blakjak at blakjak.net
Fri Sep 12 22:16:55 CDT 2008
> Blocking port 25 has become popular, not only with
> walled-garden connectivity services that are really scared of their
> customers running their own servers (e.g. most cable modem companies),
> but also with other ISPs that don't want to deal with the problems
> of having customers who are spamming (whether deliberate or zombified.)
> So anybody buying something lower-priced than a T1 typically needs to
> have a mail client or mail transfer agent that can use other ports,
> unless they want to trust their ISP's mail service or use webmail.
What proportion of an ISP's customers genuinely need the ability to talk
to external hosts on 25/tcp? I mean really? We're talking about home
users who can use their home ISP SMTP service and it'll meet their needs.
Agree that there should be a mechanism to opt out, but smart organisations
will offer alternative, authenticated services to address any requirement
for direct SMTP (except perhaps for situations where you actually intend
to run a mail server at home.)
> In some sense, anything positive you can accomplish by blocking Port 25
> you can also accomplish by leaving the port open and advertising the IP
> on one of the dynamic / home broadband / etc. block lists,
> which leaves recipients free to whitelist or blacklist your users.
> And you can certainly provide better service to your customers by
> redirecting Port 25 connections to an SMTP server that returns
> "550 We block Port 25 - see www.example.net/faq/port25blocking"
> or some similarly useful message as opposed to just dropping the packets.
I concur with the latter, but then again, if it's well publicised and
clear from the get-go that external port 25 is not a service offered, it
should be no big deal.
I do disagree that advertising the IP on blocklists serves the same
purpose, because it pushes responsibility to a third party (a la the ISP
waving its hands in the air and saying 'it's not my problem, we're just a
means of access to the cloud'), and suddenly third-party outfits get a
whole bunch more clout than is necessary - and noise levels on the
internet go up and/or junk volumes go up.
(Wonder how much spam the port-25-blockers actually stop?)
It would seem easier and a whole bunch more flexible for ISPs to manage their
own turf, as it were; third-party blocklists are a little on the ugly
side. (False positives are very hard to get dealt with, from experience.)
> I've toned down my vehemence about the blocking issue a bit -
> there's enough zombieware out there that I don't object strongly to an ISP
> that has it blocked by default but makes it easy for humans to enable.
Fair enough. I think there's probably agreement on this point, but I would
also make the point that the only legitimate reason to enable 25/tcp
outbound to external hosts should be to run a mail server. SMTP-Auth for
private use, for example, shouldn't be on 25.
More information about the NANOG
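The "redirect port 25 to a server that returns a 550 with a pointer to the FAQ, rather than dropping packets" idea quoted above, worked through as an added example. This is not code from the thread or from any ISP; it only shows what such a policy endpoint and the customer's mail client see on the wire. The responder hostname, the enhanced status code 5.7.1 and the client name are assumptions; the FAQ URL is the one quoted in the thread. The network-layer part (DNAT of outbound 25/tcp to this host) is not shown. One caveat a practitioner would want: RFC 5321 allows a server to refuse the whole session with a 554 greeting, but many clients log nothing useful for that, so the example greets normally and refuses at MAIL FROM, where MUAs and MTAs reliably surface the reply text to the user or to the bounce.

```python
"""Port-25 "explain, don't drop" responder: an ISP-side SMTP stub that answers
redirected outbound port-25 connections with a 550 telling the user why.
Added example, not code from the NANOG thread. The hostname, the enhanced
status code 5.7.1 and the client name are assumptions for illustration;
the FAQ URL is the one quoted in the thread."""
import smtplib
import socketserver
import threading

BLOCK_TEXT = "5.7.1 We block Port 25 - see www.example.net/faq/port25blocking"
BANNER = "220 smtp-block.example.net ESMTP port-25 policy responder"  # assumed name


class Port25BlockHandler(socketserver.StreamRequestHandler):
    """Minimal SMTP dialogue: greet, accept EHLO/HELO, refuse MAIL FROM with 550."""

    def reply(self, line):
        self.wfile.write((line + "\r\n").encode("ascii"))
        self.wfile.flush()

    def handle(self):
        self.reply(BANNER)
        while True:
            raw = self.rfile.readline()
            if not raw:  # client went away
                return
            verb = raw.decode("ascii", "replace").strip().split(" ", 1)[0].upper()
            if verb in ("EHLO", "HELO"):
                # Bare capability line only: no AUTH or STARTTLS is advertised,
                # because this host is a policy endpoint, not a relay.
                self.reply("250 smtp-block.example.net")
            elif verb == "QUIT":
                self.reply("221 2.0.0 Bye")
                return
            elif verb in ("RSET", "NOOP"):
                self.reply("250 2.0.0 OK")
            else:
                # MAIL FROM, RCPT TO, DATA and anything else get the 550 the
                # thread proposes, with the URL the user can act on.
                self.reply("550 " + BLOCK_TEXT)


def start_block_server(host="127.0.0.1", port=0):
    """Start the responder on a background thread. Port 0 picks a free port
    so this runs unprivileged; a real deployment listens on 25 and receives
    the NAT-redirected connections. Returns (bound_port, stop_callable)."""
    srv = socketserver.ThreadingTCPServer((host, port), Port25BlockHandler)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()

    def stop():
        srv.shutdown()
        srv.server_close()

    return srv.server_address[1], stop


def probe_as_client(host, port):
    """What a real MUA/MTA sees: drive the dialogue with smtplib and return
    the (code, text) reply to MAIL FROM. smtplib.mail() returns the reply
    rather than raising, so the explanatory text is available to log."""
    with smtplib.SMTP(host, port, timeout=5) as conn:
        conn.ehlo("customer-pc.example.org")  # hypothetical client name
        code, text = conn.mail("user@example.org")
        return code, text.decode("ascii")


if __name__ == "__main__":
    port, stop = start_block_server()
    try:
        print(probe_as_client("127.0.0.1", port))
    finally:
        stop()
```

Running the block prints the (550, '5.7.1 We block Port 25 - see www.example.net/faq/port25blocking') pair the client receives; with a plain DROP rule the same client would instead sit in a connect timeout and report nothing actionable.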