Why do so few mail providers support Port 587?

Owen DeLong owen at delong.com
Wed Feb 16 09:38:18 UTC 2005



--On Wednesday, February 16, 2005 2:16 +0000 Thor Lancelot Simon 
<tls at netbsd.org> wrote:

>
> On Tue, Feb 15, 2005 at 09:00:11PM -0500, Sean Donelan wrote:
>>
>> Sendmail now includes Port 587, although some people disagree how
>> it's done.  But Exchange and other mail servers are still difficult
>> for system administrators to configure Port 587 (if it doesn't say
>> click here for Port 587 during the Windows installer, it's too
>> complicated).
>
> This is utterly silly.  Running another full-access copy of the MTA
> on a different port than 25 achieves precisely nothing -- and this
> "support" has always been included in sendmail, with a 1-line change
> either to the source code (long ago) or the default configuration or
> simply by running sendmail from inetd.
>
> What benefit, exactly, do you see to allowing unauthenticated mail
> submission on a different port than the default SMTP port?
>
The whole point of port 587 is that it should _NOT_ allow unauthenticated
submission, whereas port 25 generally MUST allow unauthenticated submission
for at least some categories of destination addresses.  If port 25 only
gets used for MTA to MTA communications and port 587 can be used for
CLIENT->MTA submissions on an authenticated only basis, there is some
advantage to it.  Admittedly, port 587 would be unnecessary if ISPs weren't
blocking port 25, but, since they are, it is.  Likely, if people started
requiring SMTP AUTH often enough on port 25 for relay access, the port 25
blocks could be eliminated and port 587 could fade away.  However, in the
meantime, port 687 is a reasonable solution to the real world situation.


> Similarly, what harm, exactly, do you see to allowing authenticated
> mail submission on port 25?
>
None.  However, it's very hard to control at the router level whether
your thousands of DSL users are making authenticated submission or
non-authenticated submission to far-end mail servers.  By blocking
port 25 and knowing that almost anyone using 587 is probably recently
enough up on RFCs to know not to allow unauthenticated submission,
this becomes a reasonable compromise.  Everyone requiring auth on
port 25 for relay submission would be a better solution, but is also
an unrealistic view of the world.

> What will actually give us some progress on spam and on usability
> issues is requiring authentication for mail submission.  Which TCP
> port is used for the service matters basically not at all.
>
Yep, but, if we block virus->25 and support auth->587, then, we aren't
allowing virus->25 by accident in the current environment.

Owen


-- 
If this message was not signed with gpg key 0FE2AA3D, it's probably
a forgery.
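The split Owen describes (port 25 accepting unauthenticated mail only for local destinations, port 587 requiring SMTP AUTH for everything) as an added Postfix configuration example; this is not from the thread, which discusses sendmail and Exchange, and the TLS requirement on 587 is an added hardening assumption, not something the post calls for.

```conf
# main.cf (added example): port 25 is MTA-to-MTA. Accept mail for our own
# domains from anyone, relay only for trusted networks, reject the rest.
mydestination              = example.org, localhost
mynetworks                 = 127.0.0.0/8, [::1]/128
smtpd_relay_restrictions   = permit_mynetworks,
                             reject_unauth_destination
# Authentication is offered nowhere by default; it is switched on per
# listener in master.cf so port 25 stays unauthenticated-only.
smtpd_sasl_auth_enable     = no

# master.cf (added example): the port 25 listener inherits main.cf.
# service  type  private unpriv chroot wakeup maxproc command
smtp       inet  n       -      n      -      -       smtpd

# Port 587 (submission) is client-to-MTA only: require TLS first, then
# SASL authentication, and reject every client that does not authenticate,
# regardless of the recipient domain.
submission inet  n       -      n      -      -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
```

After reloading, `postconf -P submission/inet/smtpd_client_restrictions` shows the per-listener override, and an unauthenticated RCPT TO on 587 is refused while the same RCPT TO for a local domain on 25 is accepted.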