Outgoing SMTP Servers
leigh.porter at ukbroadband.com
Wed Oct 26 22:43:56 UTC 2011
On 26 Oct 2011, at 23:13, "Mark Andrews" <marka at isc.org> wrote:
> In message <op.v3y8xvo6tfhldh at rbeam.xactional.com>, "Ricky Beam" writes:
>> On Tue, 25 Oct 2011 15:52:46 -0400, Alex Harrowell <a.harrowell at gmail.com>
>>> Why do they do that?
>> You'd have to ask them. Or more accurately, you'd need to ask their
>> system integrator -- I've never seen an "in house" network run like that.
>> (and for the record, they were charging for that shitty network access.)
>> Bottom line: Blocking port 25 (smtp) is undesirable, but necessary for a
>> modern consumer internet. (Translation: It f'ing works.) This is the ISP
>> saying, "You aren't a mail *server*."
> MTA == Mail Transfer Agent. You don't have to be a *server* to be
> a MTA. Blocking SMTP also prevents your customers running encrypted
> mail sessions to prevent nosy ISP's and others looking at what they
> are sending. With DNSSEC now being deployed and DANE being
> standardised, running a SMTP session with STARTTLS is being a
This is what I used to do.
Any outgoing port 25 was sunk into a pool of SMTP proxies that I wrote. These proxies would look for signs of authentication and if they found them, the session would be proxied to the original destination SMTP server from the same IP address of the originating host.
Anything else was proxied to the pool of Ironports which would rate limit and otherwise SPAM examine the mail.
That way people using authenticated servers would be allowed through on the assumption that in all likelihood they were OK. Others who do not auth or are SPAM bots would be scrubbed and rate limited quite severely.
Our own customers were encouraged to use our outbound SMTP hosts which would either authenticate them if external or just allow them if internal, but with the SPAM scrubbing and less severe rate limiting enabled,
Customers who need a higher volume of outbound mail can call us and authenticate to the SMTP servers and we can set them a bespoke profile for rate limiting and message size etc etc.
That worked rather well because people's email got out and SPAM was largely stopped.
The Ironports were darn good boxes if a little pricey,
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email
More information about the NANOG