ingress SMTP

Mark Foster blakjak at blakjak.net
Sat Sep 13 03:16:55 UTC 2008


> Blocking port 25 has become popular, not only with
> walled-garden connectivity services that are really scared of their
> customers running their own servers (e.g. most cable modem companies),
> but also with other ISPs that don't want to deal with the problems
> of having customers who are spamming (whether deliberate or zombified.)
> So anybody buying something lower-priced than a T1 typically needs to
> have a mail client or mail transfer agent that can use other ports,
> unless they want to trust their ISP's mail service or use webmail.

What proportion of an ISP's customers genuinely need the ability to talk 
to external hosts on 25/tcp? I mean really?  We're talking about home 
users who can use their home ISP SMTP service and it'll meet their needs.

Agree that there should be a mechanism to opt out, but smart organisations 
will offer alternative, authenticated services to address any requirement 
for direct SMTP (except perhaps for situations where you actually intend 
to run a mail server at home.)


> In some sense, anything positive you can accomplish by blocking Port 25
> you can also accomplish by leaving the port open and advertising the IP
> address on one of the dynamic / home broadband / etc. block lists,
> which leaves recipients free to whitelist or blacklist your users.
> And you can certainly provide better service to your customers by
> redirecting Port 25 connections to an SMTP server that returns
> "550 We block Port 25 - see www.example.net/faq/port25blocking"
> or some similarly useful message as opposed to just dropping the packets.

I concur with the latter, but then again, if it's well publicised and 
clear from the get-go that external port 25 is not a service offered, it 
should be no big deal.
I do disagree that advertising the IP on blocklists serves the same 
purpose, because it pushes responsibility to a third party (ala ISP is 
waving its hands in the air and saying 'it's not my problem, we're just a 
means of access to the cloud'), and suddenly third party outfits get a 
whole bunch more clout than is necessary - and noise levels on the 
internet go up and/or junk volumes go up.

(Wonder how much spam the port-25-blockers actually stop?)

Would seem easier and a whole bunch more flexible for ISPs to manage their 
own turf, as it were; third party blocklists are a little on the ugly 
side. (False positives are very hard to get dealt with, from experience.)

> I've toned down my vehemence about the blocking issue a bit -
> there's enough zombieware out there that I don't object strongly to an ISP
> that has it blocked by default  but makes it easy for humans to enable.

Fair enough. I think there's probably agreement on this point, but I would 
also make the point that the only legitimate reason to enable 25/tcp 
outbound to external hosts should be to run a mail server.  SMTP-Auth for 
private use, for example, shouldn't be on 25.

Mark.
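
The redirect-and-explain approach from the quoted text, as an added example that is not part of the original thread: a small Python responder that answers redirected port 25 connections with the quoted 550 message instead of dropping packets. The hostname, listening port 2525, timeout and command limit are assumptions, as is the ISP redirecting customers' outbound 25/tcp to this listener.

```python
import asyncio

# Reply text is taken from the quoted message; everything else is assumed.
REJECT = "550 We block Port 25 - see www.example.net/faq/port25blocking"
HOST = "port25-notice.example.net"  # constructed placeholder hostname
BANNER = f"220 {HOST} ESMTP"
IDLE_TIMEOUT = 30   # seconds; assumed limit
MAX_COMMANDS = 20   # per connection; assumed limit

def reply_for(line: str) -> tuple[str, bool]:
    """Return (reply, close_connection) for one client command line."""
    verb = line.strip().split(" ", 1)[0].upper()
    if verb in ("HELO", "EHLO"):
        # Accept the greeting so the client goes on to MAIL FROM and the
        # explanatory 550 lands in its error dialog or MTA log.
        return f"250 {HOST}", False
    if verb in ("RSET", "NOOP"):
        return "250 OK", False
    if verb == "QUIT":
        return "221 Bye", True
    if verb in ("MAIL", "RCPT", "DATA", "VRFY", "EXPN"):
        return REJECT, False
    return "500 Command not recognized", False

async def handle(reader, writer):
    """Serve one redirected connection; no message is ever accepted."""
    try:
        writer.write((BANNER + "\r\n").encode())
        await writer.drain()
        for _ in range(MAX_COMMANDS):
            raw = await asyncio.wait_for(reader.readline(), IDLE_TIMEOUT)
            if not raw:
                break  # client disconnected
            reply, done = reply_for(raw.decode("ascii", "replace"))
            writer.write((reply + "\r\n").encode())
            await writer.drain()
            if done:
                break
    except (asyncio.TimeoutError, ConnectionError, ValueError):
        pass  # idle client, reset, or a line longer than the reader limit
    finally:
        writer.close()

async def main(host="127.0.0.1", port=2525):
    server = await asyncio.start_server(handle, host, port, limit=1024)
    async with server:
        await server.serve_forever()

if __name__ == "__main__":
    asyncio.run(main())
```

Because the rejection is a permanent 5xx reply at MAIL FROM, a sending MTA bounces immediately with the FAQ pointer rather than queueing and retrying as it would against silently dropped packets.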
