North American Network Operators Group


Re: Time to check the rate limits on your mail servers

  • From: Todd Vierling
  • Date: Thu Feb 03 14:39:10 2005

On Thu, 3 Feb 2005, Jason Frisvold wrote:

> > > prevents zombies from spamming.  Unfortunately, it also blocks
> > > legitimate users from being able to use SMTP AUTH on a remote server..
> >
> > There's a *reason* why RFC2476 specifies port 587....
>
> I assume you're referring to the ability to block port 25 if 587 is
> used for submission.  This is great in theory, but if this were the
> case, then the Trojan authors would merely alter their Trojan to use
> port 587.

If they authenticate.

Modulo a stupidity built in to Sendmail (that Claus Assmann ignorantly thinks
is a non-issue[*]), port 587 is not supposed to be used for endpoint MTA
delivery.  It's a mail SUBMISSION port, which is supposed to mean that J.
Random Client isn't supposed to use it for delivery purposes.

===

[*] As of now, Sendmail doesn't require SMTP AUTH by default on
    the MSA port; it treats 25 and 587 identically (so that things like
    IP-based relay auth work without need for SMTP AUTH).

    I sent an m4-only change to the Sendmail maintainers implementing a way
    to make 587 allow only relay-authorized clients to send anything at all
    by default -- whether IP-based relay auth, or SMTP AUTH, or any other
    method built in to the relay-check code path.  It was shot down by Claus
    because he simply doesn't understand the issue and doesn't think
    identical 25 and 587 ports are a threat.

-- 
-- Todd Vierling <[email protected]> <[email protected]>
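The split between a port 25 MTA and a port 587 MSA that the thread argues for, shown as a sendmail.mc fragment. This is an added example, not the poster's rejected m4 change and not part of the archived message; it assumes a sendmail 8.12 or later m4 configuration and uses only the stock DAEMON_OPTIONS modifiers.

```m4
dnl sendmail.mc fragment: separate MTA (port 25) and MSA (port 587) daemons.
dnl
dnl Stock behaviour (weak): 587 behaves exactly like 25. Any client may
dnl connect to either port, deliver to local recipients, or relay if its
dnl IP is listed RELAY in the access map. The two lines below are what
dnl the generated cf contains when you configure nothing:
dnl   DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
dnl   DAEMON_OPTIONS(`Port=submission, Name=MSA, M=E')dnl
dnl
dnl Hardened: drop the stock MSA definition and redefine 587 with the
dnl `a' modifier, so a session on 587 must complete SMTP AUTH before
dnl MAIL FROM is accepted. `E' keeps ETRN disabled on the MSA.
FEATURE(`no_default_msa')dnl
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
dnl
dnl `A' honours AUTH= only after a successful authentication; `p' refuses
dnl mechanisms open to passive capture (PLAIN, LOGIN) unless STARTTLS is
dnl already active on the session.
define(`confAUTH_OPTIONS', `A p')dnl
define(`confAUTH_MECHANISMS', `PLAIN LOGIN DIGEST-MD5 CRAM-MD5')dnl
TRUST_AUTH_MECH(`PLAIN LOGIN DIGEST-MD5 CRAM-MD5')dnl
```

The `a' modifier honours SMTP AUTH only, not RELAY entries in the access map, so hosts that rely on IP-based relaying must keep submitting on port 25; that is precisely the gap the poster's proposal (either form of relay authorization on 587) was meant to close.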