On Mon, Feb 28, 2005 at 05:13:35PM -0500, [EMAIL PROTECTED] wrote:
> On Mon, 28 Feb 2005 16:54:23 EST, Nils Ketelsen said:
> > An interesting theory. What is the substantial difference? For
> > me the security implications of "allowing the user to bypass our
> > mailsystem on port 25" and "allowing the user to bypass our mailsystem on
> > port 587" are not as obvious as they maybe are to you.
>
> The big difference is that if they connect on outbound 25, they're basically
> unauthenticated at the other end. Port 587 "should be" authenticated, which
> means that the machine making the connection out is presumably a legitimate
> user of the destination mail server.

Okay, the main difference seems to be:

1. People here trust that mailservers on port 587 will have better
   configurations than mailservers on port 25 have today. I do not
   share this positive attitude.

2. Port 587 mailservers only make sense when other providers block
   port 25.

My point is: If my ISP blocks any outgoing port, he is no longer an ISP
I will buy service from. Therefore I do not need a 587 mailserver, as I
do not use any ISP with port 25 blocking for connecting my sites or
users.

> If you're managing a corporate network, then yes, the distinction isn't
> that obvious, as you're restricting your own users. If you're running an
> ISP, you're being paid to *connect* people to other places, and making it
> more difficult than necessary is.. well... a Randy Bush quote. ;)

I agree. Just as I said: If the ISP blocks (and I do not care which port
he blocks), then it's time to go and look for another ISP. If I buy
Internet I do not want a provider that decides for me which parts of it
I am allowed to use today and which I am not.

"Wehret den Anfaengen" is the German saying I currently cannot find a
good translation for.

Nils