North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: Why do so few mail providers support Port 587?

  • From: Sean Donelan
  • Date: Sat Feb 26 00:25:25 2005

On Fri, 25 Feb 2005 [email protected] wrote:
> Sorry, I misread that.  But I still fail to see how 587 changes that.
> Trojans, viruses, etc. etc. etc. can still exploit the authentication
> system regardless of what port it operates on.  Different port, same old
> problems.

Sigh, if even the network professionals have difficulty understanding
how things work, what hope is there for the rest of the users.

Requiring end-user systems to use only authentication port 587 to
send outbound mail means even if they are infected with trojans, viruses,
etc, they will only be able to send mail via the (few) mail servers on
which they have an authenticated account.  Hopefully, then the local
mail administrator could run server-based anti-virus/anti-spam checks on
the outgoing e-mail from authenticated local users (including those users
which may have had their anti-virus/anti-spam software compromised on
the PC) before forwarding it to other mail servers on the Internet.

When end-users systems have direct access to port 25 on all Internet
mail servers, an end-user system infected with a trojan, viruses, etc
will send mail to other mail servers on the Internet directly without
needing to authenticate itself because mail servers still need to accept
unauthenticated mail from anywhere for local delivery on Port 25. Waiting
for complaints, installing network sniffers (assuming you can find a
sniffer big enough) or conducting intrusive scans of the user's computers
tends to be re-active rather than pro-active; and can result in a
trojan or virus sending large quantities of mail directly from the
infected computer.

Of course, it would be great news and a good goal if end-user computers
were never compromised and their anti-virus definitions were always up
to date, and so on.  But that is a bit unrealistic for unmanaged end-user

Requiring end-user computers to use authenticated Port 587 and blocking
end-user computers access to port 25 has several advantages:

	1. Reduces the number of mail servers to which an infected
end-user computer has direct access without authentication.  They still
have indirect access if their authenticated mail server forwards it
without further checks.
	2. Lets the authenticated mail server conduct additional
anti-virus checks on outgoing mail even if the end-user's computer was
compromised or out-of-date virus definitions.
	3. Separates authenticate mail submission (port 587) from other
mail protocols (25, 110, 143, etc) simplfying network controls (no
deep-packet inspection) for end-user computers.  Eliminates some of the
existing problems with trying to do transparent proxying of port 25 from
end-user computers.
	4. Allows the source network to make exceptions for individual
addresses instead of trying to modify DUL RBL's used by destination
mail servers if an end-user runs their own mail server.
	5. Lets a roaming end-user computer use the same mail
configuration when it is on its "home" network or on a "remote" network to
access its primary authenticated mail server instead of needing to change
to a different local network mail server. If all your users always
use a VPN, this may be less important.

But if none of those change you mind, nothing can force you to offer
Port 587 authenticated mail submmission, VPN or web mail access for
your users.  If you choose not too, that is between you and your users.
There is a good chance your users will experience problems when traveling
or roaming unless you offer some of those alternatives.