[146023] in North American Network Operators' Group


RE: Outgoing SMTP Servers

daemon@ATHENA.MIT.EDU (Brian Johnson)
Mon Oct 31 09:25:59 2011

From: Brian Johnson <bjohnson@drtel.com>
To: "nanog@nanog.org" <nanog@nanog.org>
Date: Mon, 31 Oct 2011 13:23:04 +0000
In-Reply-To: <CAD45i00-We=syA2Sh3UD0TAHfrLS16p2aO9uZYE=k-Lq35C20g@mail.gmail.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Bill,

Responses in-line...

>-----Original Message-----
>From: Bill Stewart [mailto:nonobvious@gmail.com]
>Sent: Friday, October 28, 2011 6:22 PM
>To: nanog@nanog.org
>Cc: Brian Johnson
>Subject: Re: Outgoing SMTP Servers
>

<snip>

>
>I've got a strong preference for ISPs to run a
>Block-25-by-default/Enable-when-asked.  As a purist, I'd prefer to
>have Internet connections that are actually Internet connections, and
>if you want to run email on a Linux box at home or have an Arduino in
>your refrigerator email the grocery when you're out of milk, you
>should be able to, and if some meddling kid at an ISP wants to block
>it, they should get off your lawn.  In practice, of course, somewhere
>between 99.9% and 99.999% of all home MTAs aren't Linux boxes or Macs,
>they're zombie spambots on home PCs, or occasional driveby wifi
>spammers or other pests, and not only should outgoing mail be blocked,
>but the user should be notified and the connection should probably be
>put into some kind of quarantined access.
>

This is, of course, exactly why this blocking is done.

>But that's for Port 25 - the Port 25 blocking by ISPs has largely
>pushed Email Service Providers to use other protocols such as 587 for
>mail submission from an MUA to the MTA, or webmail instead, and it's
>really bad practice for ISPs to interfere with that.  In some cases
>they'll still be sending spam, but that's the MTA's job to filter out,
>and if they don't, they'll end up on a bunch of RBLs.  (And generally
>they'll be trying to keep their mail clean themselves - if the MTA
>providers were spammers, they wouldn't need to go to the trouble of
>having actual residential users as customers when they could
>mass-produce it cheaper directly.)

For clarity it's really bad for ISPs to block ports other than 25 for the purposes of mail flow control... correct?

I would not block submission ports, specifically 587. More specifically, the only port I will block would be 25. The RFC actually says to use the submission port for the MUA to MTA anyways. RFC 5068 is definitive on this issue. Also read RFC 4409 and its predecessors.

My take on this is that it IS best practice to have users use the submission port (587) for mail submission from the MUA to an MTA.

Call me a liar! :)

- Brian


