[78314] in North American Network Operators' Group


Re: Why do so few mail providers support Port 587?

daemon@ATHENA.MIT.EDU (Nils Ketelsen)
Tue Mar 1 09:21:37 2005

Date: Tue, 1 Mar 2005 09:18:19 -0500
From: Nils Ketelsen <nils.ketelsen@kuehne-nagel.com>
To: nanog@merit.edu
Mail-Followup-To: nanog@merit.edu
In-Reply-To: <200502282213.j1SMDaXI015679@turing-police.cc.vt.edu>; from Valdis.Kletnieks@vt.edu on Mon, Feb 28, 2005 at 05:13:35PM -0500
Errors-To: owner-nanog@merit.edu


On Mon, Feb 28, 2005 at 05:13:35PM -0500, Valdis.Kletnieks@vt.edu wrote:

> On Mon, 28 Feb 2005 16:54:23 EST, Nils Ketelsen said:
> > An interesting theory. What is the substantial difference? For
> > me the security implications of "allowing the user to bypass our
> > mailsystem on port 25" and "allowing the user to bypass our mailsystem on
> > port 587" are not as obvious as they maybe are to you.
> 
> The big difference is that if they connect on outbound 25, they're basically
> unauthenticated at the other end.  Port 587 "should be" authenticated, which
> means that the machine making the connection out is presumably a legitimate
> user of the destination mail server.

Okay, the main difference seems to be:

1. People here trust that mailservers on port 587 will have
better configurations than mailservers on port 25 have today. I
do not share this positive attitude.

2. Port 587 mailservers only make sense when other providers block
port 25. My point is: If my ISP blocks any outgoing port, he is no longer
an ISP I will buy service from. Therefore I do not need a 587 mailserver,
as I do not use any ISP with port 25 blocking for connecting my sites or
users.

 
> If you're managing a corporate network, then yes, the distinction isn't
> that obvious, as you're restricting your own users.  If you're running an
> ISP, you're being paid to *connect* people to other places, and making it
> more difficult than necessary is.. well... a Randy Bush quote. ;)

I agree. Just as I said: If the ISP blocks (and I do not care which port
he blocks), then it's time to go and look for another ISP. If I buy
Internet I do not want a provider that decides for me which parts of it I
am allowed to use today and which I am not.

"Wehret den Anfaengen" is the German saying I currently cannot find a
good translation for.

Nils
