ingress SMTP

Tony Finch dot at dotat.at
Thu Sep 4 08:27:56 CDT 2008


On Wed, 3 Sep 2008, Keith Medcalf wrote:
>
> Why would the requirements for authentication be different depending on
> the port used to connect to the MTA?

It's easier to configure the MTA if you make a distinction between
server-to-server traffic and client-to-server traffic. In fact my systems
distinguish three classes of traffic: MX, message submission, and
smarthost.

The MX service has lots of anti-spam features. You want to separate it
from the others so that techniques like teergrubing don't make message
submission painfully slow. You can also avoid interoperability problems
with server-to-server TLS. You can limit the number of connections used by
the MX service to that when it is being hammered by spammers, you can
reserve some capacity so that message submission and outgoing relay still
work.

Having a message submission service that always requires TLS and
authentication makes it easier for users to check their configuration. A
mistake such as not turning on AUTH can be hidden when they test on their
home network, only to be discovered later when they are roaming far from
tech support.

Separating your smarthost (outgoing relay service) from your MX can avoid
some strange problems. Back in the dim and distant past before remote
AUTHed message submission and before separate MX and smarthost, our
roaming users who failed to change their smarthost setting would have
working email when contacting colleagues but not anyone else, with a
mysterious "relaying is not permitted" error instead of something clear
and helpful. There's also some advantage to making it harder for spammers
to work out the name of your smarthost: we once (years ago) had a
problem with an open web proxy that spammers used as the first half of a
two-stage open relay, the second half of which was the MX of the proxy's
parent domain.

We separate these functions by having separate names and IP addresses for
each one. They are all just facets of the same MTA, so we don't have to
maintainn lots of different configurations.

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
LUNDY FASTNET IRISH SEA: WESTERLY OR SOUTHWESTERLY 4 OR 5, BECOMING CYCLONIC
OR NORTHEASTERLY 5 TO 7, PERHAPS GALE 8 LATER. ROUGH OR VERY ROUGH. RAIN OR
SHOWERS. MODERATE OR GOOD, OCCASIONALLY POOR.




More information about the NANOG mailing list