Outgoing SMTP Servers
owen at delong.com
Tue Oct 25 04:49:19 CDT 2011
On Oct 24, 2011, at 11:13 PM, William Herrin wrote:
> On Tue, Oct 25, 2011 at 12:29 AM, Dennis Burgess
> <dmburgess at linktechs.net> wrote:
>> I am curious about what network operators are doing with outbound SMTP
>> traffic. In the past few weeks we have ran into over 10 providers,
>> mostly local providers, which block outbound SMTP and require the users
>> to go THOUGH their mail servers even though those servers are not
>> responsible for the domains in question! I know other mail servers are
>> blocking non-reversible mail, however, is this common? And more
>> importantly, is this an acceptable practice?
> Hi Dennis,
> Blocking outbound TCP SYN packets on port 25 from non-servers is
> considered a BEST PRACTICE to avoid being the source of snowshoe and
> botnet spam. Blocking it from legitimate mail servers... does not make
> The SMTP submission port (TCP 587) is authenticated and should
> generally not be blocked.
Interesting... Most people I know run the same policy on 25 and 587 these
to-local-domain, no auth needed.
relay, auth needed.
auth required == TLS required.
Anything else on either port seems not best practice to me.
Due to the absurd things I've seen done in the world, I actually
run that policy on 5 ports:
25, 587 as you would expect.
465 SSL rather than STARTTLS, but, otherwise identical
80 because it works when nothing else does.
443 because sometimes Deep Packet Inspection is a PITA.
Of course, using 80 and 443 requires the use of additional IP address
resources for those servers rather than being able to also run a web
server on the same address, but, this is the consequence of replacing
an internet with 64K ports with filters that force the entire internet to
operate all services on TCP/80.
With this combination, I have not encountered a hotel, airport lounge, or
other poorly run environment from which I cannot send mail through my
home server from my laptop/ipad/iphone/etc.
More information about the NANOG