[67584] in North American Network Operators' Group
SMTP relaying policies for Commercial ISP customers...?
daemon@ATHENA.MIT.EDU (Dan Ellis)
Fri Feb 13 09:01:24 2004
Date: Fri, 13 Feb 2004 09:00:04 -0500
From: "Dan Ellis" <ellis@corp.ptd.net>
To: <nanog@merit.edu>
Errors-To: owner-nanog-outgoing@merit.edu
My apologies for another annoying SMTP thread.

So, while considering enabling SMTPAUTH for all our customers, I'm
planning on placing firm policy on relaying. We're a regional broadband
ISP/MSO that also serves a significant number of educational and
commercial cable/DSL connections as well as a large number of
T1/T3/OC3/Ethernet customers.

That leaves me needing to define how we will handle 3 situations:
1) Residential (a few dynamic IP computers)
2) Broadband Commercial (Static IP and a few forwarded IP's, a
dozen end user PC's)
3) Dedicated commercial customers (t1/ds3/Ethernet/oc3)

HISTORY: Old school thought was that as long as you are on an ISP's IP
space, you can use them to relay. This made it easy for roamers as
everyone would use the ISP's mailserver for outbound, and their
mailserver for inbound. Yes - there was always a fuzzy line for
t1/ds3/oc3 customers because some ISP's allowed their space to relay and
some did not. I'm trying to determine what the "new school" thoughts
are.

Below are my thoughts and concerns on each. I'm interested in hearing
what others have implemented regarding policy, what the large NSP's have
implemented, and what your thoughts are.

1) Residential Policy: Enable SMTPAUTH and disallow relaying
unless the customer has a valid username/password. If you're not paying
for a mailbox, you don't get to relay outbound. This should not break
anything except those residential accounts that *should* be commercial
anyway.
2) Broadband commercial: This is the difficult one. These are the
customers that aren't big enough to rightfully run their own mailserver,
but they are big enough to have roaming users on their networks (coffee
shops, branch offices, hotels, SOHO....). They expect relaying service
for either their mailserver or for all their various PC's. At the same
time, they don't have many, if any mailboxes through the ISP. My
thought is that they should ONLY be allowed to relay via SMTPAUTH by
using a residential mailbox login/pass OR they need to purchase a
commercial relay service (expensive because of the openness of it) for
their IP space.
3) T1+ : These customers should not be allowed to relay unless
they purchase (expensive) relay services for their IP space. Of course,
they can always use a residential mailbox, but will have to use SMTPAUTH
for it and will be restrained by the same policies residential mailboxes
have (low tolerance tarpitting,...).

As always, thanks in advance.
--Dan

--
Daniel Ellis, CTO, PenTeleData
(610)826-9293
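
The three tiers proposed in the message above reduce to two checks on the mail server: a verified SMTP AUTH mailbox, or a source address inside a range that has purchased relay service. The Python sketch below is an added example, not part of the original post; the networks, domain, function names, the choice to test the purchased range before AUTH, and the assumption that purchased relay is not tarpitted are all assumptions of this example.

```python
import ipaddress
from typing import NamedTuple, Optional

# Constructed sample data: documentation address ranges and an example domain.
ISP_NETS = [ipaddress.ip_network("198.51.100.0/24"),
            ipaddress.ip_network("203.0.113.0/24")]
PAID_RELAY_NETS = [ipaddress.ip_network("203.0.113.16/28")]  # bought relay service
LOCAL_DOMAINS = {"isp.example"}  # domains this server accepts mail for


class Decision(NamedTuple):
    accept: bool
    tarpit: bool  # residential-mailbox limits (e.g. tarpitting) apply
    reason: str


def _in_any(ip, nets):
    return any(ip in net for net in nets)


def relay_decision(client_ip: str, rcpt: str,
                   auth_user: Optional[str] = None) -> Decision:
    """Decide one RCPT TO. auth_user is the mailbox already verified by
    SMTP AUTH, or None when the session is unauthenticated."""
    ip = ipaddress.ip_address(client_ip)
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if domain in LOCAL_DOMAINS:
        # Inbound delivery to our own users is not relaying.
        return Decision(True, False, "local delivery")
    # Assumption of this example: a purchased range is tested before AUTH.
    if _in_any(ip, PAID_RELAY_NETS):
        return Decision(True, False, "purchased relay for IP space")
    if auth_user:
        # Any customer class, on-net or roaming, relays under mailbox limits.
        return Decision(True, True, "SMTP AUTH mailbox")
    # The "old school" rule is gone: an ISP address alone grants nothing.
    if _in_any(ip, ISP_NETS):
        return Decision(False, False, "on-net but unauthenticated")
    return Decision(False, False, "off-net and unauthenticated")
```
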