ingress SMTP

Stephen Sprunk stephen at
Wed Sep 3 12:07:22 CDT 2008

Alec Berry wrote:
> Michael Thomas wrote:
>> But the thing that's really pernicious about this sort of policy is
>> that it's a back door policy for ISP's to clamp down on all outgoing
>> ports in the name of "security".
> I don't think ISPs have anything to gain by randomly blocking ports.  They may block a port that is often used for malicious behavior (135-139, 194, 445, 1433, 3306 come to mind) as a way to reduce their support calls-- but they would have to balance that with the risk of loosing customers. It's not as much a slippery slope as much as it is a tightrope act (yes-- I am metaphorically challenged).

I see nothing wrong with filtering commonly abused ports, provided that 
the ISP allows a user to opt out if they know enough to ask.

When port 25 block was first instituted, several providers actually 
redirected connections to their own servers (with spam filters and/or 
rate limits) rather than blocking the port entirely.  This seems like a 
good compromise for port 25 in particular, provided you have the tools 
available to implement and support it properly.

I also agree with the comments about switching customers to 587.  My 
former monopoly ISP only accepted mail on 25 and I had endless problems 
trying to send mail from airports, hotels, coffee shops, etc. while 
traveling.  The same hotspots also tended to block port 22, so I 
couldn't even forward mail via my own server.  However, my new monopoly 
ISP only accepts mail on 587, and I have yet to have a single problem 
with that from any hotspot I've used since the switch.  Ditto for 
reading my mail via IMAPS/993, whereas I used to have occasional 
problems reading it via IMAP/143.


More information about the NANOG mailing list