[107673] in North American Network Operators' Group
Re: ingress SMTP
daemon@ATHENA.MIT.EDU (Joel Jaeggli)
Wed Sep 10 20:22:42 2008
Date: Wed, 10 Sep 2008 17:20:58 -0700
From: Joel Jaeggli <joelja@bogus.com>
To: "Jay R. Ashworth" <jra@baylink.com>
In-Reply-To: <20080903190015.GS8979@cgi.jachomes.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org
Jay R. Ashworth wrote:
> On Wed, Sep 03, 2008 at 12:58:53PM -0400, Nicholas Suan wrote:
>> On Sep 3, 2008, at 12:49 PM, Jay R. Ashworth wrote:
>>> You're forgetting that 587 *is authenticated, always*.
>> I'm not sure how that makes much of a difference since the usual spam
>> vector is malware that has (almost) complete control of the machine
>> in the first place.
>
> Well, that depends on MUA design, of course, but it's just been pointed
> out to me that the RFC says MAY, not MUST.
>
> Oops.
>
> Does anyone bother to run an MSA on 587 and *not* require authentication?
All my normal relay or lack thereof and delivery rules are in place on
my 587 port. Of course muas's and mtas will also do tls as well as
authentication over port 25 where available. I don't sea any reason to
preclude a host that would be allowed to relay via 25 to do so via 587...
Congruent policy makes administration simpler.
> Cheers,
> -- jra
