Outgoing SMTP Servers

Owen DeLong owen at delong.com
Tue Oct 25 21:56:17 UTC 2011


No no no no no. 

The problem with your theory below is that:

1. It is by far best for users to authenticate to send mail. 

2. Your "solution" works only for unencrypted unauthenticated users that ignore the certificate presented by the mail server. 

Put another way, your mechanism rewards those doing the wrong thing while punishing those of us sending our email via encrypted and authenticated mechanisms. 

That's a very bad thing. 

Owen


Sent from my iPhone

On Oct 25, 2011, at 15:03, Mike Jones <mike at mikejones.in> wrote:

> On 25 October 2011 20:52, Alex Harrowell <a.harrowell at gmail.com> wrote:
>> Ricky Beam <jfbeam at gmail.com> wrote:
>> 
>>> Works perfectly even in networks where a VPN doesn't and the idiot hotel
>>> intercepts port 25 (not blocks, redirects to *their* server.)
>>> 
>>> --Ricky
>> 
>> Why do they do that?
>> 
> 
> My home ISP run an open relay on port 25 with IP-based authentication,
> so I might configure my laptop's email client to send email via
> smtp.myisp.com port 25 (many/most? residential ISPs have
> unauthenticated relays, even ISPs that tell you to use authentication
> often have another server next to it that doesn't need authentication
> for customer IP space)
> 
> If the hotel simply blocks port 25 then my email is broken, if they
> allow it then my email is broken (as my ISP doesn't let the hotel
> relay through their mail servers), however if the hotel redirects 25
> to their own open relays then in theory my email should work fine.
> 
> They could always tell people "there is a relay at 10.0.0.25 so you
> can change your settings to use that", however by redirecting all port
> 25 traffic there they are effectively forcibly auto-configuring anyone
> who was already configured to send via an unauthenticated server on
> port 25. They are probably acting under the assumption that the only
> people using 25 are using it for unauthenticated access, I believe
> most servers that do use authentication tell users to use alternate
> ports so this is probably a reasonable assumption.
> 
> Compared to straight blocking of port 25 it's probably better as long
> as the relay it is redirecting you to works properly so you don't have
> to try and diagnose issues - However considering the quality of the
> average hotel network I suspect most of them that are trying to do
> this probably have it set to redirect to a dead server anyway.
> 
> - Mike
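
Added example, not part of the original thread: a submission client of the kind Owen describes (STARTTLS with certificate verification, then authentication), pointed at a constructed plain relay standing in for the target of a port 25 redirect. The host names, credentials and the names `submit`, `PlainRelay` and `demo` are assumptions made for illustration.

```python
import smtplib, socketserver, ssl, threading

class SubmissionRefused(Exception):
    """The server could not prove its identity, so nothing was sent."""

def submit(host, port, user, password, sender, rcpts, message):
    ctx = ssl.create_default_context()  # verifies chain and hostname
    with smtplib.SMTP(host, port, local_hostname="client.example",
                      timeout=5) as s:
        s.ehlo()
        if not s.has_extn("starttls"):
            raise SubmissionRefused("STARTTLS not offered")
        try:
            s.starttls(context=ctx)
        except ssl.SSLError as exc:  # includes SSLCertVerificationError
            raise SubmissionRefused(f"certificate rejected: {exc}")
        s.ehlo()
        s.login(user, password)  # reached only inside verified TLS
        s.sendmail(sender, rcpts, message)

class PlainRelay(socketserver.StreamRequestHandler):
    """Constructed stand-in for a redirect target: SMTP without STARTTLS."""
    seen = []  # every command line the client sent, upper-cased

    def handle(self):
        self.wfile.write(b"220 relay.hotel.example ESMTP\r\n")
        for line in self.rfile:
            PlainRelay.seen.append(line.strip().upper())
            if line[:4].upper() == b"EHLO":
                self.wfile.write(b"250-relay.hotel.example\r\n250 SIZE 1000000\r\n")
            elif line[:4].upper() == b"QUIT":
                self.wfile.write(b"221 bye\r\n")
                return
            else:
                self.wfile.write(b"250 ok\r\n")

def demo():
    """Point the strict client at the plain relay and report what happens."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), PlainRelay)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        submit("127.0.0.1", srv.server_address[1], "user", "constructed-pw",
               "a@example.org", ["b@example.org"], "Subject: t\r\n\r\nhi\r\n")
        return "sent"
    except SubmissionRefused as exc:
        return f"refused: {exc}"
    finally:
        srv.shutdown()
        srv.server_close()
```

Calling `demo()` shows the strict client stopping after EHLO: the relay never receives AUTH, MAIL or message data, so the user sees a send failure rather than a silent reroute.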



