Outgoing SMTP Servers

Robert Drake rdrake at direcpath.com
Wed Oct 26 05:29:58 UTC 2011


On 10/25/2011 11:17 AM, Owen DeLong wrote:
> But that applies to port 25 also, so, I'm not understanding the difference.
>
>> Other people running open port 587s tends to be quite self-correcting.
>>
> At this point, so do open port 25s.

The differences is in intentions from the user.   All SMTP servers are 
supposed to accept incoming email to their domain on port 25, if they 
get a connection from a random IP they can check spf, dkim and dns 
blacklists but that's all they can do to see the reputation of the 
sender.  Blocking port 25 is an ISP based list of who is allowed to send 
SMTP.

Port 587 is supposed to only be used for MUA-MTA communications.  If 
mx.hello.com gets a 587 connection from anyone and they say "mail from: 
<anyone other than hello.com>" the server can drop that as wrong.

Yes it's nasty and dumb, but it works better than spf, DKIM and other 
technology right now.    Maybe spf could be extended into reverse zones 
and who they're permitted to send mail for (too many ISP's don't let 
even business users update reverse records), maybe spf or a protocol 
like it will become required in the future so you know who can be 
trusted when they connect, or reputation or greylisting will take off, 
except for having to store reputation about all IP's and all /64s so the 
database isn't easily maintained.  I think spf with dkim (with caveats 
worked out) would be the best solution but anything that requires a flag 
day with SMTP basically isn't gonna happen.

>
> Owen

Robert





More information about the NANOG mailing list