Robert E. Seastrom
rs at seastrom.com
Thu Sep 11 07:02:32 CDT 2008
Joel Jaeggli <joelja at bogus.com> writes:
>> Does anyone bother to run an MSA on 587 and *not* require authentication?
> All my normal relay or lack thereof and delivery rules are in place on
> my 587 port. Of course MUAs and MTAs will also do TLS as well as
> authentication over port 25 where available. I don't see any reason to
> preclude a host that would be allowed to relay via 25 to do so via 587...
> Congruent policy makes administration simpler.

I do not allow relaying (only local delivery and maybe MX but I think
I'm not doing secondary MX for anyone anymore) over port 25 and I do
not allow authentication over port 25 either.

Likewise, I do not allow unauthenticated local delivery on port 587,
demand STARTTLS on port 587, and generally you have to auth to do anything.

The extra effort required to set this up (exim recipes available) pays
dividends by ensuring that people have their MUAs configured properly
at home - otherwise they won't work at all - and helps avoid whiney
long distance phone calls asking for help from some user who's off in
Bonaire or something.
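
Added example, not part of the original message and not the poster's Exim recipes: a small Python audit of the advertised side of the 25/587 split described above (no AUTH on port 25; on 587, STARTTLS offered and AUTH visible only after TLS). The function names, hostnames and EHLO replies are constructed for illustration.

```python
import smtplib
import ssl

def parse_ehlo(reply):
    """Keywords from a raw EHLO reply ("250-SIZE ...", one line each)."""
    caps = set()
    for line in reply.splitlines()[1:]:              # line 0 is the greeting
        words = line[4:].replace("=", " ").split()   # drop "250-" / "250 "
        if words:
            caps.add(words[0].upper())
    return caps

def check_policy(p25, p25_tls, p587, p587_tls):
    """Arguments are EHLO keyword sets; *_tls is None if TLS was never negotiated."""
    findings = []
    if "AUTH" in p25 | (p25_tls or set()):
        findings.append("25: AUTH advertised")
    if "STARTTLS" not in p587:
        findings.append("587: STARTTLS not offered")
    if "AUTH" in p587:
        findings.append("587: AUTH advertised before STARTTLS")
    if p587_tls is not None and "AUTH" not in p587_tls:
        findings.append("587: AUTH missing after STARTTLS")
    return findings

def probe(host, port, timeout=10):
    """Live check of a server you run: (keywords before TLS, after TLS or None)."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        plain = {k.upper() for k in s.esmtp_features}
        if "STARTTLS" not in plain:
            return plain, None
        s.starttls(context=ssl.create_default_context())
        s.ehlo()
        return plain, {k.upper() for k in s.esmtp_features}

# Constructed EHLO replies (not captured from any real server).
GOOD_25 = "250-mx.example.net Hello\n250-SIZE 52428800\n250-STARTTLS\n250 HELP"
GOOD_587 = "250-mx.example.net Hello\n250-STARTTLS\n250 HELP"
GOOD_587_TLS = "250-mx.example.net Hello\n250-AUTH PLAIN LOGIN\n250 HELP"
LAX = "250-mx.example.net Hello\n250-AUTH PLAIN LOGIN\n250 HELP"  # used for both ports

def demo():
    good = check_policy(parse_ehlo(GOOD_25), None, parse_ehlo(GOOD_587), parse_ehlo(GOOD_587_TLS))
    lax = check_policy(parse_ehlo(LAX), None, parse_ehlo(LAX), None)
    return good, lax

if __name__ == "__main__":
    print(demo())
```

This checks only what the server advertises; whether port 587 actually refuses unauthenticated MAIL/RCPT, or port 25 refuses relaying, has to be confirmed against the server's ACLs.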