Outgoing SMTP Servers

William Herrin bill at herrin.us
Tue Oct 25 10:46:05 CDT 2011


On Tue, Oct 25, 2011 at 5:49 AM, Owen DeLong <owen at delong.com> wrote:
> On Oct 24, 2011, at 11:13 PM, William Herrin wrote:
>> Blocking outbound TCP SYN packets on port 25 from non-servers is
>> considered a BEST PRACTICE to avoid being the source of snowshoe and
>> botnet spam. Blocking it from legitimate mail servers... does not make
>> sense.
>>
>> The SMTP submission port (TCP 587) is authenticated and should
>> generally not be blocked.
>
> Interesting... Most people I know run the same policy on 25 and 587 these
> days...

Owen,

Perhaps you misunderstand the issue. The issue is not relaying mail
through someone else's mail server, it's delivering mail to a mailbox
served by that mail server. 99.99 etc. percent of the time when that's
done directly from an IP address that's supposed to be a user PC, it's
some form of spam. Hence the best practice within the email community
is to ask the networking community to block those packets outright.
And it's why residential ISPs who fail to, tend to find their way into
Spamcop, Spamhaus and others. Facilitating that sort of network
filtering is precisely why authenticated SMTP relaying was assigned
port 587 instead of leaving it on port 25.


On Tue, Oct 25, 2011 at 11:28 AM, Carlos Martinez-Cagnazzo
<carlosm3011 at gmail.com> wrote:
> I'm curious how a traveller is supposed to get SMTP relay service
> when, well, travelling. I am not really sure if I want a VPN for
> sending a simple email.

That's what the SMTP submission port (TCP 587) is intended for and
it's why outbound 587 should not be blocked. In fact, blocking 587 can
cause problems with folks who use the Sender Policy Framework to
restrict the servers allowed to pass mail from a particular domain
outward.

Regards,
Bill Herrin




-- 
William D. Herrin ................ herrin at dirtside.com  bill at herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
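
Added example, not part of the original message or the list archive: the egress policy described above (drop new outbound TCP connections to port 25 from user-PC address space, leave port 587 and legitimate mail servers alone), evaluated over constructed flow records. The address ranges (RFC 5737 documentation prefixes), the record layout and the function names are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

# Assumed addressing plan (constructed, RFC 5737 documentation ranges).
SUBSCRIBER_POOLS = [ipaddress.ip_network("198.51.100.0/24")]  # user PCs
MAIL_SERVERS = {ipaddress.ip_address("192.0.2.25")}           # legitimate MTA

# Constructed flow records: (source, destination, dest port, TCP flags).
SAMPLE_FLOWS = [
    ("198.51.100.10", "203.0.113.5", 587, "S"),   # user submitting mail on 587
    ("198.51.100.10", "203.0.113.5", 587, "A"),   # same session, mid-connection
    ("198.51.100.44", "203.0.113.5", 25, "S"),    # user PC direct to a mail server
    ("198.51.100.44", "203.0.113.9", 25, "S"),    # same host, another destination
    ("192.0.2.25", "203.0.113.5", 25, "S"),       # real mail server delivering
    ("198.51.100.10", "203.0.113.80", 443, "S"),  # unrelated web traffic
]


def is_non_server(src):
    """True when the source is subscriber space and not an allowed mail server."""
    ip = ipaddress.ip_address(src)
    return ip not in MAIL_SERVERS and any(ip in net for net in SUBSCRIBER_POOLS)


def egress_decision(src, dport, flags):
    """Return 'drop' or 'permit' for one outbound TCP packet."""
    new_connection = "S" in flags and "A" not in flags  # bare SYN only
    if dport == 25 and new_connection and is_non_server(src):
        return "drop"
    return "permit"  # 587 and everything else is left alone by this rule


def blocked_sources(flows):
    """Count dropped port-25 SYNs per source address."""
    hits = Counter()
    for src, _dst, dport, flags in flows:
        if egress_decision(src, dport, flags) == "drop":
            hits[src] += 1
    return dict(hits)


if __name__ == "__main__":
    for src, count in blocked_sources(SAMPLE_FLOWS).items():
        print(f"{src}: {count} blocked port-25 connection attempts")
```

Sources that show up repeatedly in the drop count are the hosts worth checking for infection before a blocklist does it for you.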


