Blocking MX query

Suresh Ramasubramanian ops.lists at gmail.com
Tue Sep 4 21:14:54 CDT 2012


This is a bit of a slippery slope.  There is broad agreement that SPs
need to block port 25 outbound (and inbound) on dynamic IP space.

And he did say he's in a country where he's obliged by law to filter
out porn (and I guess anything else his country's government doesn't
like).

Where do blocking MX record lookups fit in between the porn blocking
and the port 25 filtering?  Rather closer to port 25 filtering I'd
say, but your call.

This is not a user privacy issue at all.  Static IP broadband is
entirely available if you should decide you want to run a mailserver
at your home.  And for people using outlook (or postfix) on their
desktop to relay through a smarthost, MX lookups don't matter one way
or the other.

--srs

On Wed, Sep 5, 2012 at 7:30 AM, Mark Andrews <marka at isc.org> wrote:
>
> Well he was looking for software to block the queries.  There is a
> whole mentality that homes don't need X which on closer examination
> just doesn't bear up to scrutiny.  This includes blocking SMTP or
> don't you think home users are entitled to have privacy when it
> comes to whom they email?
>
> STARTTLS from anywhere to anywhere is possible today and is not
> vulnerable to interception except in the MX's themselves.  You can
> secure the MX records (and their absence) and secure the CERTs used
> by STARTTLS.



-- 
Suresh Ramasubramanian (ops.lists at gmail.com)



More information about the NANOG mailing list