North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Why do so few mail providers support Port 587?

  • From: Steven M. Bellovin
  • Date: Mon Feb 28 13:42:06 2005

In message <[email protected]>, Sean Donelan

>Requiring end-user computers to use authenticated Port 587 and blocking
>end-user computers access to port 25 has several advantages:
>	2. Lets the authenticated mail server conduct additional
>anti-virus checks on outgoing mail even if the end-user's computer was
>compromised or out-of-date virus definitions.
>	3. Separates authenticate mail submission (port 587) from other
>mail protocols (25, 110, 143, etc) simplfying network controls (no
>deep-packet inspection) for end-user computers.  Eliminates some of the
>existing problems with trying to do transparent proxying of port 25 from
>end-user computers.

What these two boil down it is a much simpler mail system architecture, 
which in turn translates to a more secure mail system and an 
easier-to-administer one.

Consider the control flow if you're trying to use port 25 for 

	Send a 220

	If you see an EHLO, advertise that you support STARTTLS

	If you receive a STARTTLS and another EHLO, advertise that
	you support AUTH -- you don't want to do authentication
	over insecure connections, especially if your goal is to
	support roaming wireless users.

	Accept inbound email.  Check if the user was authenticated.
	If so, permit relaying; also do rate checks.  If not, don't
	permit relaying, but do run anti-spam software.

	Do virus checks.  If authenticated, notify the sender that
	either their machine is infested with *something* or their
	credentials have been stolen.  If unauthenticated, discard;
	it's probably a joe job.

The point is that authenticated status has to be retained and checked

If you're using 587, the subscriber flow is like this:

	Send a 220

	Don't accept anything until you see STARTTLS

	Don't do anything until you see an AUTH

	Accept inbound mail, do rate checks and virus checks, and
	bounce accordingly

For port 25:

	Send a 220

	Optionally permit (but don't require) STARTTLS

	Accept inbound mail.  Do virus and spam checks, and drop
	as needed.  Don't permit relaying

Both are simpler; neither requires retained global state.