Time to check the rate limits on your mail servers
Todd Vierling
tv at duh.org
Thu Feb 3 19:36:30 UTC 2005
On Thu, 3 Feb 2005, Jason Frisvold wrote:
> > > prevents zombies from spamming. Unfortunately, it also blocks
> > > legitimate users from being able to use SMTP AUTH on a remote server..
> >
> > There's a *reason* why RFC2476 specifies port 587....
>
> I assume you're referring to the ability to block port 25 if 587 is
> used for submission. This is great in theory, but if this were the
> case, then the Trojan authors would merely alter their Trojan to use
> port 587.
If they authenticate.
Modulo a stupidity built in to Sendmail (that Claus Assman ignorantly thinks
is a non-issue[*]), port 587 is not supposed to be used for endpoint MTA
delivery. It's a mail SUBMISSION port, which is supposed to mean that J.
Random Client isn't supposed to use it for delivery purposes.
===
[*] As of now, Sendmail doesn't require SMTP AUTH by default on
the MSA port; it treats 25 and 587 identically (so that things like
IP-based relay auth work without need for SMTP AUTH).
I sent an m4-only change to the Sendmail maintainers implementing a way
to make 587 allow only relay-authorized clients to send anything at all
by default -- whether IP-based relay auth, or SMTP AUTH, or any other
method built in to the relay-check code path. It was shot down by Claus
because he simply doesn't understand the issue and doesn't think
that identical 25 and 587 ports are a threat.
--
-- Todd Vierling <tv at duh.org> <tv at pobox.com>
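The submission-port policy argued for above, as an added example that is not part of the post and not Sendmail's own relay-check code. It models both sides of the exchange: a minimal server state machine for a port 25 or port 587 listener, and a probe client that drives the same command sequence a zombie would. On the submission port the hardened rule refuses MAIL FROM outright unless the client is relay-authorized, either by source IP (an IP-based relay list) or by a completed SMTP AUTH; a flag reproduces the default "25 and 587 treated identically" behaviour for comparison. All domains, addresses, networks and credentials are constructed sample data, and the AUTH command is a simplified plaintext stand-in for a real SASL PLAIN exchange.

```python
"""Model of a submission-port (587) policy and a probe against it.

Added example; not code from the NANOG post and not Sendmail's own
relay-check logic. All names below are constructed sample data.
"""
import ipaddress

LOCAL_DOMAINS = {"example.net"}                        # constructed
RELAY_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # IP-based relay auth, constructed
CREDENTIALS = {"alice": "s3cret"}                     # constructed; never store plaintext in real life


class SmtpSession:
    """Server-side state for one connection; handle() returns one reply per command."""

    def __init__(self, port, client_ip, msa_requires_auth=True):
        self.port = port
        self.client_ip = ipaddress.ip_address(client_ip)
        # False reproduces the "25 and 587 treated identically" default the post complains about.
        self.msa_requires_auth = msa_requires_auth
        self.authenticated = False
        self.sender = None

    def relay_authorized(self):
        """Relay-authorized by either SMTP AUTH or source address."""
        return self.authenticated or any(self.client_ip in net for net in RELAY_NETS)

    def handle(self, line):
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            return "250-mx.example.net\r\n250 AUTH PLAIN"
        if verb == "AUTH":
            # Simplified "AUTH PLAIN <user> <password>" in the clear; a real client
            # sends a base64 SASL PLAIN blob, and should only do so under TLS.
            parts = arg.split(" ")
            if len(parts) == 3 and parts[0].upper() == "PLAIN" and CREDENTIALS.get(parts[1]) == parts[2]:
                self.authenticated = True
                return "235 2.7.0 Authentication successful"
            return "535 5.7.8 Authentication credentials invalid"
        if verb == "MAIL":
            # The hardened submission rule: no envelope at all from an unauthorized client.
            if self.port == 587 and self.msa_requires_auth and not self.relay_authorized():
                return "530 5.7.0 Authentication required"
            self.sender = arg
            return "250 2.1.0 Sender ok"
        if verb == "RCPT":
            if self.sender is None:
                return "503 5.5.1 Need MAIL before RCPT"
            domain = arg.rsplit("@", 1)[-1].rstrip(">").lower()
            # Port 25 rule: local domains from anyone, relaying only when authorized.
            if domain in LOCAL_DOMAINS or self.relay_authorized():
                return "250 2.1.5 Recipient ok"
            return "550 5.7.1 Relaying denied"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "500 5.5.1 Command unrecognized"


def probe(session, auth=None, rcpt="<victim@example.org>"):
    """Drive one submission attempt; return the first non-2xx/3xx reply code, else '250'.

    Pass auth=("alice", "s3cret") to authenticate first. Sent over a real socket
    to port 587 of your own server, this same sequence is the check the post
    asks for: an unauthenticated MAIL FROM there should not get a 250.
    """
    cmds = ["EHLO probe.example.com"]
    if auth:
        cmds.append("AUTH PLAIN %s %s" % auth)
    cmds += ["MAIL FROM:<spam@example.com>", "RCPT TO:%s" % rcpt, "QUIT"]
    for cmd in cmds:
        code = session.handle(cmd)[:3]
        if code[0] not in "23":
            return code
    return "250"


if __name__ == "__main__":
    # Default-style listener: 587 behaves like 25, so a zombie at 203.0.113.5 can
    # still hand mail for a local mailbox to the submission port.
    print(probe(SmtpSession(587, "203.0.113.5", msa_requires_auth=False), rcpt="<bob@example.net>"))
    # Hardened listener: the same client is refused at MAIL FROM.
    print(probe(SmtpSession(587, "203.0.113.5")))
    # Relay-authorized by IP, or by SMTP AUTH, still goes through.
    print(probe(SmtpSession(587, "192.0.2.10")))
    print(probe(SmtpSession(587, "203.0.113.5"), auth=("alice", "s3cret")))
```

In Sendmail itself the documented way to force authentication on the submission listener is the `a` daemon-option modifier, as in `DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl`; that requires SMTP AUTH specifically, which is narrower than the "any relay-authorized client, IP-based included" rule the post proposes and the model above implements.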
More information about the NANOG
mailing list