[107454] in North American Network Operators' Group
ingress SMTP
daemon@ATHENA.MIT.EDU (Keith Medcalf)
Wed Sep 3 20:39:29 2008
Date: Wed, 03 Sep 2008 20:34:12 -0400
From: "Keith Medcalf" <kmedcalf@dessus.com>
To: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
> On Wed, Sep 03, 2008 at 12:58:53PM -0400, Nicholas Suan wrote:
> > On Sep 3, 2008, at 12:49 PM, Jay R. Ashworth wrote:
> > >You're forgetting that 587 *is authenticated, always*.
> > I'm not sure how that makes much of a difference since the
> > usual spam vector is malware that has (almost) complete
> > control of the machine in the first place.
> Well, that depends on MUA design, of course, but it's just
> been pointed out to me that the RFC says MAY, not MUST.
> Oops.
> Does anyone bother to run an MSA on 587 and *not* require
> authentication?
Raises hand.
Why would the requirements for authentication be different depending on the=
port used to connect to the MTA?
No matter how a session comes into the MTA (port 25, 465, 587, anything els=
e) and no matter whether it is encrypted or not, the requirement for authen=
tication (which is always available and advertized), is based on a simple p=
olicy:
- local delivery originating from a non-blacklisted or "internal/customer"=
address does not require authentication;
- relay from "internal/customer" IP Addresses does not require authenticat=
ion;
- any connection from a blacklisted IP requires authentication or no mail =
will be accepted;
- relay from "external/non-customer" IP Addresses requires authentication;
Is there a valid reason why a different configuration is justified?
As an aside, outbound port 25 traffic is also blocked except from the MTA.
