Outgoing SMTP Servers

Brian Johnson bjohnson at drtel.com
Mon Oct 31 13:23:04 UTC 2011


Responses in-line...

>-----Original Message-----
>From: Bill Stewart [mailto:nonobvious at gmail.com]
>Sent: Friday, October 28, 2011 6:22 PM
>To: nanog at nanog.org
>Cc: Brian Johnson
>Subject: Re: Outgoing SMTP Servers


>I've got a strong preference for ISPs to run a
>Block-25-by-default/Enable-when-asked.  As a purist, I'd prefer to
>have Internet connections that are actually Internet connections, and
>if you want to run email on a Linux box at home or have an Arduino in
>your refrigerator email the grocery when you're out of milk, you
>should be able to, and if some meddling kid at an ISP wants to block
>it, they should get off your lawn.  In practice, of course, somewhere
>between 99.9% and 99.999% of all home MTAs aren't Linux boxes or Macs,
>they're zombie spambots on home PCs, or occasional driveby wifi
>spammers or other pests, and not only should outgoing mail be blocked,
>but the user should be notified and the connection should probably be
>put into some kind of quarantined access.

This is, of course, exactly why this blocking is done.

>But that's for Port 25 - the Port 25 blocking by ISPs has largely
>pushed Email Service Providers to use other protocols such as 587 for
>mail submission from an MUA to the MTA, or webmail instead, and it's
>really bad practice for ISPs to interfere with that.  In some cases
>they'll still be sending spam, but that's the MTA's job to filter out,
>and if they don't, they'll end up on a bunch of RBLs.  (And generally
>they'll be trying to keep their mail clean themselves - if the MTA
>providers were spammers, they wouldn't need to go to the trouble of
>having actual residential users as customers when they could
>mass-produce it cheaper directly.)

For clarity it's really bad for ISPs to block ports other than 25 for the purposes of mail flow control... correct?

I would not block submission ports, specifically 587. More specifically, the only port I will block would be 25. The RFC actually says to use the submission port  for the MUA to MTA anyways. RFC 5068 is definitive on this issue. Also read RFC 4409 and its predecessors.

My take on this is that it IS best practice to have users use the submission port (587) for mail submission from the MUA to an MTA.

Call me a liar! :) 

- Brian

More information about the NANOG mailing list