ingress SMTP

Mark Foster blakjak at blakjak.net
Thu Sep 4 02:01:48 UTC 2008


>
>> On Wed, Sep 03, 2008 at 12:58:53PM -0400, Nicholas Suan wrote:
>> > On Sep 3, 2008, at 12:49 PM, Jay R. Ashworth wrote:
>
>> > >You're forgetting that 587 *is authenticated, always*.
>
>> > I'm not sure how that makes much of a difference since the
>> > usual spam vector is malware that has (almost) complete
>> > control of the machine in the first place.
>
>> Well, that depends on MUA design, of course, but it's just
>> been pointed out to me that the RFC says MAY, not MUST.
>
>> Oops.
>
>> Does anyone bother to run an MSA on 587 and *not* require
>> authentication?
>
> Raises hand.
>
> Why would the requirements for authentication be different depending on
> the port used to connect to the MTA?
>
> No matter how a session comes into the MTA (port 25, 465, 587, anything
> else) and no matter whether it is encrypted or not, the requirement for
> authentication (which is always available and advertized), is based on a
> simple policy:
>
>  - local delivery originating from a non-blacklisted or
> "internal/customer" address does not require authentication;
>
>  - relay from "internal/customer" IP Addresses does not require
> authentication;
>
>  - any connection from a blacklisted IP requires authentication or no mail
> will be accepted;
>
>  - relay from "external/non-customer" IP Addresses requires
> authentication;
>
> Is there a valid reason why a different configuration is justified?
>
> As an aside, outbound port 25 traffic is also blocked except from the MTA.
>

I'm glad someone finally posted the above.

When I came 'up through the ranks' the policy could be explained simply,
by separating POP3 and SMTP.  The following is the users-perspective
explanation I used to offer:

- Mail from World to Client is checked via user/password check (POP3 in
your mail client).  Because it's authenticated, it can be done from
anywhere - subject to your ISP's policies on the subject.

- Mail from Client to World is not authenticated (generally speaking) but
what is checked is where you are.  The rules:

- Mail from ISP-IP to ISP-SMTP-SERVER is accepted regardless of destination.
- Mail from anywhere else to ISP-SMTP-SERVER is accepted only if the
destination is 'local' to the ISP.
- There's no reason to do anything else as a general rule.

Privately managed outbound mail solutions (such as a colo, or a corporate
network, which subjects you to some other sort of validation before
accepting your message) should be 'accountable' and in order to circumvent
Port 25 blocking, should be found on other ports anyway. Port 25 traffic
should be subject to the above.

(I realise this doesn't account for SMTP-Auth.  The reality today is that
ISPs are blocking Port 25 to reduce spam from drones and that people
should be prepared to work around this.)

So in terms of the OP,
I don't see why joe-user on a dynamic-IP home connection should need the
ability to use port 25 to talk to anywhere but their local ISP SMTP server
on a normal basis[1]. They're not doing MX lookups so they're not going
direct to remote MTAs[2].  Regardless of where they got the mail _from_,
the outbound mail should be via SMTP to their local SMTP server.[3]

If you separate inbound (POP3) and outbound (SMTP) mail delivery in your
thinking you can start to make sense of things (from a user's perspective).
This is always the tack I've taken when trying to educate users about why
their outbound email doesn't work when they're moving from ISP to ISP.
(At which point you offer them your authenticated-another-way service,
such as 587 with SMTP auth).

[1] Customers with a specific need to do so should have the means to
opt-out. I believe most of the ISPs in NZ who block 25-outbound from
clients also offer this option.

[2] Customers doing MX lookups are either drones or people with mail
servers at home. The former are obviously the target of the block. The
latter are likely going to be any one of:

- Blocked by SORBS or similar as a dynamic IP
- Running a mail server in breach of AUP
- On a fixed IP and (theoretically) capable of securing their system and
not being a drone or open mail relay (and being traceable via their ISP).

[3] Note also [2].  Outbound mail is associated with your ISP and their
SMTP service. Has nothing to do with inbound mail.  Nothing. Nada. Zip.

Or doesn't the rest of the world think like this?

Mark.

PS: It occurs to me that SPF has an influence here, if you're aggressively
using it then you should also be offering alternatives to Port 25 SMTP.
IMHO.
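The relay policy quoted at the top of this message (and the simpler ISP-IP rules Mark describes) written out as a decision function, so the "port does not matter" point can be checked directly. This is an added example, not code from the original post or from any NANOG poster; the customer ranges, local domain list and blacklist below are constructed stand-ins for what an ISP would take from its address plan and a DNSBL lookup.

```python
"""Port-independent SMTP accept/relay policy (illustrative, added example).

The decision depends only on: client IP (customer / external / blacklisted),
whether the session authenticated, and whether the recipient is local.
The listening port is carried in the session purely to demonstrate that it
plays no part in the outcome.
"""
import ipaddress
from dataclasses import dataclass

# Constructed example data: an ISP's customer ranges, its own domains, and a
# couple of ranges standing in for DNSBL hits.  Real deployments would derive
# these from the address plan and a live DNSBL query.
CUSTOMER_NETS = [ipaddress.ip_network("192.0.2.0/24"),
                 ipaddress.ip_network("2001:db8:100::/48")]
LOCAL_DOMAINS = {"example.net"}
BLACKLISTED = [ipaddress.ip_network("203.0.113.0/24")]


@dataclass
class Session:
    client_ip: str
    authenticated: bool
    recipient: str
    port: int = 25  # 25, 465 or 587; irrelevant to decide()


def _in_any(nets, ip):
    return any(ip in net for net in nets)


def decide(s: Session):
    """Return (action, reason) for one envelope recipient.

    Rule order mirrors the quoted policy:
      1. blacklisted client: must authenticate, otherwise nothing is accepted
      2. authenticated: relay anywhere
      3. customer IP: relay anywhere without auth
      4. local delivery from a non-blacklisted outsider: accept
      5. anything else is unauthenticated relay from outside: refuse
    """
    ip = ipaddress.ip_address(s.client_ip)
    rcpt_domain = s.recipient.rsplit("@", 1)[-1].lower()
    local_rcpt = rcpt_domain in LOCAL_DOMAINS

    if _in_any(BLACKLISTED, ip) and not s.authenticated:
        return ("reject", "blacklisted client must authenticate")
    if s.authenticated:
        return ("accept", "authenticated sender")
    if _in_any(CUSTOMER_NETS, ip):
        return ("accept", "customer network")
    if local_rcpt:
        return ("accept", "local delivery")
    return ("reject", "relay denied; authenticate first")


def port_independent(s: Session) -> bool:
    """True when the decision is the same on 25, 465 and 587."""
    results = {decide(Session(s.client_ip, s.authenticated, s.recipient, p))
               for p in (25, 465, 587)}
    return len(results) == 1


if __name__ == "__main__":
    # Constructed sample sessions: customer, outsider, authenticated roamer,
    # and a blacklisted host with and without credentials.
    samples = [
        Session("192.0.2.10", False, "friend@elsewhere.example"),
        Session("198.51.100.7", False, "user@example.net"),
        Session("198.51.100.7", False, "friend@elsewhere.example", port=587),
        Session("198.51.100.7", True, "friend@elsewhere.example"),
        Session("203.0.113.5", False, "user@example.net"),
        Session("203.0.113.5", True, "friend@elsewhere.example"),
    ]
    for s in samples:
        action, reason = decide(s)
        print(f"{s.client_ip:>14} auth={s.authenticated!s:5} port={s.port} "
              f"-> {action}: {reason}")
```

The same ordering expressed as a Postfix restriction list (my mapping, not something from the thread) is `permit_sasl_authenticated, reject_rbl_client <dnsbl>, permit_mynetworks, reject_unauth_destination`; Postfix applies whatever `smtpd_recipient_restrictions` says on every port the daemon listens on unless a `master.cf` entry overrides it, which is exactly the "no matter how a session comes into the MTA" position quoted above. If the DNSBL could ever contain your own customer ranges, decide which of rules 1 and 3 should win before deploying; the code above follows the quoted text and lets the blacklist win.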
