[145930] in North American Network Operators' Group


Re: Outgoing SMTP Servers

daemon@ATHENA.MIT.EDU (Leigh Porter)
Wed Oct 26 18:43:43 2011

From: Leigh Porter <leigh.porter@ukbroadband.com>
To: Mark Andrews <marka@isc.org>
Date: Wed, 26 Oct 2011 22:43:56 +0000
In-Reply-To: <20111026221141.CD45515FDD78@drugs.dv.isc.org>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On 26 Oct 2011, at 23:13, "Mark Andrews" <marka@isc.org> wrote:

> 
> In message <op.v3y8xvo6tfhldh@rbeam.xactional.com>, "Ricky Beam" writes:
>> On Tue, 25 Oct 2011 15:52:46 -0400, Alex Harrowell <a.harrowell@gmail.com> 
>> wrote:
>>> Why do they do that?
>> 
>> You'd have to ask them.  Or more accurately, you'd need to ask their 
>> system integrator -- I've never seen an "in house" network run like that. 
>> (and for the record, they were charging for that shitty network access.)
>> 
>> Bottom line: Blocking port 25 (smtp) is undesirable, but necessary for a 
>> modern consumer internet. (Translation: It f'ing works.) This is the ISP 
>> saying, "You aren't a mail *server*." 
> 
> MTA == Mail Transfer Agent.  You don't have to be a *server* to be
> a MTA.  Blocking SMTP also prevents your customers running encrypted
> mail sessions to prevent nosy ISP's and others looking at what they
> are sending.  With DNSSEC now being deployed and DANE being
> standardised, running a SMTP session with STARTTLS is being a
> reality.
> 


This is what I used to do.

Any outgoing port 25 was sunk into a pool of SMTP proxies that I wrote. These proxies would look for signs of authentication and if they found them, the session would be proxied to the original destination SMTP server from the same IP address of the originating host.

Anything else was proxied to the pool of Ironports which would rate limit and otherwise SPAM examine the mail.

That way people using authenticated servers would be allowed through on the assumption that in all likelihood they were OK. Others who do not auth or are SPAM bots would be scrubbed and rate limited quite severely.

Our own customers were encouraged to use our outbound SMTP hosts which would either authenticate them if external or just allow them if internal, but with the SPAM scrubbing and less severe rate limiting enabled.

Customers who need a higher volume of outbound mail can call us and authenticate to the SMTP servers and we can set them a bespoke profile for rate limiting and message size etc.

That worked rather well because people's email got out and SPAM was largely stopped.

The Ironports were darn good boxes if a little pricey.

--
Leigh Porter


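The triage described in the post above, modelled as an added Python example (not Leigh Porter's proxy code): it reads the client's SMTP commands in the clear and decides whether a session is passed through to its original destination or diverted to the scrubbing pool, then picks a rate-limit profile. The rate-limit numbers, the bespoke-profile table and the handling of STARTTLS (diverted to the scrub pool, since the proxy cannot see an AUTH once TLS is up) are this example's own assumptions.

```python
"""Triage of intercepted outbound port-25 sessions (added example, not the
proxy from the post).  The proxy watches the client's commands in the clear
until it can decide: a session that authenticates is passed through to the
original destination, anything else goes to the rate-limiting scrub pool."""
from dataclasses import dataclass

PASSTHROUGH = "passthrough"  # relay to the original MX, source IP preserved
SCRUB = "scrub"              # divert to the anti-spam / rate-limit pool
OPAQUE = "opaque"            # STARTTLS before AUTH: proxy can no longer inspect


@dataclass(frozen=True)
class Profile:
    route: str
    msgs_per_hour: int   # 0 means "not limited by us"
    max_msg_bytes: int


# Constructed numbers; the real limits are not stated in the post.
DEFAULT_SCRUB = Profile(SCRUB, 20, 2_000_000)      # severe, for unauth'd sessions
PASS = Profile(PASSTHROUGH, 0, 0)                  # trust the remote server's auth
# Constructed "bespoke" profiles for customers who called in, keyed by source IP.
BESPOKE = {"192.0.2.10": Profile(SCRUB, 5000, 50_000_000)}


def classify(client_lines):
    """Return PASSTHROUGH, SCRUB, OPAQUE, or None if more input is needed.

    Decision points, in the order the client reaches them:
      AUTH      -> passthrough (a sign of a real submission client)
      STARTTLS  -> opaque (anything after this is hidden from the proxy)
      MAIL FROM -> scrub (the client started a transaction without any auth)
    """
    for line in client_lines:
        verb = line.strip().split(" ", 1)[0].upper()
        if verb == "AUTH":
            return PASSTHROUGH
        if verb == "STARTTLS":
            return OPAQUE
        if verb == "MAIL":
            return SCRUB
    return None


def profile_for(src_ip, client_lines):
    """Map a session to a Profile; OPAQUE falls back to the scrub pool
    (assumption: better to over-scrub than to let a bot hide behind TLS)."""
    route = classify(client_lines)
    if route is None:
        return None
    if route == PASSTHROUGH:
        return PASS
    return BESPOKE.get(src_ip, DEFAULT_SCRUB)
```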

