Outgoing SMTP Servers

Matt McBride mmcbride at westhost.com
Tue Oct 25 17:27:45 UTC 2011

We use Mailchannels to route all outbound mail through it, which does a decent job of keeping garbage off the Internet and SBLs/RBLs clean. It is dependent on PBR so there is overhead to manage it but the product runs on our own hardware.


-----Original Message-----
From: Owen DeLong [mailto:owen at delong.com] 
Sent: Tuesday, October 25, 2011 10:56 AM
To: William Herrin
Cc: nanog at nanog.org
Subject: Re: Outgoing SMTP Servers

On Oct 25, 2011, at 8:46 AM, William Herrin wrote:

> On Tue, Oct 25, 2011 at 5:49 AM, Owen DeLong <owen at delong.com> wrote:
>> On Oct 24, 2011, at 11:13 PM, William Herrin wrote:
>>> Blocking outbound TCP SYN packets on port 25 from non-servers is
>>> considered a BEST PRACTICE to avoid being the source of snowshoe and
>>> botnet spam. Blocking it from legitimate mail servers... does not make
>>> sense.
>>> The SMTP submission port (TCP 587) is authenticated and should
>>> generally not be blocked.
>> Interesting... Most people I know run the same policy on 25 and 587 these
>> days...
> Owen,
> Perhaps you misunderstand the issue. The issue is not relaying mail
> through someone else's mail server, it's delivering mail to a mailbox
> served by that mail server. 99.99 etc. percent of the time when that's
> done directly from a IP address that's supposed to be user PC it's
> some form of spam. Hence the best practice within the email community
> is to ask the networking community to block those packets outright.
> And its why residential ISPs who fail to tend to find their way into
> Spamcop, Spamhaus and others. Facilitating that sort of network
> filtering is precisely why authenticated SMTP relaying was assigned
> port 587 instead of leaving it on port 25.

Wouldn't the right place for that form of rejection to occur be at the
mail server in question?

Precluding users doing legitimate things just because there are users
who do illegitimate things is damaging to the internet and I will continue
to route around it.

I reject lots of residential connections to my port 25 services every day.
However, senders who authenticate legitimately or legitimate sources
of email (and yes, some spam sources too) connect just fine.

> On Tue, Oct 25, 2011 at 11:28 AM, Carlos Martinez-Cagnazzo
> <carlosm3011 at gmail.com> wrote:
>> I'm curious how a traveller is supposed to get SMTP relay service
>> when, well, travelling. I am not really sure if I want a VPN for
>> sending a simple email.
> That's what the SMTP submission port (TCP 587) is intended for and
> it's why outbound 587 should not be blocked. In fact, blocking 587 can
> cause problems with folks who use the Sender Policy Framework to
> restrict the servers allowed to pass mail from a particular domain
> outward.

So the spammers move to 587 and problem solved.


More information about the NANOG mailing list