North American Network Operators Group


Re: Customer-facing ACLs

  • From: Justin Shore
  • Date: Tue Mar 11 00:18:56 2008


Ang Kah Yik wrote:

> However, considering the number of mobile workers out there who send email via their laptops to corporate SMTP servers, won't blocking outbound SMTP affect them?
>
> After all, there are also those who frequently move from place to place so they're going to have to keep changing SMTP servers every time they go to a new place that's on a different ISP.

Thanks for joining the discussion. Frankly I'd be surprised to find many corps with an externally-accessible SMTP server that would accept mail on tcp/25. The only way they'd do it is with SMTP AUTH which (hopefully) implies the use of SMTP TLS as well. I know of very few corps that actually do this. Most of the corps I can think of are either running Exchange and utilizing RPC over HTTP, simply point their users to their company's webmail server, or require that their users VPN back to HQ to access their internal MTA. The sites that I can think of with external user-accessible SMTP daemons are entities with highly technical users. They utilize SMTP AUTH, TLS, and the Mail Submission Port on tcp/587. I'm afraid they are in the minority though.


The MSP port is the best way to get around the blocks with decent MTAs. Your local MTA's support for other non-standard mechanisms for relaying mail from untrusted networks may also help with this problem (RPC over HTTP). Other than that I don't think there's enough demand for outgoing SMTP from the masses to warrant not blocking it. Redirecting generally takes care of that anyway.

Thanks for the input though.  All thoughts are welcome.
 Justin
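
An added example, not part of the original post: one way an operator could check that a submission service on tcp/587 follows the SMTP AUTH plus TLS pattern described above, by comparing its EHLO reply before and after STARTTLS. The host names, the sample replies and the function names are constructed for illustration.

```python
# Constructed sample EHLO replies from a hypothetical MSA on tcp/587.
PRE_TLS = (
    "250-mail.example.net Hello client.example.org\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 ENHANCEDSTATUSCODES\r\n"
)
POST_TLS = (
    "250-mail.example.net Hello client.example.org\r\n"
    "250-SIZE 52428800\r\n"
    "250-AUTH PLAIN LOGIN\r\n"
    "250 ENHANCEDSTATUSCODES\r\n"
)
# Constructed misconfigured reply: no STARTTLS, AUTH in cleartext (legacy "AUTH=" form).
WEAK_PRE = "250-mx.example.net\r\n250 AUTH=LOGIN PLAIN\r\n"

def parse_ehlo(reply):
    """Return {KEYWORD: [params]} from a multiline 250 EHLO reply (RFC 5321)."""
    caps = {}
    lines = [ln for ln in reply.splitlines() if ln]
    for i, line in enumerate(lines):
        code, sep, text = line[:3], line[3:4], line[4:]
        if code != "250" or sep not in ("-", " "):
            raise ValueError(f"not a 250 reply line: {line!r}")
        # "250-" marks a continuation line, "250 " the final line.
        if (sep == " ") != (i == len(lines) - 1):
            raise ValueError(f"bad continuation marker: {line!r}")
        words = text.split()
        if i == 0 or not words:
            continue  # first line is the greeting, not an extension
        # Some servers also advertise the legacy "AUTH=MECH ..." spelling.
        keyword, _, first = words[0].partition("=")
        caps[keyword.upper()] = ([first] if first else []) + words[1:]
    return caps

def audit_submission(pre_tls, post_tls):
    """Return findings for an MSA given its EHLO reply before and after STARTTLS."""
    pre, post = parse_ehlo(pre_tls), parse_ehlo(post_tls)
    findings = []
    if "STARTTLS" not in pre:
        findings.append("STARTTLS not offered")
    if "AUTH" in pre:
        findings.append("AUTH offered before TLS: " + " ".join(pre["AUTH"]))
    if "AUTH" not in post:
        findings.append("AUTH not offered after TLS")
    return findings
```

An empty list from audit_submission means the service offers STARTTLS and advertises AUTH only once the session is encrypted.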