[77739] in North American Network Operators' Group
Re: Time to check the rate limits on your mail servers
daemon@ATHENA.MIT.EDU (Todd Vierling)
Thu Feb 3 14:38:05 2005
Date: Thu, 3 Feb 2005 14:36:30 -0500 (EST)
From: Todd Vierling <tv@duh.org>
To: Jason Frisvold <xenophage0@gmail.com>
Cc: "Valdis.Kletnieks@vt.edu" <Valdis.Kletnieks@vt.edu>,
Gadi Evron <ge@linuxbox.org>,
Jørgen Hovland <jorgen@hovland.cx>,
nanog@merit.edu
In-Reply-To: <924f292805020311026f532cca@mail.gmail.com>
Errors-To: owner-nanog-outgoing@merit.edu
On Thu, 3 Feb 2005, Jason Frisvold wrote:
> > > prevents zombies from spamming. Unfortunately, it also blocks
> > > legitimate users from being able to use SMTP AUTH on a remote server..
> >
> > There's a *reason* why RFC2476 specifies port 587....
>
> I assume you're referring to the ability to block port 25 if 587 is
> used for submission. This is great in theory, but if this were the
> case, then the Trojan authors would merely alter their Trojan to use
> port 587.
If they authenticate.
Modulo a stupidity built-in to Sendmail (that Claus Assman ignorantly thinks
is a non-issue[*]), port 587 is not supposed to be used for endpoint MTA
delivery. It's a mail SUBMISSION port, which is supposed to mean that J.
Random Client isn't supposed to use it for delivery purposes.
===
[*] As of now, Sendmail doesn't require SMTP AUTH by default on
the MSA port; it treats 25 and 587 identically (so that things like
IP-based relay auth work without need for SMTP AUTH).
I sent an m4-only change to the Sendmail maintainers implementing a way
to make 587 allow only relay-authorized clients to send anything at all
by default -- whether IP-based relay auth, or SMTP AUTH, or any other
method built in to the relay-check code path. It was shot down by Claus
because he simply doesn't understand the issue and doesn't think
identical 25 and 587 ports are a threat.
--
-- Todd Vierling <tv@duh.org> <tv@pobox.com>
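A sendmail.mc fragment, added here as an illustration and not the author's rejected m4 patch, showing the stock MSA daemon definition (587 behaves like 25) beside one that adds the `a` modifier so the 587 listener refuses any client that has not completed SMTP AUTH. This covers only SMTP AUTH: clients that are relay-authorized by IP address, the other case the message wants 587 to honour, are still rejected with `M=Ea`, so it is a narrower fix than the one described.

```m4
dnl Default MSA listener as shipped: M=E only disables ETRN, so an
dnl unauthenticated client can hand mail to 587 exactly as it can to 25.
DAEMON_OPTIONS(`Port=submission, Name=MSA, M=E')dnl

dnl Hardened MSA listener: the added `a' modifier makes sendmail require
dnl SMTP AUTH before it accepts MAIL FROM on this port. Port 25 keeps the
dnl usual relay-check behaviour (IP-based relaying, AUTH, etc.).
DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl

dnl Port 25 stays a plain MTA listener for inbound delivery.
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
```

Rebuild sendmail.cf from the .mc with m4 and restart; check the generated `O DaemonPortOptions=Port=submission, Name=MSA, M=Ea` line to confirm the modifier survived.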