail.ispA.com, but as the Earth's shape is not
    > exactly round, the users say that if they cannot send mail from their
    > notebook from ISP A to ISP B (via authenticated SMTP) and it works from
    > ISP C, then they will choose ISP C, not A.
    [snip]

    ISP C will block port 25, sooner-or-later, or ISP C will find its
    traffic widely refused on the Internet.

    The days of allowing random machines to make random connections on port
    25 are fast coming to an end. You can thank spammers and uncle Bill
    for that.

    Jim
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


  • Next message: Mark Tinberg: "Re: [fw-wiz] Log checking?"