[145885] in North American Network Operators' Group
Re: Outgoing SMTP Servers
daemon@ATHENA.MIT.EDU (Owen DeLong)
Tue Oct 25 18:00:18 2011
In-Reply-To: <CAAAas8EwPjo0ju9nz8av7ov2EUVV3ryBWDfYD+O_UZY5SUkpyA@mail.gmail.com>
From: Owen DeLong <owen@delong.com>
Date: Tue, 25 Oct 2011 15:56:17 -0600
To: Mike Jones <mike@mikejones.in>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
No no no no no.
The problem with your theory below is that:
1. It is by far best for users to authenticate to send mail.
2. Your "solution" works only for unencrypted unauthenticated users that ignore the certificate presented by the mail server.
Put another way, your mechanism rewards those doing the wrong thing while punishing those of us sending our email via encrypted and authenticated mechanisms.
That's a very bad thing.
Owen
Sent from my iPhone
On Oct 25, 2011, at 15:03, Mike Jones <mike@mikejones.in> wrote:
> On 25 October 2011 20:52, Alex Harrowell <a.harrowell@gmail.com> wrote:
>> Ricky Beam <jfbeam@gmail.com> wrote:
>>
>>> Works perfectly even in networks where a VPN doesn't and the idiot
>>> hotel
>>> intercepts port 25 (not blocks, redirects to *their* server.)
>>>
>>> --Ricky
>>
>> Why do they do that?
>>
>
> My home ISP runs an open relay on port 25 with IP-based authentication,
> so I might configure my laptop's email client to send email via
> smtp.myisp.com port 25 (many/most? residential ISPs have
> unauthenticated relays, even ISPs that tell you to use authentication
> often have another server next to it that doesn't need authentication
> for customer IP space)
>
> If the hotel simply blocks port 25 then my email is broken, if they
> allow it then my email is broken (as my ISP doesn't let the hotel
> relay through their mail servers), however if the hotel redirects 25
> to their own open relays then in theory my email should work fine.
>
> They could always tell people "there is a relay at 10.0.0.25 so you
> can change your settings to use that", however by redirecting all port
> 25 traffic there they are effectively forcibly auto-configuring anyone
> who was already configured to send via an unauthenticated server on
> port 25. They are probably acting under the assumption that the only
> people using 25 are using it for unauthenticated access, I believe
> most servers that do use authentication tell users to use alternate
> ports so this is probably a reasonable assumption.
>
> Compared to straight blocking of port 25 it's probably better as long
> as the relay it is redirecting you to works properly so you don't have
> to try and diagnose issues - However considering the quality of the
> average hotel network I suspect most of them that are trying to do
> this probably have it set to redirect to a dead server anyway.
>
> - Mike
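Added example (not from anyone in this thread): a small client-side check for the two behaviours discussed above, namely a hotel network transparently redirecting port 25 to its own relay, and Owen's point that authenticated submission over a verified TLS connection is not fooled by such a redirect. The 220 greeting strings, the hostnames `smtp.myisp.com` and `relay.hotel-wifi.example`, and the helper names are all constructed for illustration.

```python
import smtplib
import ssl

# Constructed sample greetings (not captured from any real server): the first
# line a client reads after connecting to port 25 of the configured relay.
LEGIT_GREETING = "220 smtp.myisp.com ESMTP Postfix"
REDIRECTED_GREETING = "220 relay.hotel-wifi.example ESMTP ready"


def greeting_host(greeting: str) -> str:
    """Return the hostname a server announces in its SMTP 220 greeting.

    RFC 5321 section 4.2 puts the server's domain as the first word after the
    reply code; anything after it is free-form text.
    """
    parts = greeting.strip().split()
    if len(parts) < 2 or not parts[0].startswith("220"):
        raise ValueError(f"not a 220 greeting: {greeting!r}")
    return parts[1].lower()


def redirect_suspected(greeting: str, expected_host: str) -> bool:
    """True when the announced host is neither the expected relay nor one of its subdomains.

    This is only a heuristic: a plaintext greeting is unauthenticated, so a
    redirecting relay could copy the expected name.  It is useful for spotting
    the accidental "hotel relay on port 25" case, not a deliberate attacker.
    """
    host = greeting_host(greeting)
    expected = expected_host.lower()
    return not (host == expected or host.endswith("." + expected))


def submission_context() -> ssl.SSLContext:
    """TLS settings that make a redirected connection fail instead of silently succeed.

    With check_hostname and CERT_REQUIRED, a relay that is not the configured
    server cannot present a certificate that verifies for its name, so
    starttls() raises rather than handing the credentials to the wrong host.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def send_authenticated(host, user, password, mail_from, rcpt, message, port=587):
    """Submit mail on the submission port with STARTTLS and authentication.

    Network call; not exercised offline.  On an intercepted connection the
    starttls() step raises ssl.SSLCertVerificationError and nothing is sent.
    """
    with smtplib.SMTP(host, port, timeout=20) as smtp:
        smtp.ehlo()
        smtp.starttls(context=submission_context())
        smtp.ehlo()
        smtp.login(user, password)
        smtp.sendmail(mail_from, [rcpt], message)


if __name__ == "__main__":
    for greeting in (LEGIT_GREETING, REDIRECTED_GREETING):
        flag = "REDIRECT?" if redirect_suspected(greeting, "smtp.myisp.com") else "ok"
        print(f"{greeting_host(greeting):32} {flag}")
```

The greeting check is the cheap, unauthenticated diagnostic for the unauthenticated-relay setup Mike describes; the `submission_context()` settings are what makes the authenticated port-587 path fail closed, which is the property Owen is relying on. A client configured that way never completes the login against a relay it did not intend to talk to.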