North American Network Operators Group

Re: Time to check the rate limits on your mail servers
On Thu, 3 Feb 2005, Jason Frisvold wrote:

> > > prevents zombies from spamming.  Unfortunately, it also blocks
> > > legitimate users from being able to use SMTP AUTH on a remote server..
> >
> > There's a *reason* why RFC2476 specifies port 587....
>
> I assume you're referring to the ability to block port 25 if 587 is
> used for submission.  This is great in theory, but if this were the
> case, then the Trojan authors would merely alter their Trojan to use
> port 587.

If they authenticate.

Modulo a stupidity built-in to Sendmail (that Claus Assman ignorantly thinks
is a non-issue[*]), port 587 is not supposed to be used for endpoint MTA
delivery.  It's a mail SUBMISSION port, which is supposed to mean that
J. Random Client isn't supposed to use it for delivery purposes.

===

[*] As of now, Sendmail doesn't require one of SMTP AUTH auth by default on
the MSA port; it treats 25 and 587 identically (so that things like IP-based
relay auth work without need for SMTP AUTH).

I sent a m4-only change to the Sendmail maintainers implementing a way to
make 587 allow only relay-authorized clients to send anything at all by
default -- whether IP-based relay auth, or SMTP AUTH, or any other method
built in to the relay-check code path.  It was shot down by Claus because he
simply doesn't understand the issue and doesn't think identical 25 and 587
ports is a threat.

-- 
-- Todd Vierling <[email protected]> <[email protected]>
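An added example, not part of the original message and not Sendmail project code: a small audit of a sendmail.mc file that flags a submission listener accepting mail without SMTP AUTH, the condition the footnote above describes. It relies on Sendmail's documented `a` daemon modifier (always require authentication), which is narrower than the relay-check change the message describes; the function names and both sample configs are constructed for illustration.

```python
import re

# Constructed sample configs (not from the original post).
DEFAULT_MC = """\
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
"""
HARDENED_MC = """\
FEATURE(`no_default_msa')dnl
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
DAEMON_OPTIONS(`Port=587, Name=MSA, M=Ea')dnl
"""

DAEMON_RE = re.compile(r"DAEMON_OPTIONS\(`([^']*)'\)")
SUBMISSION_PORTS = {"587", "submission"}


def active_lines(mc_text):
    """Drop whole-line m4 comments (lines starting with dnl)."""
    return [l for l in mc_text.splitlines() if not l.lstrip().startswith("dnl")]


def parse_daemon_options(mc_text):
    """Return one dict of lower-cased option keys per DAEMON_OPTIONS line."""
    daemons = []
    for line in active_lines(mc_text):
        m = DAEMON_RE.search(line)
        if m:
            pairs = (item.partition("=") for item in m.group(1).split(","))
            daemons.append({k.strip().lower(): v.strip() for k, sep, v in pairs if sep})
    return daemons


def audit_msa(mc_text):
    """List submission listeners that accept mail without SMTP AUTH."""
    findings = []
    if not any("FEATURE(`no_default_msa')" in l for l in active_lines(mc_text)):
        findings.append("built-in MSA enabled: port 587 runs with M=E, AUTH not required")
    for d in parse_daemon_options(mc_text):
        if d.get("port", "").lower() not in SUBMISSION_PORTS:
            continue
        mods = d.get("m", d.get("modifiers", ""))
        # 'a' = always require authentication; 'A' = AUTH disabled (overrides 'a').
        if "a" not in mods or "A" in mods:
            findings.append("port %s (%s): AUTH not required" % (d["port"], d.get("name", "unnamed")))
    return findings


if __name__ == "__main__":
    for label, text in (("default", DEFAULT_MC), ("hardened", HARDENED_MC)):
        print(label, audit_msa(text) or "ok")
```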