North American Network Operators Group


Re: ingress SMTP

  • From: Mark Foster
  • Date: Fri Sep 12 23:17:06 2008


Blocking port 25 has become popular, not only with
walled-garden connectivity services that are really scared of their
customers running their own servers (e.g. most cable modem companies),
but also with other ISPs that don't want to deal with the problems
of having customers who are spamming (whether deliberate or zombified.)
So anybody buying something lower-priced than a T1 typically needs to
have a mail client or mail transfer agent that can use other ports,
unless they want to trust their ISP's mail service or use webmail.

What proportion of an ISP's customers genuinely need the ability to talk to external hosts on 25/tcp? I mean really? We're talking about home users who can use their home ISP SMTP service and it'll meet their needs.


Agree that there should be a mechanism to opt out, but smart organisations will offer alternative, authenticated services to address any requirement for direct SMTP (except perhaps for situations where you actually intend to run a mail server at home.)


In some sense, anything positive you can accomplish by blocking Port 25
you can also accomplish by leaving the port open and advertising the IP
address on one of the dynamic / home broadband / etc. block lists,
which leaves recipients free to whitelist or blacklist your users.
And you can certainly provide better service to your customers by
redirecting Port 25 connections to an SMTP server that returns
"550 We block Port 25 - see www.example.net/faq/port25blocking"
or some similarly useful message as opposed to just dropping the packets.

I concur with the latter, but then again, if it's well publicised and clear from the get-go that external port 25 is not a service offered, it should be no big deal.
I do disagree that advertising the IP on blocklists serves the same purpose, because it pushes responsibility to a third party (a la the ISP waving its hands in the air and saying 'it's not my problem, we're just a means of access to the cloud'), and suddenly third party outfits get a whole bunch more clout than is necessary - and noise levels on the internet go up and/or junk volumes go up.


(Wonder how much spam the port-25-blockers actually stop?)

Would seem easier and a whole bunch more flexible for ISPs to manage their own turf, as it were, third party blocklists are a little on the ugly side. (False Positives are very hard to get dealt with, from experience.)

I've toned down my vehemence about the blocking issue a bit -
there's enough zombieware out there that I don't object strongly to an ISP
that has it blocked by default but makes it easy for humans to enable.

Fair enough. I think there's probably agreement on this point, but I would also make the point that the only legitimate reason to enable 25/tcp outbound to external hosts should be to run a mail server. SMTP-Auth for private use, for example, shouldn't be on 25.


Mark.
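The thread's suggestion of redirecting customer port 25 connections to an SMTP responder that returns a "550 ... see www.example.net/faq/port25blocking" line instead of silently dropping packets, as an added example that is not part of the original posts. The hostname, the 2525 listener port, the 192.0.2.0/24 customer range and the iptables rule are assumptions; the FAQ URL is the one quoted in the thread.

```python
"""Explanatory-refusal SMTP responder for an ISP outbound port 25 block."""
import socketserver

# Permanent refusal with the reason and a pointer, as suggested in the thread.
BLOCK_REPLY = "550 5.7.1 We block Port 25 - see www.example.net/faq/port25blocking"
# Constructed hostname for the responder.
BANNER = "220 port25-block.example.net ESMTP outbound port 25 is not offered here"


def reply_for(line: str) -> tuple[str, bool]:
    """Map one client command to (reply line, keep_connection_open).

    Greeting and QUIT behave normally so the client's log shows a clean
    session; every envelope command is refused with the same 5xx, so an
    MTA bounces immediately rather than retrying a dropped connection.
    """
    verb = line.strip().split(" ", 1)[0].upper()
    if verb in ("HELO", "EHLO"):
        return "250 port25-block.example.net", True
    if verb == "QUIT":
        return "221 2.0.0 Bye", False
    if verb in ("MAIL", "RCPT", "DATA", "STARTTLS", "AUTH"):
        return BLOCK_REPLY, True
    if verb in ("NOOP", "RSET"):
        return "250 2.0.0 OK", True
    return "502 5.5.2 Command not implemented", True


def run_session(client_lines) -> list[str]:
    """Drive a scripted session offline; returns the replies the client saw."""
    replies = [BANNER]
    for line in client_lines:
        reply, keep_open = reply_for(line)
        replies.append(reply)
        if not keep_open:
            break
    return replies


class BlockHandler(socketserver.StreamRequestHandler):
    def handle(self):
        self.wfile.write((BANNER + "\r\n").encode())
        for raw in self.rfile:
            reply, keep_open = reply_for(raw.decode("ascii", "replace"))
            self.wfile.write((reply + "\r\n").encode())
            if not keep_open:
                break


if __name__ == "__main__":
    # Assumed border redirect (constructed customer range) feeding this listener:
    #   iptables -t nat -A PREROUTING -s 192.0.2.0/24 -p tcp --dport 25 \
    #       -j REDIRECT --to-ports 2525
    with socketserver.ThreadingTCPServer(("0.0.0.0", 2525), BlockHandler) as srv:
        srv.serve_forever()
```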