Re: Why do so few mail providers support Port 587?

2005-03-02 Thread JP Velders


 Date: Mon, 28 Feb 2005 16:54:23 -0500
 From: Nils Ketelsen [EMAIL PROTECTED]
 To: nanog@merit.edu
 Subject: Re: Why do so few mail providers support Port 587?

 [ ... ]
 I do not know about your E-Mail Policy, but normally it is either
 allowed to use an external mailserver or not. If it is allowed, I
 can as well allow Port 25 outgoing. If it is not I will block 25 and
 587.

Our corporate policy is that if you want to send mail with a
@ourdomain address, you have to use our mailserver. On that machine we
can rewrite usernames etc. But I have lots of users who also work at
other places - to give you a hint, many of my users are researchers
over here, but teachers at different places.

So it's *not* in my employers best interest to disallow them *any*
means of mailing with a @non-ourdomain address if that @non-ourdomain
site allows them to do so via some other means than port 25...

  Port 587 on the other hand is meant for submission by clients. The
  security implications of allowing my users to contact such a port are
  very very low. If someone won't secure his mailserver on port 587,
  that's something different, but substantially different than if it
  were insecure on port 25...

 An interesting theory. What is the substantial difference? For
 me the security implications of allowing the user to bypass our
 mailsystem on port 25 and allowing the user to bypass our mailsystem on
 port 587 are not as obvious as they maybe are to you.

Anything listening on port 587 - as has been said many times over in
this discussion - should not blindly relay. It should demand
authentication from the user and relay only when those are
satisfactory.

That was and is what port 587 is meant for. Port 25 has a much too
diverse role in the way mail delivery is handled. But you can
generally classify that it's used for inter-site communications and
intra-site submission. Port 587 is for submission, intra-site and
extra-site.

Just because you only allow port 80 inbound to the machines which are
supposed to be running webservers doesn't mean you only allow outbound
port 80 traffic to those same machines? You would allow outbound port
80 traffic to the whole world...

 Nils

Regards,
JP Velders


Re: Why do so few mail providers support Port 587?

2005-03-01 Thread Nils Ketelsen

On Mon, Feb 28, 2005 at 05:13:35PM -0500, [EMAIL PROTECTED] wrote:

 On Mon, 28 Feb 2005 16:54:23 EST, Nils Ketelsen said:
  An interesting theory. What is the substantial difference? For
  me the security implications of allowing the user to bypass our
  mailsystem on port 25 and allowing the user to bypass our mailsystem on
  port 587 are not as obvious as they maybe are to you.
 
 The big difference is that if they connect on outbound 25, they're basically
 unauthenticated at the other end.  Port 587 should be authenticated, which
 means that the machine making the connection out is presumably a legitimate
 user of the destination mail server.

Okay, the main difference seems to be:

1. People here trust, that mailservers on port 587 will have
better configurations than mailservers on port 25 have today. I
do not share this positive attitude.

2. Port 587 Mailservers only make sense, when other Providers block
port 25. My point is: If my ISP blocks any outgoing port, he is no longer
an ISP I will buy service from. Therefore I do not need a 587-Mailserver,
as I do not use any ISP with Port 25-Blocking for connecting my sites or
users.

 
 If you're managing a corporate network, then yes, the distinction isn't
 that obvious, as you're restricting your own users.  If you're running an
 ISP, you're being paid to *connect* people to other places, and making it
 more difficult than necessary is.. well... a Randy Bush quote. ;)

I agree. Just as I said: If the ISP blocks (and I do not care which port
he blocks), then it's time to go and look for another ISP. If I buy
Internet I do not want a provider that decides for me which parts of it I
am allowed to use today and which I am not.

Wehret den Anfaengen ("resist the beginnings") is the German saying I
currently cannot find a good translation for.

Nils


Re: Why do so few mail providers support Port 587?

2005-03-01 Thread Frank Louwers

On Tue, Mar 01, 2005 at 09:18:19AM -0500, Nils Ketelsen wrote:
 
 2. Port 587 Mailservers only make sense, when other Providers block
 port 25. My point is: If my ISP blocks any outgoing port, he is no longer
 an ISP I will buy service from. Therefore I do not need a 587-Mailserver,
 as I do not use any ISP with Port 25-Blocking for connecting my sites or
 users.

Here in Belgium, the two biggest end-user (broadband) ISPs block tcp/25.
Are you going to tell your users: sorry, you should have taken another
access ISP, take one of the very few ones left that don't block?


Kind Regards,
Frank Louwers

-- 
Openminds bvba          www.openminds.be
Tweebruggenstraat 16  -  9000 Gent  -  Belgium


Re: Why do so few mail providers support Port 587?

2005-03-01 Thread Nils Ketelsen

On Tue, Mar 01, 2005 at 03:25:39PM +0100, Frank Louwers wrote:

 On Tue, Mar 01, 2005 at 09:18:19AM -0500, Nils Ketelsen wrote:
  
  2. Port 587 Mailservers only make sense, when other Providers block
  port 25. My point is: If my ISP blocks any outgoing port, he is no longer
  an ISP I will buy service from. Therefore I do not need a 587-Mailserver,
  as I do not use any ISP with Port 25-Blocking for connecting my sites or
  users.
 
 Here in Belgium, the two biggest end-user (broadband) ISPs block tcp/25.
 Are you going to tell your users: sorry, you should have taken another
 access ISP, take one of the very few ones left that don't block?

I am in the lucky situation, where I decide, which providers my users get.

Nils


Re: Why do so few mail providers support Port 587?

2005-03-01 Thread Valdis . Kletnieks
On Tue, 01 Mar 2005 09:18:19 EST, Nils Ketelsen said:

 2. Port 587 Mailservers only make sense, when other Providers block
 port 25. My point is: If my ISP blocks any outgoing port, he is no longer
 an ISP I will buy service from.

That's not when you need a port 587 server...

  Therefore I do not need a 587-Mailserver,
 as I do not use any ISP with Port 25-Blocking for connecting my sites or
 users.

Port 587 is for when you take your laptop along to visit your grandparents,
and they have cablemodem from an ISP that blocks port 25.  Now which do you do:

1) Whine at your grandparents about their choice of ISP?
2) Not send the mail you needed to send?
3) Make a long-distance (possibly international-rates) call to your ISP's 
dialup pool?
4) Send it back to your own ISP's 587 server and be happy?

(Hint - there's probably a good-sized niche market in offering business-class
mailhosting for people stuck behind port-25 blocks - they submit via 
587/STARTTLS
and retrieve via POP/IMAP over SSL).





Re: Why do so few mail providers support Port 587?

2005-03-01 Thread Jason Frisvold

On Tue, 1 Mar 2005 09:18:19 -0500, Nils Ketelsen
[EMAIL PROTECTED] wrote:
 Okay, the main difference seems to be:
 
 1. People here trust, that mailservers on port 587 will have
 better configurations than mailservers on port 25 have today. I
 do not share this positive attitude.

I think you're right here..  There are a number of us who will
endeavor to do it the right way, and then there are others who will
either not have the technical know-how, or just plain don't care..

 2. Port 587 Mailservers only make sense, when other Providers block
 port 25. My point is: If my ISP blocks any outgoing port, he is no longer
 an ISP I will buy service from. Therefore I do not need a 587-Mailserver,
 as I do not use any ISP with Port 25-Blocking for connecting my sites or
 users.

For a commercial service, I agree.  Commercial users are deemed more
intelligent and should have the capability to set up services in a
more secure manner.

Residential users, however, are the general problem.  Your average Joe
User has no idea how email works other than merely clicking the send
button and having the email appear magically at the other end.  Most
users don't have spyware or virus checkers either.  All of this leads
to a large group of general users who can be exploited and abused
at-will.

As an ISP, I find it necessary to block certain ports.  I block port
25 outbound from my residential customers to prevent direct-to-mx
spamming.  Currently they can only use port 25 on my mailserver, but
that will eventually change to only port 587 and port 25 will be
completely blocked.  I also block netbios and other similar services
which were never intended as WAN protocols in the first place.  And I
haven't had a single complaint from any of my residential customers. 
I'm fairly confident that they're mostly unaware of these blocks even
though they were announced in advance..

 I agree. Just as I said: If the ISP blocks (and I do not care which port
 he blocks), then it's time to go and look for another ISP. If I buy
 Internet I do not want a provider that decides for me which parts of it I
 am allowed to use today and which I am not.

You would be one of the smarter Joe Users who can handle the
day-to-day nasties on the internet.  Unfortunately, you're the
minority...  I wouldn't mind having an alternate service, with no
change in pricing, that would allow users like you to have the freedom
they want.  In fact, if I had any demand for it at all, I'd set
something up in a heartbeat.

 Wehret den Anfaengen ("resist the beginnings") is the German saying I
 currently cannot find a good translation for.
 
 Nils
 


-- 
Jason 'XenoPhage' Frisvold
[EMAIL PROTECTED]


Re: Why do so few mail providers support Port 587?

2005-03-01 Thread Valdis . Kletnieks
On Tue, 01 Mar 2005 09:36:35 EST, Nils Ketelsen said:

 I am in the lucky situation, where I decide, which providers my users get.

Even when they're travelling? That's quite the Big-Brother operation you have ;)




Re: Why do so few mail providers support Port 587?

2005-03-01 Thread David Lesher

Speaking on Deep Background, the Press Secretary whispered:
 
 
 Okay, the main difference seems to be:
 
 1. People here trust, that mailservers on port 587 will have
 better configurations than mailservers on port 25 have today. I
 do not share this positive attitude.

Well, is authenticated SMTP 587 going to be worse than open port 25?
I doubt it, but... In fact, I think most folks will do way
better. Call that blind faith in the inhabitants of Middle Earth
^H^H^H NANOG


 2. Port 587 Mailservers only make sense, when other Providers block
 port 25. My point is: If my ISP blocks any outgoing port, he is no longer
 an ISP I will buy service from. Therefore I do not need a 587-Mailserver,
 as I do not use any ISP with Port 25-Blocking for connecting my sites or
 users.

So you will choose hotels, conferences, etc, by whether or not they
block 25? 

And coming soon.. airlines! 

That's right: aisle seat, low-sodium meal 
 and NO port 25 blocking...

I do well to find out if the above has access at all, esp. if dealing
through a reseller [hotels.com, etc].



-- 
A host is a host from coast to coast            [EMAIL PROTECTED]
 & no one will talk to a host that's close      [v].(301) 56-LINUX
Unless the host (that isn't close)              pob 1433
 is busy, hung or dead                          20915-1433




Re: Why do so few mail providers support Port 587?

2005-03-01 Thread Michael G

On Tue, 1 Mar 2005 [EMAIL PROTECTED] wrote:

 On Tue, 01 Mar 2005 09:18:19 EST, Nils Ketelsen said:
 
  2. Port 587 Mailservers only make sense, when other Providers block
  port 25. My point is: If my ISP blocks any outgoing port, he is no longer
  an ISP I will buy service from.
 
 That's not when you need a port 587 server...
 
   Therefore I do not need a 587-Mailserver,
  as I do not use any ISP with Port 25-Blocking for connecting my sites or
  users.
 
 Port 587 is for when you take your laptop along to visit your grandparents,
 and they have cablemodem from an ISP that blocks port 25.  Now which do you 
 do:
 
 1) Whine at your grandparents about their choice of ISP?
 2) Not send the mail you needed to send?
 3) Make a long-distance (possibly international-rates) call to your ISP's 
 dialup pool?
 4) Send it back to your own ISP's 587 server and be happy?

E) Log into the webmail service my ISP provides.

Opening another port can too easily turn into a whack-a-mole game between 
you, the spammers and ISPs.

There are myriad ways to allow roaming/emergency E-mail activities.  Let's 
not get pigeon-holed here.

Finally, after a week or so of reading this thread, I'm inclined to 
believe it's officially a holy war.  Nobody's changing anybody's minds 
here it seems.  It's two stationary camps arguing.   Can it stop now?

--Gar

 
 (Hint - there's probably a good-sized niche market in offering business-class
 mailhosting for people stuck behind port-25 blocks - they submit via 
 587/STARTTLS
 and retrieve via POP/IMAP over SSL).
 
 



Re: Why do so few mail providers support Port 587?

2005-03-01 Thread Chris Horry


Nils Ketelsen wrote:
 On Mon, Feb 28, 2005 at 05:13:35PM -0500, [EMAIL PROTECTED] wrote:
 
 
On Mon, 28 Feb 2005 16:54:23 EST, Nils Ketelsen said:

An interesting theory. What is the substantial difference? For
me the security implications of allowing the user to bypass our
mailsystem on port 25 and allowing the user to bypass our mailsystem on
port 587 are not as obvious as they maybe are to you.

The big difference is that if they connect on outbound 25, they're basically
unauthenticated at the other end.  Port 587 should be authenticated, which
means that the machine making the connection out is presumably a legitimate
user of the destination mail server.
 
 
 Okay, the main difference seems to be:
 
 1. People here trust, that mailservers on port 587 will have
 better configurations than mailservers on port 25 have today. I
 do not share this positive attitude.

I truly hope this isn't the case, I don't trust any mail server that I
didn't personally configure.

 2. Port 587 Mailservers only make sense, when other Providers block
 port 25. My point is: If my ISP blocks any outgoing port, he is no longer
 an ISP I will buy service from. Therefore I do not need a 587-Mailserver,
 as I do not use any ISP with Port 25-Blocking for connecting my sites or
 users.

Yes, right up until a) ISPs wise up and start blocking port 587, and
then 465 for good measure.  or b) malware authors wise up.  B will
happen sooner.

Chris

-- 
Chris Horry KG4TSM        You're original, with your own path
[EMAIL PROTECTED]         You're original, got your own way
PGP: DSA/2B4C654E         -- Leftfield


Re: Why do so few mail providers support Port 587?

2005-03-01 Thread Stephen Fulton
Chris Horry wrote:
Yes, right up until a) ISPs wise up and start blocking port 587, and
then 465 for good measure.  or b) malware authors wise up.  B will
happen sooner.
I completely agree, which is why if alternative SMTP injection ports are 
being used, some measure of authentication be used to authorize (or, in 
case of abuse, block) access.  It isn't the magic bullet, and won't work 
forever, but in regards to the mail systems I maintain, it will do for now.

-- Stephen Fulton.


Re: Why do so few mail providers support Port 587?

2005-03-01 Thread David Lesher

Speaking on Deep Background, the Press Secretary whispered:
 
 
 Yes, right up until a) ISPs wise up and start blocking port 587, and
 then 465 for good measure.  or b) malware authors wise up.  B will
 happen sooner.
 
 Chris


Well, I'm no player in this league and ask...

Why will ISP's wise up and block 587?

If 587 is always auth'ed; then there will be no spam splashback
provoking calls to block it. (Individual customers may get
zombied; but that's easy to track and treat...)

If a provider runs an open 587 port, and thus gets used as spam
source; they will soon meet Mr. Linford and/or Mr. SPEWS.

In either case, why will the clued ISP's want to block 587?








Re: Why do so few mail providers support Port 587?

2005-03-01 Thread Jim Popovitch

On Tue, 2005-03-01 at 15:55 -0500, David Lesher wrote:

 In either case, why will the clued ISP's want to block 587?

It's not the clueful ISPs that you need worry about.

-Jim P.





Re: Why do so few mail providers support Port 587?

2005-03-01 Thread J.D. Falk

On 03/01/05, David Lesher [EMAIL PROTECTED] wrote: 

 Well, I'm no player in this league and ask...
 
   Why will ISP's wise up and block 587?
 
 If 587 is always auth'ed; then there will be no spam splashback
 provoking calls to block it. (Individual customers may get
 zombied; but that's easy to track and treat...)
 
 If a provider runs an open 587 port, and thus gets used as spam
 source; they will soon meet Mr. Linford and/or Mr. SPEWS.
 
 In either case, why will the clued ISP's want to block 587?

I think the anti-587 logic here seems to be that we (we being 
the Internet community at large) shouldn't encourage anyone to 
ever act more responsibly than the worst operator because that
worst operator will continue to be irresponsible.

(I am only translating, not agreeing.)

In any case, nobody has expressed any new ideas around this
topic for about a week, so I'd suggest we let it drop before 
somebody mis-represents Godwin's Law.

-- 
J.D. Falk                   uncertainty is only a virtue
[EMAIL PROTECTED]           when you don't know the answer yet


Re: Why do so few mail providers support Port 587?

2005-03-01 Thread JC Dill
J.D. Falk wrote:
On 03/01/05, David Lesher [EMAIL PROTECTED] wrote: 
 

Well, I'm no player in this league and ask...
Why will ISP's wise up and block 587?
If 587 is always auth'ed; then there will be no spam splashback
provoking calls to block it. (Individual customers may get
zombied; but that's easy to track and treat...)

Exactly.
If a provider runs an open 587 port, and thus gets used as spam
source; they will soon meet Mr. Linford and/or Mr. SPEWS.

Ditto.
In either case, why will the clued ISP's want to block 587?

It makes no sense for clued ISPs to block 587.  That 587 should be 
provisioned for unauthorized connections, or that clued ISPs should 
block 587 are both suggestions that make no sense.

	I think the anti-587 logic here seems to be that we (we being 
	the Internet community at large) shouldn't encourage anyone to 
	ever act more responsibly than the worst operator because that
	worst operator will continue to be irresponsible.

	(I am only translating, not agreeing.)
 

I'm not sure that I agree with this translation.  I don't see *any* 
logic, just FUD as an excuse for failing to become educated about which 
problems 587 can help solve, the reduced problems that will exist when 
587 is properly implemented by most networks, learning how easy it is to 
properly implement 587, educating your users about the benefits of using 
587, etc.  We saw all these same types of arguments (arguments due to 
implementation ignorance and fear of the support costs)10 years ago when 
we were trying to get networks to close open relays.

	In any case, nobody has expressed any new ideas around this
	topic for about a week, so I'd suggest we let it drop before 
	somebody mis-represents Godwin's Law.
 

Or take this topic to spam-l - where I feel it belonged in the first place.
jc


Is there anything more to say on this subject? (was RE: Why do so few mail providers support Port 587?)

2005-03-01 Thread Steve Gibbard

I've seen this thread go on for quite a while, and have been getting lots
of when are you going to shut that thread down? types of queries.
While not particularly off-topic, a lot of the responses do look pretty
repetitive.  Therefore, I'd like to suggest that, unless you have
something to say on this topic that hasn't already been said by somebody
else, somewhere in this thread, and that's so important that the thousands
of people on the NANOG list will want to see it, this thread should be
brought to an end.

This isn't a threat of censorship.  It's a request for self control.

-Steve
Speaking for myself; not for the
rest of the list administrators

On Mon, 28 Feb 2005 [EMAIL PROTECTED] wrote:


  It's time to take this thread to SPAM-L or
  some other spam oriented list.

 I strongly disagree. This thread has not been
 about spam. For the most part it has dealt with
 technical operational issues of email services
 and therefore it is right on track for this list.

 --Michael Dillon



Steve Gibbard   [EMAIL PROTECTED]
+1 415 717-7842 (cell)  http://www.gibbard.org/~scg
+1 510 528-1035 (home)


Re: Why do so few mail providers support Port 587?

2005-02-28 Thread Michael . Dillon

   Internal users:  With AUTH - correlate message with authenticated user,
   then forbid mail transmission for them only.  I'd rather do that than
   slog through RADIUS logs.  But, hey, maybe if I had more free time...
 
 Increasing the detail of an audit trail doesn't mean anyone will 
 automatically use the information in an effective manner.

This is why we need an Internet Mail Services Association
in which email operators set standards and agree on how
to operate the Internet email transport system. This group
would have the goal of providing a high quality email
service to all users. If that quality standard includes
maintaining and using an audit trail, then the association
members will do so.

You cannot solve email operational problems by purely
technical means.

--Michael Dillon



RE: Why do so few mail providers support Port 587?

2005-02-28 Thread Michael . Dillon

 It's time to take this thread to SPAM-L or
 some other spam oriented list. 

I strongly disagree. This thread has not been
about spam. For the most part it has dealt with
technical operational issues of email services
and therefore it is right on track for this list.

--Michael Dillon



Re: Why do so few mail providers support Port 587?

2005-02-28 Thread Steven M. Bellovin

In message [EMAIL PROTECTED], Sean Donelan writes:

Requiring end-user computers to use authenticated Port 587 and blocking
end-user computers access to port 25 has several advantages:

   2. Lets the authenticated mail server conduct additional
anti-virus checks on outgoing mail even if the end-user's computer was
compromised or out-of-date virus definitions.
   3. Separates authenticated mail submission (port 587) from other
mail protocols (25, 110, 143, etc) simplifying network controls (no
deep-packet inspection) for end-user computers.  Eliminates some of the
existing problems with trying to do transparent proxying of port 25 from
end-user computers.

What these two boil down to is a much simpler mail system architecture, 
which in turn translates to a more secure mail system and an 
easier-to-administer one.

Consider the control flow if you're trying to use port 25 for 
everything:

Send a 220

If you see an EHLO, advertise that you support STARTTLS

If you receive a STARTTLS and another EHLO, advertise that
you support AUTH -- you don't want to do authentication
over insecure connections, especially if your goal is to
support roaming wireless users.

Accept inbound email.  Check if the user was authenticated.
If so, permit relaying; also do rate checks.  If not, don't
permit relaying, but do run anti-spam software.

Do virus checks.  If authenticated, notify the sender that
either their machine is infested with *something* or their
credentials have been stolen.  If unauthenticated, discard;
it's probably a joe job.

The point is that authenticated status has to be retained and checked
frequently.

If you're using 587, the subscriber flow is like this:

Send a 220

Don't accept anything until you see STARTTLS

Don't do anything until you see an AUTH

Accept inbound mail, do rate checks and virus checks, and
bounce accordingly

For port 25:

Send a 220

Optionally permit (but don't require) STARTTLS

Accept inbound mail.  Do virus and spam checks, and drop
as needed.  Don't permit relaying

Both are simpler; neither requires retained global state.
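The two flows above, and JP Velders' point earlier in the thread that anything listening on 587 should demand authentication before it relays, are easy to state but worth seeing as actual reply logic. The following is an added illustration, not code from the thread or from any MTA: it models the server side of a port 587 session that refuses MAIL until STARTTLS and AUTH have happened, next to a port 25 session that never offers AUTH and never relays. The host name, the local domain, the single account and the scripted client are assumptions, and socket handling is left out so the policy can be exercised offline.

```python
"""Model of the two control flows sketched above: a port 587 submission
service that accepts nothing before STARTTLS and AUTH, and a port 25 MTA
that never relays.  Added illustration, not code from the thread; the
host name, the local domain and the single test account are assumptions.
Network I/O is left out so the policy can be exercised offline."""

import base64
import hmac

LOCAL_DOMAINS = {"example.org"}                     # assumed: domains we deliver for
USERS = {"alice": "correct horse battery staple"}  # assumed: one submission account


class SmtpPolicy:
    """Reply logic for one SMTP session.

    role="submission" (port 587): MAIL is refused until the client has done
    STARTTLS and AUTH; after that any recipient is accepted (relaying).
    role="mta" (port 25): STARTTLS optional, AUTH not offered, RCPT only
    for local domains.  Just enough verbs to show the policy difference.
    """

    def __init__(self, role):
        if role not in ("submission", "mta"):
            raise ValueError(role)
        self.role = role
        self.tls = False
        self.user = None
        self.sender = None

    def _ehlo(self):
        lines = ["250-mail.example.org"]
        if not self.tls:
            lines.append("250-STARTTLS")
        elif self.role == "submission":
            lines.append("250-AUTH PLAIN")      # only advertised inside TLS
        lines.append("250 8BITMIME")
        return "\r\n".join(lines)

    def _auth_plain(self, blob):
        try:
            _authzid, user, password = base64.b64decode(blob).decode().split("\0")
        except ValueError:
            return "501 malformed AUTH PLAIN"
        expected = USERS.get(user, "")
        if expected and hmac.compare_digest(expected.encode(), password.encode()):
            self.user = user
            return "235 authentication successful"
        return "535 authentication failed"

    def handle(self, line):
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            return self._ehlo()
        if verb == "STARTTLS":
            if self.tls:
                return "503 TLS already active"
            self.tls = True                      # real server: wrap the socket here
            return "220 ready to start TLS"
        if verb == "AUTH":
            if self.role != "submission":
                return "502 command not implemented"
            if not self.tls:
                return "538 encryption required for requested authentication mechanism"
            mech, _, blob = arg.partition(" ")
            if mech.upper() != "PLAIN":
                return "504 unrecognized authentication type"
            return self._auth_plain(blob)
        if verb == "MAIL":
            if self.role == "submission" and not (self.tls and self.user):
                return "530 must issue STARTTLS and AUTH first"
            self.sender = arg
            return "250 sender ok"
        if verb == "RCPT":
            if self.sender is None:
                return "503 need MAIL first"
            domain = arg.rsplit("@", 1)[-1].rstrip(">").lower()
            if self.role == "mta" and domain not in LOCAL_DOMAINS:
                return "554 relay access denied"
            return "250 recipient ok"
        return "500 command unrecognized"


def plain_blob(user, password, authzid=""):
    """Encode an AUTH PLAIN initial response (authzid NUL authcid NUL passwd)."""
    return base64.b64encode(f"{authzid}\0{user}\0{password}".encode()).decode()


def run_session(role, commands):
    """Drive a fresh session with a scripted client; return the reply codes."""
    server = SmtpPolicy(role)
    return [int(server.handle(cmd)[:3]) for cmd in commands]


SUBMISSION_OK = [                                   # constructed client script
    "EHLO laptop.example.net",
    "STARTTLS",
    "EHLO laptop.example.net",
    "AUTH PLAIN " + plain_blob("alice", USERS["alice"]),
    "MAIL FROM:<alice@example.org>",
    "RCPT TO:<friend@elsewhere.example>",           # relaying, allowed once authenticated
]

if __name__ == "__main__":
    mta_script = ["EHLO x", "MAIL FROM:<a@b.example>", "RCPT TO:<c@elsewhere.example>"]
    for port, role, script in ((587, "submission", SUBMISSION_OK), (25, "mta", mta_script)):
        server = SmtpPolicy(role)
        print(f"--- port {port}")
        for cmd in script:
            print("C:", cmd)
            print("S:", server.handle(cmd).replace("\r\n", "\r\nS: "))
```

The point the two roles make concrete is the one in the text: on 587 the only state the server needs is "TLS up, user authenticated", both set once and checked at MAIL; on 25 there is no per-session authentication state at all, only the local-domain check at RCPT.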


Re: Why do so few mail providers support Port 587?

2005-02-28 Thread Nils Ketelsen

On Sat, Feb 26, 2005 at 03:10:42PM +0100, JP Velders wrote:


 From a security stance (well - partly ;D) I always like to emphasize
 that in The Real World port 25 is for traffic between MTA's *and*
 submission of mails to the local MTA. So to reduce the chance of one
 of my users abusing an Open Relay and to enforce corporate e-mail
 policies, only port 25 towards our mailserver is open.

I do not know about your E-Mail Policy, but normally it is either allowed
to use an external mailserver or not. If it is allowed, I can as
well allow Port 25 outgoing. If it is not I will block 25 and 587.



 Port 587 on the other hand is meant for submission by clients. The
 security implications of allowing my users to contact such a port are
 very very low. If someone won't secure his mailserver on port 587,
 that's something different, but substantially different than if it
 were insecure on port 25...

An interesting theory. What is the substantial difference? For
me the security implications of allowing the user to bypass our
mailsystem on port 25 and allowing the user to bypass our mailsystem on
port 587 are not as obvious as they maybe are to you.


Nils


Re: Why do so few mail providers support Port 587?

2005-02-28 Thread Valdis . Kletnieks
On Mon, 28 Feb 2005 16:54:23 EST, Nils Ketelsen said:

 An interesting theory. What is the substantial difference? For
 me the security implications of allowing the user to bypass our
 mailsystem on port 25 and allowing the user to bypass our mailsystem on
 port 587 are not as obvious as they maybe are to you.

The big difference is that if they connect on outbound 25, they're basically
unauthenticated at the other end.  Port 587 should be authenticated, which
means that the machine making the connection out is presumably a legitimate
user of the destination mail server.

If you're managing a corporate network, then yes, the distinction isn't
that obvious, as you're restricting your own users.  If you're running an
ISP, you're being paid to *connect* people to other places, and making it
more difficult than necessary is.. well... a Randy Bush quote. ;)





RE: Why do so few mail providers support Port 587?

2005-02-26 Thread Hannigan, Martin



Hi Folks,

It's time to take this thread to SPAM-L or
some other spam oriented list. 

Thanks in advance,

-M



--
Martin Hannigan                 (c) 617-388-2663
VeriSign, Inc.                  (w) 703-948-7018
Network Engineer IV             Operations & Infrastructure
[EMAIL PROTECTED]



 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
 just me
 Sent: Friday, February 25, 2005 5:26 PM
 To: Frank Louwers
 Cc: nanog@merit.edu
 Subject: Re: Why do so few mail providers support Port 587?
 
 
 
 On Fri, 25 Feb 2005, Frank Louwers wrote:
 
   The trick is to config port 587 in such a way that it ONLY accepts
   smtp-auth mail, not regular smtp.
   
   That way, virii/spam junk won't be able to use that port.
 
 What are you, stupid? The spammers have drone armies of machines 
 with completely compromised operating systems. What makes you think 
 that their mail credentials will be hard to obtain?  
 
 matt ghali
 
  [EMAIL PROTECTED]          darwin
   The only thing necessary for the triumph
   of evil is for good men to do nothing. - Edmund Burke
 


Re: Why do so few mail providers support Port 587?

2005-02-26 Thread Joe Provo

[Note reply-to]

On Fri, Feb 25, 2005 at 02:45:40PM -0500, [EMAIL PROTECTED] wrote:
 [EMAIL PROTECTED] wrote:
  On Fri, 25 Feb 2005 12:56:50 EST, [EMAIL PROTECTED] said:
  
  Sorry, I misread that.  But I still fail to see how 587 changes that.
[snip]
 Yes.  Authenticated SMTP makes tracking down which of your users is
 doing the spamming easier.  But you're assuming that SMTP AUTH isn't
 being used on port 25 already.  You can do SMTP AUTH just as easily on
[snip]

You do not authenticate every transaction on 25, else you wouldn't 
be getting any smtp from the real world.  The point is that you 
can trivially sort must be authenticated vs is unknown as 
opposed to inspecting messages on dunno if might be anything 
port. Reducing the problem space is always a Good Thing.

The real funny thing is that I started to write back to the 
earlier incarnation of this thread. Pasted below because it still 
applies.  I'd rephrase Sean's question as 'why do so few SMALL 
mail providers [...]'.  Bluntly, if AOL/etc can do it with their 
customer base then the 'bad' laziness is the only reason not to
do so, or to argue against those who wish to do so.

On Tue, Feb 15, 2005 at 09:00:11PM -0500, Sean Donelan wrote:
[snip]

Sean's rhetorical subject line was answered quite adequately 
by the rampant ignorance in the knee-jerk responses of those 
who have obviously not read the RFC in its many years of 
availability, thought about the consequences, nor been down 
the road of implementation.

Rather than armchair nattering, come to the discussion prepared
or sit on the sidelines and observe.  If you haven't done your
homework, you are Not Tall Enough To Ride This Ride and go to
the queue for the spinning teacups.

The beauty of what we've all been building for all these years
is it is all documented; given a brain and desire you can go
from clueless to clueful purely through self-educating. If you
are expecting to be spoon-fed then please return to the flow
charts and MOPs of vendor certifications.

Questions regarding the spec, document, implementations thereof
are useful and have popped up, but in general there's a really
sad trend of uninformed chattering.

-- 
 RSUC / GweepNet / Spunk / FnB / Usenix / SAGE


Re: Why do so few mail providers support Port 587?

2005-02-26 Thread JP Velders


 Date: Thu, 24 Feb 2005 16:08:42 -0500
 From: Nils Ketelsen [EMAIL PROTECTED]
 To: nanog@merit.edu
 Subject: Re: Why do so few mail providers support Port 587?

 On Tue, Feb 15, 2005 at 09:00:11PM -0500, Sean Donelan wrote:
 [ ... ]
  What can be done to encourage universities and other mail providers
  with large roaming user populations to support RFC2476/Port 587?

 Give a good reason. That is still the missing part.

From a security stance (well - partly ;D) I always like to emphasize
that in The Real World port 25 is for traffic between MTA's *and*
submission of mails to the local MTA. So to reduce the chance of one
of my users abusing an Open Relay and to enforce corporate e-mail
policies, only port 25 towards our mailserver is open.

Port 587 on the other hand is meant for submission by clients. The
security implications of allowing my users to contact such a port are
very very low. If someone won't secure his mailserver on port 587,
that's something different, but substantially different than if it
were insecure on port 25...

Now if you turn that around, you see why we opted to support SMTP Auth
on port 587 and have left our legacy mailhub running on port 25 ;)

I have users roaming around the world - on company business. And my
users also entertain the same kind of roaming users. Now, if I want to
have my users be able to connect to my mailserver on port 587 from
anywhere in the world, I should also allow guests over here to do the
same to their mailserver on port 587. It works both ways after all ;)

 Nils

Kind regards,
JP Velders


Re: Why do so few mail providers support Port 587?

2005-02-26 Thread Robert L Mathews
Paul Vixie wrote:
well, in sbc-dsl-land, port 25 and port 587 are blocked, but port 26 gets
through.  it seems bizarre that port 587 would ever be blocked
I suspect that was some kind of temporary aberration. SBC started 
blocking port 25 in the last two months, and during that time I've 
helped at least a dozen of our customers using SBC DSL switch their mail 
program settings from port 25 to port 587, with no trouble -- it worked 
in every case.

I bet it works if you try it again now (as you say, blocking port 587 
makes no sense).

--
Robert L Mathews


Re: Why do so few mail providers support Port 587?

2005-02-26 Thread Jim Popovitch

 (as you say, blocking port 587 makes no sense).

Let me get this straight... it makes no sense to block a port that will
allow unlimited relaying of all sorts of malware by only verifying an
easily purchased or stolen username and password? 

If someone uses a big-ISP network to forward business-impacting malware
through your small-biz email server, using questionably gained 587
credentials, who is going to get sued?  Is it safe enough for the
big-ISP to say we just route whatever our customer du jour sends?

I am against port blocking as much as the next guy, I just see port 587
as a disaster waiting to happen.  ISP provided email credentials are
universally transmitted in plain text.  If an (insert any ISP here)
employee can be arrested for selling email addresses to spammers, what
keeps them from collecting and selling 587 credentials?

I understand that ISPs are trying to find a roaming solution for your
customers.  I just want you to find one that is *better* than simple
port-587-auth-before-open-relay.  For starters I would recommend that
587 access NOT be enabled by default for all users.  Let it be by
special request, and even then with some teeth involved.

-Jim P.

 




Re: Why do so few mail providers support Port 587?

2005-02-26 Thread Mikael Abrahamsson

On Sat, 26 Feb 2005, Jim Popovitch wrote:

 I am against port blocking as much as the next guy, I just see port 587
 as a disaster waiting to happen.  ISP provided email credentials are
 universally transmitted in plain text.  If an (insert any ISP here)
 employee can be arrested for selling email addresses to spammers, what
 keeps them from collecting and selling 587 credentials?

If you limit port 587 sending to let's say 1000 email per day you probably 
cover 99.9% of all normal users, and you're very likely to catch the 
spammers abusing an account.

-- 
Mikael Abrahamsson    email: [EMAIL PROTECTED]

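As an added illustration of the per-account daily cap suggested above (example code written for this page, not anything posted in the thread), the following Python replays a constructed submission log through a quota that counts recipients per authenticated user per UTC day and refuses further submissions once the cap is hit. The log line format, the user names and the 1000 figure are assumptions; a real deployment would feed this from the MTA's policy hook rather than from a log.

```python
from collections import defaultdict
from datetime import datetime, timezone

DAILY_LIMIT = 1000   # per-account ceiling from the thread; an assumed, site-tunable value


class SubmissionQuota:
    """Counts recipients accepted per authenticated user per UTC day and refuses
    further submissions once the day's limit would be exceeded.  Counting
    recipients rather than messages closes the obvious dodge of sending one
    message with hundreds of RCPT TOs."""

    def __init__(self, limit=DAILY_LIMIT):
        self.limit = limit
        self._used = defaultdict(int)      # (user, YYYY-MM-DD) -> recipients accepted that day

    def allow(self, user, when, rcpt_count):
        day = when.astimezone(timezone.utc).date().isoformat()
        key = (user, day)
        if self._used[key] + rcpt_count > self.limit:
            return False                   # over quota: the MTA should reject the submission
        self._used[key] += rcpt_count
        return True

    def used(self, user, day):
        return self._used[(user, day)]


def parse_submission(line):
    """Parse one constructed log line: '<ISO-8601 UTC time> <auth user> <rcpt count>'."""
    stamp, user, rcpts = line.split()
    return datetime.fromisoformat(stamp.replace("Z", "+00:00")), user, int(rcpts)


def replay(lines, limit=DAILY_LIMIT):
    """Run the quota over a log; returns ({user: submissions refused}, quota)."""
    quota = SubmissionQuota(limit)
    refused = defaultdict(int)
    for line in lines:
        if not line.strip():
            continue
        when, user, rcpts = parse_submission(line)
        if not quota.allow(user, when, rcpts):
            refused[user] += 1
    return dict(refused), quota


# Constructed sample: two ordinary users and one account ("mallory") whose
# credentials have been stolen and is pumping out 30-recipient messages.
SAMPLE_LOG = [
    "2005-02-26T08:01:12Z alice 1",
    "2005-02-26T08:05:40Z bob 3",
    "2005-02-26T09:14:00Z alice 2",
] + [f"2005-02-26T10:{i:02d}:00Z mallory 30" for i in range(40)] + [
    "2005-02-27T08:00:00Z mallory 1",   # next day: the counter has rolled over
]

if __name__ == "__main__":
    refused, quota = replay(SAMPLE_LOG)
    print("refused submissions per user:", refused)
    print("mallory recipients accepted on 2005-02-26:", quota.used("mallory", "2005-02-26"))
```

The ordinary users never come near the cap, while the abused account is cut off after 33 messages (990 recipients) and the remaining 7 are refused; the account then needs a human look rather than a silent reset the next morning.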


Re: Why do so few mail providers support Port 587?

2005-02-26 Thread Edward B. Dreger

jm Date: Fri, 25 Feb 2005 15:13:04 -0800 (PST)
jm From: just me

jm   Internal users:  With AUTH - correlate message with authenticated user,
jm   then forbid mail transmission for them only.  I'd rather do that than
jm   slog through RADIUS logs.  But, hey, maybe if I had more free time...

jm Increasing the detail of an audit trail doesn't mean anyone will
jm automatically use the information in an effective manner.

Fingerprints and DNA analysis are equally useless, I suppose.


jm Without auth, most ISPs could correlate abuse behavior between MTA
jm logs and RADIUS logs, if they cared. Most don't. SMTP AUTH won't
jm change that.

I guess it's probably fallacious to argue from the viewpoint of ISPs
caring.  Please pardon my Freudian slip.


Eddy
--
Everquick Internet - http://www.everquick.net/
A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita

DO NOT send mail to the following addresses:
[EMAIL PROTECTED] -*- [EMAIL PROTECTED] -*- [EMAIL PROTECTED]
Sending mail to spambait addresses is a great way to get blocked.
Ditto for broken OOO autoresponders and foolish AV software backscatter.



RE: Why do so few mail providers support Port 587?

2005-02-26 Thread Edward B. Dreger

SD Date: Sat, 26 Feb 2005 00:24:16 -0500 (EST)
SD From: Sean Donelan

SD Sigh, if even the network professionals have difficulty understanding
SD how things work, what hope is there for the rest of the users.

Funny you should say that.  I frequently comment that the average
service provider of today is less competent and more apathetic than
the average end user of a decade ago.

I'd absolutely _love_ to be proven wrong.


Eddy



Re: Why do so few mail providers support Port 587?

2005-02-25 Thread Adrian Chadd


[reposting this to nanog, as my answer might be reasonably ontopic]

On Fri, Feb 25, 2005, Brad Knowles wrote:
 At 8:05 AM + 2005-02-25, Adrian Chadd wrote:
 
 Because your MUA doesn't support SSL on what it considers to be
  non-standard ports?  Because your ISP won't let you set up an ssh
  tunnel instead?  Because there would be no other way to keep your
  mail connection secure, if SSL and ssh are denied to you?
 
  Which MUA, that you/your users are using, won't let you run SSL on port 
  587?
 
   Apparently, many Microsoft MUAs don't support that kind of thing.

That's strange. I'm sure I've had Outlook 200x speak SSL on 587.
I've only ever had issues with Outlook parsing unsigned SSL certificates -
it'll complain, then randomly crash.

   Other MUAs don't support SSL at all, and therefore if you want to 
 secure their communications, they either have to be tunneled over 
 ssh, or you have to use a VPN.

Well, that's a bit silly then. There's SSL wrappers to use to fake
SSL but you shouldn't have to.

Rightio. It may be the case that it's less of an MTA configuration issue
and more of an MUA issue. Adoption rates may be higher if popular MUAs
supported AUTH SMTP/SSL over port 587.



Adrian

-- 
Adrian Chadd         You don't have a TV? Then what's
[EMAIL PROTECTED]    all your furniture pointing at?





Re: Why do so few mail providers support Port 587?

2005-02-25 Thread Frank Louwers

On Fri, Feb 25, 2005 at 02:30:01AM -0500, Jim Popovitch wrote:
 
 On Thu, 2005-02-24 at 23:36 -0500, [EMAIL PROTECTED] wrote:
 
  The rest of us run mail services in the real world, where lots of users buy
  laptops, and then actually gasp, shock *use* the portability and thus 
  often
  end up behind some other ISP's port-25 block.
 
 Why not a VPN solution.  If you have mail servers that your users need,
 chances are that you also have file servers, internal web servers,
 calendar servers, etc.  Should file/web/calendar servers all open one
 port for internal access and a second port for authenticated external
 access?

That might work for corporate networks, but not for hosting providers,
isps, etc.

We have about 1 domains we manage, a lot of them have active mail
users. Imagine a (low) average of 5 mailboxes per domain. That would
mean my team would have to support 5 VPN connections? No thank you!

Furthermore, to set up a VPN, you need extra software, there are the
issues when you are behind a NAT (or even double-NAT) etc. Almost all
MUAs support auth-smtp on port 587, and thus this can be used from
anywhere (cyber-cafe when you are on holiday, PDAs, even some
cellphones, ...).

BTW: Belgium's two biggest isps _do_ block tcp/25 outgoing...


Kind Regards,
Frank Louwers

-- 
Openminds bvba    www.openminds.be
Tweebruggenstraat 16  -  9000 Gent  -  Belgium


RE: Why do so few mail providers support Port 587?

2005-02-25 Thread andrew2

[EMAIL PROTECTED] wrote:
 On Thu, 24 Feb 2005 16:51:50 EST, [EMAIL PROTECTED] said:
 
 There seem to be many who feel there is no overwhelming reason to
 support 587.  I can certainly see that point of view, but I guess my
 question is what reasons do those of you with that viewpoint have
 *not* to implement it?  I just don't see the harm in either
 configuring your MTA to listen on an extra port, or just forward port
 587 to 25 at the network level.  Other than a few man-hours for
 implementation what are the added costs/risks that make you
 so reluctant?  What am I missing?
 
 You *don't* want to just forward 587 to 25.  You want to to
 use SMTP AUTH or similar on 587 to make sure only *your*
 users connect to it as a mail injection service (unless, of
 course, you *want* to be a spam relay ;)

I guess my assumption was that SMTP AUTH was already configured on port
25.  :-)  That's how we're doing it -- I've opened up port 587 more as a
move to help roaming users get around port 25 blocks imposed by various
ISP's around the country than anything else.  For us it was a fairly
trivial change to make, which is why I was inquiring as to the apparent
strenuous reluctance on the part of some to do the same.

Andrew



Re: Why do so few mail providers support Port 587?

2005-02-25 Thread Eric A. Hall


On 2/25/2005 3:16 AM, Adrian Chadd wrote:
 
 [reposting this to nanog, as my answer might be reasonably ontopic]
 
 On Fri, Feb 25, 2005, Brad Knowles wrote:
 
At 8:05 AM + 2005-02-25, Adrian Chadd wrote:

Because your MUA doesn't support SSL on what it considers to be
non-standard ports?  Because your ISP won't let you set up an ssh
tunnel instead?  Because there would be no other way to keep your
mail connection secure, if SSL and ssh are denied to you?

Which MUA, that you/your users are using, won't let you run SSL on port 
587?

  Apparently, many Microsoft MUAs don't support that kind of thing.
 
 That's strange. I'm sure I've had Outlook 200x speak SSL on 587.

The problem with OE (and probably O) is that it only supports SMTP-SSL
carrier sessions rather than StartTLS sessions, especially when alternate
ports are involved. Note that StartTLS is the standard, not SMTPS which
was registered as informational and has been deprecated to boot. If you
are using lots of MS clients, you have to give up on the idea of running
100% encrypted communications over port 587. Not that anybody is stopping
you from setting up TLS-only on 587 and SMTPS on some other port...


-- 
Eric A. Hall    http://www.ehsco.com/
Internet Core Protocols  http://www.oreilly.com/catalog/coreprot/


Re: Why do so few mail providers support Port 587?

2005-02-25 Thread Nils Ketelsen

On Thu, Feb 24, 2005 at 04:02:20PM -0700, Smoot Carl-Mitchell wrote:

 On Thu, 2005-02-24 at 17:14 -0500, Jim Popovitch wrote:
  If supporting one port is y hours of time and headache, then two ports
  is closer to y*2 than y (some might argue y-squared).  587 has some
  validity for providers of roaming services, but who else?  Why not
  implement 587 behavior (auth from the outside coming in, and accept all
  where destin == this system) on 25 and leave the rest alone?
 I did run into a case where supporting port 587 was useful. I found out
 the hard way that one Internet service provider for hotels blocked
 outbound port 25, but not 587. So sending outbound mail to my mail relay
 would have been impossible without support for port 587.


It's so funny. On this list many argued Port 25 outgoing must
be blocked only to notice, that users actually seem to need it to
send mail. Now we must configure our mailservers to listen on 587 to
circumvent these filters, that were stupid in the first place.

Now to my prophecy mode: Spammers will start using 587 to spam, which we
then also all block outgoing, notice again that customers still want to
send mail and open another port ... 652 maybe. But this in a
while (true) loop until we run out of ports.

This is completely ridiculous.

Nils


Re: Why do so few mail providers support Port 587?

2005-02-25 Thread Nils Ketelsen

On Thu, Feb 24, 2005 at 11:36:40PM -0500, [EMAIL PROTECTED] wrote:

 Well, OK.  If you know for a *fact* that your users *never* roam, and you
 have sufficiently good control of your IP addresses that you can always safely
 decide if a given connection is inside or outside and allow them to relay
 based on that, then no, you don't need to support 587.
 
 The rest of us run mail services in the real world, where lots of users buy
 laptops, and then actually gasp, shock *use* the portability and thus often
 end up behind some other ISP's port-25 block.

I force anyone who wants to relay to use SMTP-AUTH on port 25. Only mails
for local delivery are accepted without AUTH. What's the point
in opening another port? 

I use this mailserver from a lot of different networks and it works fine.
If a provider blocks port 25 I call them, ask them to change it, if they
don't I cancel my contract, because they don't do their job (forwarding
IP). 

Nils


RE: Why do so few mail providers support Port 587?

2005-02-25 Thread andrew2

[EMAIL PROTECTED] wrote:
 On Thu, Feb 24, 2005 at 04:02:20PM -0700, Smoot Carl-Mitchell wrote:
 
 On Thu, 2005-02-24 at 17:14 -0500, Jim Popovitch wrote:
 If supporting one port is y hours of time and headache, then two
 ports is closer to y*2 than y (some might argue y-squared).  587 has
 some validity for providers of roaming services, but who else?  Why
 not implement 587 behavior (auth from the outside coming in, and
 accept all where destin == this system) on 25 and leave
 the rest alone?
 I did run into a case where supporting port 587 was useful. I found
 out the hard way that one Internet service provider for hotels
 blocked outbound port 25, but not 587. So sending outbound mail to
 my mail relay would have been impossible without support for port
 587. 
 
 
 It's so funny. On this list many argued Port 25 outgoing must
 be blocked only to notice, that users actually seem to need
 it to send mail. Now we must configure our mailservers to
 listen on 587 to circumvent these filters, that were stupid
 in the first place.
 
 Now to my prophecy mode: Spammers will start using 587 to
 spam, which we then also all block outgoing, notice again
 that customers still want to send mail and open another port
 ... 652 maybe. But this in a while (true) loop until we run
 out of ports.

That's being a bit disingenuous.  The discussion here hasn't been to
open up port 587 to relay for all comers, but rather to open it up for
authenticated use only.  If spammers start using it, then it's a result
of either poor authentication security or an understaffed abuse
department.  I'll agree with you on one thing, though -- the whole
business of port 587 is a bit silly overall...why can't the same
authentication schemes being bandied about for 587 be applied to 25,
thus negating the need for another port just for mail injection?

Andrew



Re: Why do so few mail providers support Port 587?

2005-02-25 Thread Joe Maimon

Nils Ketelsen wrote:
On Thu, Feb 24, 2005 at 11:36:40PM -0500, [EMAIL PROTECTED] wrote:
 

Well, OK.  If you know for a *fact* that your users *never* roam, and you
have sufficiently good control of your IP addresses that you can always safely
decide if a given connection is inside or outside and allow them to relay
based on that, then no, you don't need to support 587.
The rest of us run mail services in the real world, where lots of users buy
laptops, and then actually gasp, shock *use* the portability and thus often
end up behind some other ISP's port-25 block.
   

I force anyone who wants to relay to use SMTP-AUTH on port 25. Only mails
for local delivery are accepted without AUTH. What's the point
in opening another port? 

I use this mailserver from a lot of different networks and it works fine.
If a provider blocks port 25 I call them, ask them to change it, if they
don't I cancel my contract, because they don't do their job (forwarding
IP). 

Nils
 

Let us know how that goes the next time you are consulting at a 
cable-internet customer site with your laptop... yes, you will use ssh.

The priority of a network service provider should be in this order
1) Keep the network up
2) Keep the network un-abusive (this is a long-term extension of 1 
because an internetwork of abusive networks wont last long)
3) Forward customers packets

So if they block outbound direct-to-MX port 25 spam, I would say they 
are doing their job very nicely indeed.



Re: Why do so few mail providers support Port 587?

2005-02-25 Thread Joe Maimon

[EMAIL PROTECTED] wrote:
[EMAIL PROTECTED] wrote:
 

On Thu, Feb 24, 2005 at 04:02:20PM -0700, Smoot Carl-Mitchell wrote:
   

On Thu, 2005-02-24 at 17:14 -0500, Jim Popovitch wrote:
 

If supporting one port is y hours of time and headache, then two
ports is closer to y*2 than y (some might argue y-squared).  587 has
some validity for providers of roaming services, but who else?  Why
not implement 587 behavior (auth from the outside coming in, and
accept all where destin == this system) on 25 and leave
   

the rest alone?
   

I did run into a case where supporting port 587 was useful. I found
out the hard way that one Internet service provider for hotels
blocked outbound port 25, but not 587. So sending outbound mail to
my mail relay would have been impossible without support for port
587. 
 

It's so funny. On this list many argued Port 25 outgoing must
be blocked only to notice, that users actually seem to need
it to send mail. Now we must configure our mailservers to
listen on 587 to circumvent these filters, that were stupid
in the first place.
Now to my prophecy mode: Spammers will start using 587 to
spam, which we then also all block outgoing, notice again
that customers still want to send mail and open another port
... 652 maybe. But this in a while (true) loop until we run
out of ports.
   

That's being a bit disingenuous.  The discussion here hasn't been to
open up port 587 to relay for all comers, but rather to open it up for
authenticated use only.  If spammers start using it, then it's a result
of either poor authentication security or an understaffed abuse
department.  I'll agree with you on one thing, though -- the whole
business of port 587 is a bit silly overall...why can't the same
authentication schemes being bandied about for 587 be applied to 25,
thus negating the need for another port just for mail injection?
Andrew
 

In this while loop the break is that when authenticated customers abuse 
the authenticated service they will be terminated, not the service.

I do not see a repeat step here.
Oh you mean un-authenticated direct-to-mx spammable 587? Yes please, 
keep that turned off.

We need 587 because trusted authentication in SMTP does not transit with 
the message. So there is no way to require authenticated email only from 
all systems that would be worth a damn. Therefore, the goal is to corral 
the message submitting users onto authentication required gateways into 
the smtp network and reserve the ability to only allow port 25 to known 
servers.



Re: Why do so few mail providers support Port 587?

2005-02-25 Thread Jason Frisvold

On Fri, 25 Feb 2005 11:17:35 -0500, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 That's being a bit disingenuous.  The discussion here hasn't been to
 open up port 587 to relay for all comers, but rather to open it up for
 authenticated use only.  If spammers start using it, then it's a result
 of either poor authentication security or an understaffed abuse
 department.  I'll agree with you on one thing, though -- the whole
 business of port 587 is a bit silly overall...why can't the same
 authentication schemes being bandied about for 587 be applied to 25,
 thus negating the need for another port just for mail injection?

Port 587 is intended for authenticated mail relaying only.  While you
can set up authenticated relaying only on port 25, you still have to
deal with spammers sending mail directly to your users on port 25. 
Blocking port 25 outbound from dynamic ips (dialups, dsl, cable, etc)
helps a little bit ..  But then you need an alternate port for
relaying.

I think using port 587 for authorized relaying and port 25 for normal
smtp services works out well.  I can't think of a valid reason to ever
block port 587, and I can't see how spammers will use port 587 for
spamming, unless they have a username/password for relaying..
 
 Andrew

-- 
Jason 'XenoPhage' Frisvold
[EMAIL PROTECTED]


Re: Why do so few mail providers support Port 587?

2005-02-25 Thread Frank Louwers

On Fri, Feb 25, 2005 at 10:47:59AM -0500, Nils Ketelsen wrote:
 
 
 Now to my prophecy mode: Spammers will start using 587 to spam, which we
 then also all block outgoing, notice again that customers still want to

The trick is to config port 587 in such a way that it ONLY accepts
smtp-auth mail, not regular smtp.

That way, virii/spam junk won't be able to use that port.

Kind Regards,
Frank Louwers



Re: Why do so few mail providers support Port 587?

2005-02-25 Thread Adrian Chadd

On Fri, Feb 25, 2005, Nils Ketelsen wrote:

 It's so funny. On this list many argued Port 25 outgoing must
 be blocked only to notice, that users actually seem to need it to
 send mail. Now we must configure our mailservers to listen on 587 to
 circumvent these filters, that were stupid in the first place.
 
 Now to my prophecy mode: Spammers will start using 587 to spam, which we
 then also all block outgoing, notice again that customers still want to
 send mail and open another port ... 652 maybe. But this in a
 while (true) loop until we run out of ports.

Kind of. The reason port 25 is filtered is because spammers were
making direct connections from (host) to (domain MX). This isn't
distinguishable from normal SMTP except by things like SPF which
authenticate the /sender/ host.

Port 587 is different - the spammers can use it but the spam now
passes through your ISP configured mailserver. Much like how spammers
are sometimes poking the registry/configuration to use configured
MTAs since direct connection to domain MX servers isn't always working.
So yes, it'll eventually be used by spammers but, by its very nature,
the spam source will be easily identified and throttled at their end.




adrian






Re: Why do so few mail providers support Port 587?

2005-02-25 Thread Eric A. Hall


On 2/25/2005 10:51 AM, Nils Ketelsen wrote:

 On Thu, Feb 24, 2005 at 11:36:40PM -0500, [EMAIL PROTECTED] wrote:
 I force anyone who wants to relay to use SMTP-AUTH on port 25. Only mails
 for local delivery are accepted without AUTH. What's the point
 in opening another port? 

There are lots of secondary benefits. One of my favorites is that I can
reject mail session on port 25 from hosts that claim to be in my domain
(all such mail is authenticated on port 587 or is coming from a
pre-configured list of servers that already hit an exception, so any other
connections on port 25 that HELO as ehsco.com are lying). There are lots
of these kinds of non-trivial benefits.


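The relay policies argued over in the last several messages are easy to state as one decision function, so here is an added Python model of them (example code written for this page, not anything posted in the thread). It combines "AUTH to relay on 25, local delivery without AUTH" as Nils runs it, "port 587 accepts nothing that is not authenticated" as Frank configures it, a STARTTLS-before-AUTH rule that answers the plain-text credential concern raised earlier, and the check Eric describes above: a port-25 session that HELOs with his own domain from a host that is not one of his pre-configured servers is lying. The domain names, addresses and the credential table are constructed for the example; a real MTA gets its credentials from SASL, not a dict.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

# Assumed site data for the example; none of it comes from the thread.
LOCAL_DOMAINS = {"example.net"}                         # domains this MTA delivers for
MY_HELO_NAMES = {"example.net", "mail.example.net"}     # names only our own machines may HELO as
KNOWN_SERVERS = {"192.0.2.10"}                          # pre-configured peers exempt from that check
CREDENTIALS = {"alice": "correct horse"}                # constructed; real MTAs use SASL, not a dict


@dataclass
class Session:
    port: int                    # 25 (MTA-to-MTA plus local delivery) or 587 (submission)
    client_ip: str
    helo: str = ""
    tls: bool = False            # STARTTLS has been negotiated
    auth_user: Optional[str] = None


def on_helo(s: Session, name: str) -> str:
    """HELO/EHLO check.  On port 25 a stranger claiming to be one of our own hosts
    is lying: our users authenticate (on 587 or on 25) and our real servers are in
    KNOWN_SERVERS, so nothing else legitimately HELOs with our name."""
    s.helo = name.lower()
    if s.port == 25 and s.helo in MY_HELO_NAMES and s.client_ip not in KNOWN_SERVERS:
        return "550 HELO name belongs to this site but client is not one of our servers"
    return "250 OK"


def on_auth(s: Session, user: str, password: str) -> str:
    """AUTH PLAIN/LOGIN carry the password in the clear, so refuse AUTH until the
    session is under TLS; otherwise any hotel LAN can collect the credentials."""
    if not s.tls:
        return "530 Must issue a STARTTLS command first"
    expected = CREDENTIALS.get(user)
    if expected is None or not hmac.compare_digest(expected, password):
        return "535 Authentication failed"
    s.auth_user = user
    return "235 Authentication successful"


def on_rcpt(s: Session, rcpt: str) -> str:
    """Relay decision for one RCPT TO."""
    domain = rcpt.rpartition("@")[2].lower()
    if s.port == 587:
        # Submission port: AUTH is required for everything, even mail addressed to
        # our own users, so a bot cannot use 587 as a second inbound delivery path.
        return "250 OK" if s.auth_user else "530 Authentication required"
    # Port 25: inbound mail for local users is accepted unauthenticated, relaying
    # is allowed only for authenticated users (the "AUTH on 25" design), nothing else.
    if domain in LOCAL_DOMAINS:
        return "250 OK"
    if s.auth_user:
        return "250 OK"
    return "554 Relay access denied"


def submit(port, client_ip, helo, rcpt, tls=False, creds=None):
    """Drive one session through HELO -> (STARTTLS/AUTH) -> RCPT and return the
    replies, stopping at the first rejection as a real server would."""
    s = Session(port=port, client_ip=client_ip, tls=tls)
    replies = [on_helo(s, helo)]
    if replies[-1][0] != "2":
        return replies
    if creds:
        replies.append(on_auth(s, *creds))
        if replies[-1][0] != "2":
            return replies
    replies.append(on_rcpt(s, rcpt))
    return replies


if __name__ == "__main__":
    print(submit(25, "203.0.113.5", "mail.example.net", "alice@example.net"))   # 550: forged HELO
    print(submit(25, "203.0.113.5", "mx.other.example", "alice@example.net"))   # 250: inbound local mail
    print(submit(25, "203.0.113.5", "laptop", "bob@elsewhere.example"))         # 554: open relay attempt
    print(submit(587, "203.0.113.5", "laptop", "alice@example.net"))            # 530: 587 needs AUTH
    print(submit(587, "203.0.113.5", "laptop", "bob@elsewhere.example",
                 tls=True, creds=("alice", "correct horse")))                    # 250: authenticated submission
```

Keeping the two ports in separate functions of the policy is what makes the HELO check safe: it can only be applied on 25 because every legitimate source of mail bearing our name has been moved onto an authenticated path or onto the known-server list.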

Re: Why do so few mail providers support Port 587?

2005-02-25 Thread Eric A. Hall


On 2/25/2005 11:17 AM, [EMAIL PROTECTED] wrote:

 department.  I'll agree with you on one thing, though -- the whole
 business of port 587 is a bit silly overall...why can't the same
 authentication schemes being bandied about for 587 be applied to 25,
 thus negating the need for another port just for mail injection?

It's not just authentication. Mail from local users might need some fix-up
work done to it, like adding Date or Message-ID, or completing a
mail-domain in an address, or doing some other kind of cleanup. You don't
necessarily want to do that for server-server messages, since their absence
is good spam-sign, but at the same time you do want to do it for user
mail. You can also conduct different kinds of tests, perform different
kinds of rate-limiting, map in different headers (auth, for example), and
so forth.

Separating your traffic is good management.



RE: Why do so few mail providers support Port 587?

2005-02-25 Thread andrew2

Joe Maimon wrote:

 We need 587 because trusted authentication in SMTP does not
 transit with the message. So there is no way to require
 authenticated email only from all systems that would be worth
 a damn. 

Local delivery only unless authenticated isn't worth a damn?  Is this
really that difficult??

Andrew



RE: Why do so few mail providers support Port 587?

2005-02-25 Thread andrew2

[EMAIL PROTECTED] wrote:
 Joe Maimon wrote:
 
 We need 587 because trusted authentication in SMTP does not transit
 with the message. So there is no way to require authenticated email
 only from all systems that would be worth a damn.
 
 Local delivery only unless authenticated isn't worth a damn?
 Is this really that difficult??
 
 Andrew

Sorry, I misread that.  But I still fail to see how 587 changes that.
Trojans, viruses, etc. etc. etc. can still exploit the authentication
system regardless of what port it operates on.  Different port, same old
problems.

Andrew



Re: Why do so few mail providers support Port 587?

2005-02-25 Thread Valdis . Kletnieks
On Fri, 25 Feb 2005 02:30:01 EST, Jim Popovitch said:

 Why not a VPN solution.  If you have mail servers that your users need,
 chances are that you also have file servers, internal web servers,
 calendar servers, etc.

We're talking ISPs and other mostly open providers, not corporate nets.

Remember that a *big* part is the support nightmare of getting your 50,000
Joe Sixpack subscribers to pull down a menu and change a 25 to a 587.

And you intend to make them purchase, install, and configure a VPN?

 Should file/web/calendar servers all open one
 port for internal access and a second port for authenticated external
 access?

Last I heard, if you have public and internal web content, Best Practices
says to put them not on different ports, but *different hosts* - the public
one out in your DMZ, and your internal one on your internal network.




Re: Why do so few mail providers support Port 587?

2005-02-25 Thread Valdis . Kletnieks
On Fri, 25 Feb 2005 12:56:50 EST, [EMAIL PROTECTED] said:

 Sorry, I misread that.  But I still fail to see how 587 changes that.
 Trojans, viruses, etc. etc. etc. can still exploit the authentication
 system regardless of what port it operates on.  Different port, same old
 problems.

It changes it only in that it becomes a *lot* easier for you to track down
which of your users has a compromised machine. (It's a lot easier to just look
at the Received: headers than have to take the hostname, chase it back through
your logs, and all that - especially if the user is roaming and just caught
something over their Aunt Tilly's unsecured wireless access point)




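The point above, that the Received: headers name the compromised user directly, as an added Python example that is not part of the thread: it walks the Received: chain of a constructed abuse-report message and returns the hop at which our own submission server accepted it, with the authenticated user and the client address. The header layout is the one Postfix writes when smtpd_sasl_authenticated_header is enabled ("(Authenticated sender: user)"); sendmail and other MTAs word it differently, so the regular expression would need adjusting for them. The host names, addresses and the OUR_SUBMISSION_HOSTS set are made up for the example.

```python
import re
from email import message_from_bytes
from email.policy import default as default_policy

# Hosts whose Received: stamps we trust because we operate them (assumed names).
OUR_SUBMISSION_HOSTS = {"mail.example.net"}

# Postfix-style stamp: "from <helo> (<rdns> [<ip>]) (Authenticated sender: <user>) by <host> ..."
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[0-9A-Fa-f.:]+)\]\)"
    r"(?:\s+\(Authenticated sender:\s*(?P<user>[^)]+)\))?"
    r"\s+by\s+(?P<by>\S+)"
)


def parse_received(value):
    """Pull HELO name, client IP, authenticated user (None if absent) and receiving
    host out of one Received: header.  The header is unfolded first, since MTAs
    wrap it across several lines.  Returns None for hops it cannot parse."""
    m = RECEIVED_RE.search(" ".join(value.split()))
    return m.groupdict() if m else None


def trace_submission(raw_message, our_hosts=OUR_SUBMISSION_HOSTS):
    """Find the hop at which *our* submission server accepted the message.

    Received: headers are prepended by each hop, so walking from the top the first
    stamp naming one of our hosts is the genuine one.  Anything below it arrived
    inside the client's DATA and may be forged, so it is never consulted."""
    msg = message_from_bytes(raw_message, policy=default_policy)
    for value in msg.get_all("Received", []):
        hop = parse_received(str(value))
        if hop and hop["by"].lower() in our_hosts:
            return hop
    return None


# Constructed abuse-report sample.  The top stamp is the recipient's MX, the
# second is our submission server accepting AUTHed mail from a hotel dial-up,
# and the third is a forged stamp the bot included to blame another account.
SAMPLE_MESSAGE = b"""\
Received: from mail.example.net (mail.example.net [192.0.2.25])
\tby mx.recipient.example with ESMTP id 4B2; Fri, 25 Feb 2005 14:02:11 -0500
Received: from dialup-42.hotel.example (dialup-42.hotel.example [203.0.113.42])
\t(Authenticated sender: alice)
\tby mail.example.net (Postfix) with ESMTPSA id 7A1B2C3D;
\tFri, 25 Feb 2005 14:01:55 -0500
Received: from innocent.example (innocent.example [192.0.2.99])
\t(Authenticated sender: bob)
\tby mail.example.net (Postfix) with ESMTPSA id FORGED;
\tFri, 25 Feb 2005 14:01:50 -0500
From: alice@example.net
To: target@recipient.example
Subject: constructed sample

(body omitted)
"""

if __name__ == "__main__":
    hop = trace_submission(SAMPLE_MESSAGE)
    print("account to lock:", hop["user"], "connected from", hop["ip"], "as", hop["helo"])
```

The answer is alice's account from the hotel address, not bob's: the forged stamp sits below the one our server added and is ignored. That is the whole of the tracing work; without AUTH the same question means matching the hotel's address and timestamp against someone else's RADIUS logs.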

RE: Why do so few mail providers support Port 587?

2005-02-25 Thread andrew2

[EMAIL PROTECTED] wrote:
 On Fri, 25 Feb 2005 12:56:50 EST, [EMAIL PROTECTED] said:
 
 Sorry, I misread that.  But I still fail to see how 587 changes that.
 Trojans, viruses, etc. etc. etc. can still exploit the authentication
 system regardless of what port it operates on.  Different port, same
 old problems.
 
 It changes it only in that it becomes a *lot* easier for you
 to track down which of your users has a compromised machine.
 (It's a lot easier to just look at the Received: headers than
 have to take the hostname, chase it back through your logs,
 and all that - especially if the user is roaming and just
 caught something over their Aunt Tilly's unsecured wireless
 access point)

Yes.  Authenticated SMTP makes tracking down which of your users is
doing the spamming easier.  But you're assuming that SMTP AUTH isn't
being used on port 25 already.  You can do SMTP AUTH just as easily on
port 25 without having to re-educate your users and still net the same
simplified tracking procedures that you mention.  It sounds to me like
what we should really be talking about is getting MTA operators to begin
using SMTP authentication of some kind (any kind!), rather than harping
on whether or not MTA's should accept mail on port 587...

Andrew



RE: Why do so few mail providers support Port 587?

2005-02-25 Thread Christopher X. Candreva

On Fri, 25 Feb 2005 [EMAIL PROTECTED] wrote:

 being used on port 25 already.  You can do SMTP AUTH just as easily on
 port 25 without having to re-educate your users and still net the same
 simplified tracking procedures that you mention.  It sounds to me like
 what we should really be talking about is getting MTA operators to begin
 using SMTP authentication of some kind (any kind!), rather than harping
 on whether or not MTA's should accept mail on port 587...

Port 587 becomes useful because it allows you to firewall outbound port 25 
from non-mail servers (i.e. users), while allowing them to submit mail to 
other places.

It's hard to say how it benefits YOU as a single person. But the separation 
benefits the Internet as a whole.

It's a two part thing though. Blocking port 25 won't work without an 
alternative for users, and having mail submitted to relays on 587 isn't 
helpful if local admins don't block port 25 outbound for their users.

However, with both of these in place, you stop the ability of every 
virus-infected host to send mail out directly to other people's mail 
servers. Forcing them through your mail relay gives you control: Your virus 
scanner can now detect the traffic, issue an alert, shut down the account, 
etc.

So to answer Nils' original question, along the lines of giving him a 
reason to listen on port 587, the only selfish reason would be so your 
users behind port 25 firewalls can relay through your server. If you don't 
need that, then don't bother. 

Simply making this available has caused us really no 
additional support requests, it's maybe two lines in the sendmail.mc file.

On the other hand, Optimum Online deciding to block outbound port 25 
one (Saturday) morning caused quite a bit of support work. Had we not 
already been supporting 587 at that point, the work would have been far 
greater, if not for the techs, then for the salespeople trying to get new 
customers to replace all the ones we would have lost.


==
Chris Candreva  -- [EMAIL PROTECTED] -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/


Re: Why do so few mail providers support Port 587?

2005-02-25 Thread just me

On Fri, 25 Feb 2005, Frank Louwers wrote:

  The trick is to config port 587 in such a way that it ONLY accepts
  smtp-auth mail, not regular smtp.
  
  That way, virii/spam junk won't be able to use that port.

What are you, stupid? The spammers have drone armies of machines 
with completely compromised operating systems. What makes you think 
that their mail credentials will be hard to obtain?  

matt ghali

[EMAIL PROTECTED]darwin
  The only thing necessary for the triumph
  of evil is for good men to do nothing. - Edmund Burke


Re: Why do so few mail providers support Port 587?

2005-02-25 Thread Christopher X. Candreva

On Fri, 25 Feb 2005, just me wrote:

 What are you, stupid? The spammers have drone armies of machines 
 with completely compromised operating systems. What makes you think 
 that their mail credentials will be hard to obtain?  

What are you, stupid? Run a virus scanner on your mail relay so you don't 
propagate any viruses.
 



Re: Why do so few mail providers support Port 587?

2005-02-25 Thread Edward B. Dreger

jm Date: Fri, 25 Feb 2005 14:25:48 -0800 (PST)
jm From: just me

jm What are you, stupid? The spammers have drone armies of machines
jm with completely compromised operating systems. What makes you think
jm that their mail credentials will be hard to obtain?

Internal users:  With AUTH - correlate message with authenticated user,
then forbid mail transmission for them only.  I'd rather do that than
slog through RADIUS logs.  But, hey, maybe if I had more free time...

External users:  They must send mail somehow.  If saying You roam? Use
this port! is too difficult, try explaining multiple profiles.  Short
of using 25/TCP on the service provider's network (which could be
amusing for those using wholesale dialup providers), users need some way
to pass email.


Eddy
--
Everquick Internet - http://www.everquick.net/
A division of Brotsman  Dreger, Inc. - http://www.brotsman.com/
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita

DO NOT send mail to the following addresses:
[EMAIL PROTECTED] -*- [EMAIL PROTECTED] -*- [EMAIL PROTECTED]
Sending mail to spambait addresses is a great way to get blocked.
Ditto for broken OOO autoresponders and foolish AV software backscatter.



Re: Why do so few mail providers support Port 587?

2005-02-25 Thread just me

On Fri, 25 Feb 2005, Christopher X. Candreva wrote:
  
  On Fri, 25 Feb 2005, just me wrote:
  
   What are you, stupid? The spammers have drone armies of machines 
   with completely compromised operating systems. What makes you think 
   that their mail credentials will be hard to obtain?  
  
  What are you, stupid? Run a virus scanner on your mail relay so you don't 
  propagate any viruses.

That certainly solves the problem in question, preventing 
compromised hosts from using their user's credentials to transmit 
AUTHed spam through their configured smarthost.

No, wait, your comment is a total non sequitur.
  
While AUTHed spam from zombies will be easier to detect and block, 
it is not the Magic Solution that many folks on this list are 
presenting it as.

Most ISPs don't watch logs for the signs of abuse now, why would 
they magically change their behavior and monitor logs if they 
required auth? Just because there is more of an audit trail doesn't 
mean that it will be used.

matt ghali

[EMAIL PROTECTED]darwin
  The only thing necessary for the triumph
  of evil is for good men to do nothing. - Edmund Burke


Re: Why do so few mail providers support Port 587?

2005-02-25 Thread just me

On Fri, 25 Feb 2005, Edward B. Dreger wrote:

  Internal users:  With AUTH - correlate message with authenticated user,
  then forbid mail transmission for them only.  I'd rather do that than
  slog through RADIUS logs.  But, hey, maybe if I had more free time...

Increasing the detail of an audit trail doesn't mean anyone will 
automatically use the information in an effective manner.

Without auth, most ISPs could correlate abuse behavior between MTA 
logs and RADIUS logs, if they cared. Most don't. SMTP AUTH won't 
change that.  

matt ghali

[EMAIL PROTECTED]darwin
  The only thing necessary for the triumph
  of evil is for good men to do nothing. - Edmund Burke


Re: Why do so few mail providers support Port 587?

2005-02-25 Thread Christopher X. Candreva

On Fri, 25 Feb 2005, just me wrote:

 Most ISPs don't watch logs for the signs of abuse now, why would 
 they magically change their behavior and monitor logs if they 
 required auth? Just because there is more of an audit trail doesn't 
 mean that it will be used.

Because now the server sending viruses is their outgoing mail server, which 
will get blocked via the various DNSBLs instead of the end-user machine, 
which should be much more of an incentive to clean things up.


==
Chris Candreva  -- [EMAIL PROTECTED] -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/


Re: Why do so few mail providers support Port 587?

2005-02-25 Thread J.D. Falk

On 02/25/05, just me [EMAIL PROTECTED] wrote: 

 On Fri, 25 Feb 2005, Edward B. Dreger wrote:
 
   Internal users:  With AUTH - correlate message with authenticated user,
   then forbid mail transmission for them only.  I'd rather do that than
   slog through RADIUS logs.  But, hey, maybe if I had more free time...
 
 Increasing the detail of an audit trail doesn't mean anyone will 
 automatically use the information in an effective manner.
 
 Without auth, most ISPs could correlate abuse behavior between MTA 
 logs and RADIUS logs, if they cared. Most don't. SMTP AUTH won't 
 change that.  

I don't get it, Matt.  Are you trying to tell us that because 
some ISP's don't care, the ISP's who /do/ care /shouldn't/ move 
their users to doing mail submissions on port 587?

-- 
J.D. Falk  uncertainty is only a virtue
[EMAIL PROTECTED]when you don't know the answer yet


RE: Why do so few mail providers support Port 587?

2005-02-25 Thread Sean Donelan

On Fri, 25 Feb 2005 [EMAIL PROTECTED] wrote:
 Sorry, I misread that.  But I still fail to see how 587 changes that.
 Trojans, viruses, etc. etc. etc. can still exploit the authentication
 system regardless of what port it operates on.  Different port, same old
 problems.

Sigh, if even the network professionals have difficulty understanding
how things work, what hope is there for the rest of the users?

Requiring end-user systems to use only authenticated port 587 to
send outbound mail means even if they are infected with trojans, viruses,
etc, they will only be able to send mail via the (few) mail servers on
which they have an authenticated account.  Hopefully, then the local
mail administrator could run server-based anti-virus/anti-spam checks on
the outgoing e-mail from authenticated local users (including those users
which may have had their anti-virus/anti-spam software compromised on
the PC) before forwarding it to other mail servers on the Internet.

When end-user systems have direct access to port 25 on all Internet
mail servers, an end-user system infected with a trojan, viruses, etc
will send mail to other mail servers on the Internet directly without
needing to authenticate itself because mail servers still need to accept
unauthenticated mail from anywhere for local delivery on Port 25. Waiting
for complaints, installing network sniffers (assuming you can find a
sniffer big enough) or conducting intrusive scans of the user's computers
tends to be re-active rather than pro-active; and can result in a
trojan or virus sending large quantities of mail directly from the
infected computer.

Of course, it would be great news and a good goal if end-user computers
were never compromised and their anti-virus definitions were always up
to date, and so on.  But that is a bit unrealistic for unmanaged end-user
systems.

Requiring end-user computers to use authenticated Port 587 and blocking
end-user computers access to port 25 has several advantages:

1. Reduces the number of mail servers to which an infected
end-user computer has direct access without authentication.  They still
have indirect access if their authenticated mail server forwards it
without further checks.
2. Lets the authenticated mail server conduct additional
anti-virus checks on outgoing mail even if the end-user's computer was
compromised or had out-of-date virus definitions.
3. Separates authenticated mail submission (port 587) from other
mail protocols (25, 110, 143, etc) simplifying network controls (no
deep-packet inspection) for end-user computers.  Eliminates some of the
existing problems with trying to do transparent proxying of port 25 from
end-user computers.
4. Allows the source network to make exceptions for individual
addresses instead of trying to modify DUL RBLs used by destination
mail servers if an end-user runs their own mail server.
5. Lets a roaming end-user computer use the same mail
configuration when it is on its home network or on a remote network to
access its primary authenticated mail server instead of needing to change
to a different local network mail server. If all your users always
use a VPN, this may be less important.

But if none of those change your mind, nothing can force you to offer
Port 587 authenticated mail submission, VPN or web mail access for
your users.  If you choose not to, that is between you and your users.
There is a good chance your users will experience problems when traveling
or roaming unless you offer some of those alternatives.
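The submission-port setup this post argues for, as an added sendmail.mc example (not code from any post in this thread): the stock MSA line, which only disables ETRN and still lets an unauthenticated client inject mail for local recipients, beside one that requires AUTH, with STARTTLS gating the cleartext mechanisms. It assumes sendmail 8.13 built with SASL and STARTTLS; certificate paths are placeholders.

```m4
dnl Added example, not from this thread: sendmail.mc fragment for a
dnl submission port that only accepts authenticated mail.  Assumes
dnl sendmail 8.13.x built with SASL and STARTTLS; paths are placeholders.

dnl Any DAEMON_OPTIONS line replaces the generated defaults (MTA on 25 and
dnl the stock MSA on 587), so both daemons are declared explicitly here.
dnl no_default_msa is belt-and-braces: it suppresses the stock MSA line.
FEATURE(`no_default_msa')dnl

dnl Port 25 stays the unauthenticated MTA port: other sites' MTAs must be
dnl able to deliver mail for local recipients here without credentials.
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl

dnl WEAK (the stock MSA line): M=E only disallows ETRN.  Anyone can still
dnl connect to 587 and inject mail for local recipients without AUTH, so
dnl a port-25 block on the client's network gains nothing against a worm
dnl that simply tries 587 next.
dnl DAEMON_OPTIONS(`Port=587, Name=MSA, M=E')dnl

dnl HARDENED: the `a' modifier means "require authentication".  A client
dnl that has not authenticated on this port is refused at MAIL FROM with
dnl 530 Authentication required, whatever the recipient domain, so 587
dnl only carries mail from accounts you issued credentials to.
DAEMON_OPTIONS(`Port=587, Name=MSA, M=Ea')dnl

dnl Offer these SASL mechanisms, and let a successful AUTH with any of
dnl them grant relay permission (roaming users relay through here).
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

dnl `p': do not offer PLAIN/LOGIN (cleartext) until STARTTLS is active,
dnl so a user on hotel or hotspot Wi-Fi does not leak the password that
dnl now guards the port.  `A': honour AUTH= on MAIL FROM only after a
dnl successful authentication.
define(`confAUTH_OPTIONS', `A p')dnl

dnl STARTTLS material for the server side (placeholder paths).
define(`confCACERT_PATH', `/etc/mail/certs')dnl
define(`confCACERT', `/etc/mail/certs/ca.pem')dnl
define(`confSERVER_CERT', `/etc/mail/certs/msa.pem')dnl
define(`confSERVER_KEY', `/etc/mail/certs/msa.key')dnl
```

Because every submission on 587 now carries an authenticated identity, the MSA's log lines name the account behind any outbound burst, which is the per-user correlation the later posts in this thread argue about.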



Re: Why do so few mail providers support Port 587?

2005-02-25 Thread just me

On Fri, 25 Feb 2005, J.D. Falk wrote:
  On 02/25/05, just me [EMAIL PROTECTED] wrote: 

   Increasing the detail of an audit trail doesn't mean anyone will 
   automatically use the information in an effective manner.
   
   Without auth, most ISPs could correlate abuse behavior between MTA 
   logs and RADIUS logs, if they cared. Most don't. SMTP AUTH won't 
   change that.  
  
I don't get it, Matt.  Are you trying to tell us that because 
some ISP's don't care, the ISP's who /do/ care /shouldn't/ move 
their users to doing mail submissions on port 587?
  
Of course not, and I eat my own dog food. Come March 1, I will be 
flipping the switch on a large number of mail policy reforms where I 
work, including mandatory SMTP AUTH for all campus users.

It took a lot of pushing for me to get the policy in place. I 
believe that in the right environment (including one that I run) the 
additional control and accounting will be a positive tool.  

What I disagree with is the constant disingenuous suggestion made 
here that AUTH by itself has any impact on unwanted email. When the 
lights are on, but nobody is home, it doesn't matter how detailed the 
accounting is. And it seems that there are plenty of large providers 
around the world where this is the case.

matt ghali

[EMAIL PROTECTED]darwin
  The only thing necessary for the triumph
  of evil is for good men to do nothing. - Edmund Burke


Re: Why do so few mail providers support Port 587?

2005-02-25 Thread Sean Donelan

On Fri, 25 Feb 2005, just me wrote:
 What I disagree with is the constant disingenuous suggestion made
 here that AUTH by itself has any impact on unwanted email. When the
 lights are on, but nobody is home, it doesn't matter how detailed the
 accounting is. And it seems that there are plenty of large providers
 around the world where this is the case.

While you may be correct in theory, in the real world you don't have
to outrun the bear, just the other guy.  Although I still believe in
an end-to-end Internet, it is hard to argue with real-life experience.

Essentially every provider that has implemented port 25 blocks has seen
a substantial drop in problems.  The numbers are even better when they
added the requirement for authenticated mail submission even for local
users.  These are the same providers that, as you say, have nobody home, so
that variable didn't change.


http://www.cox.com/sandiego/highspeedinternet/spamfaq.asp

Since the implementation of the port 25 blocking procedure, Cox has seen
significant decreases in the residential Cox High Speed Internet
complaint counts for different abuse types impacted by the port 25
blocking.  Port scanning complaints decreased by 36%, virus complaints
by 41%, spam complaints by 52%, and open proxy by more than 78%.


I'm not a complete idiot. Everyone expects the malware authors
to adapt.  Some already have. But when they do, you have made some
progress in reducing the footprint back to just the mail servers
accepting authenticated submissions instead of every end-user
system on the Internet.  Even at providers with nobody home,
dealing with the problem at a few mail servers handling authenticated
mail submission is significantly different than fixing millions of
end-user PC's sending mail to any other system on the Internet.


Re: Why do so few mail providers support Port 587?

2005-02-24 Thread Nils Ketelsen

On Tue, Feb 15, 2005 at 09:00:11PM -0500, Sean Donelan wrote:

 Although RFC2476 was published in December 1998, it's amazing
 how few mail providers support the Message Submission protocol
 for e-mail on Port 587.  Even odder, some mail providers
 use other ports such as 26 or 2525, but not the RFC recommended
 Port 587 for remote authenticated mail access for users.

I can not say anything about other providers, but I don't do it for a
simple reason: I think it is completely pointless. 

 What can be done to encourage universities and other mail providers
 with large roaming user populations to support RFC2476/Port 587?

Give a good reason. That is still the missing part.


Nils


Re: Why do so few mail providers support Port 587?

2005-02-24 Thread Florian Weimer

* Nils Ketelsen:

 What can be done to encourage universities and other mail providers
 with large roaming user populations to support RFC2476/Port 587?

 Give a good reason. That is still the missing part.

From the MTA perspective, 25/TCP is the "you are responsible for the
message" port, 587/TCP is the "I will be responsible for the message"
port.  In other words, the implied abuse management contracts differ
significantly.  

However, this is mostly theory.  I'm not sure if mail providers will
try to pass responsibility for spam injected on 587/TCP to the ISP
from whose address space the message was submitted.  (They already do
so for some parts of the abuse management process, e.g. law
enforcement requests.)


Re: Why do so few mail providers support Port 587?

2005-02-24 Thread Nils Ketelsen

On Thu, Feb 24, 2005 at 04:20:33PM -0500, [EMAIL PROTECTED] wrote:

 On Thu, 24 Feb 2005 16:08:42 EST, Nils Ketelsen said:
  On Tue, Feb 15, 2005 at 09:00:11PM -0500, Sean Donelan wrote:
   What can be done to encourage universities and other mail providers
   with large roaming user populations to support RFC2476/Port 587?
  Give a good reason. That is still the missing part.

 If you're a roaming user from that provider, and you're at some other
 site that blocks or hijacks port 25, you can still send mail by tossing
 it to your main provider's 587.  If that's not a good enough reason to

And if I am a roaming user at some other site, that blocks or hijacks port
587?

 motivate the provider to support it, nothing will (except maybe when the
 users show up en masse with pitchforks and other implements of
 destruction...)

Then, I believe, nothing will motivate me.

Nils


Re: Why do so few mail providers support Port 587?

2005-02-24 Thread Valdis . Kletnieks
On Thu, 24 Feb 2005 16:08:42 EST, Nils Ketelsen said:

 On Tue, Feb 15, 2005 at 09:00:11PM -0500, Sean Donelan wrote:

  What can be done to encourage universities and other mail providers
  with large roaming user populations to support RFC2476/Port 587?
 
 Give a good reason. That is still the missing part.

If you're a roaming user from that provider, and you're at some other
site that blocks or hijacks port 25, you can still send mail by tossing it
to your main provider's 587.   If that's not a good enough reason to motivate
the provider to support it, nothing will (except maybe when the users show up
en masse with pitchforks and other implements of destruction...)





RE: Why do so few mail providers support Port 587?

2005-02-24 Thread andrew2

[EMAIL PROTECTED] wrote:
 On Thu, 24 Feb 2005 16:08:42 EST, Nils Ketelsen said:
 
 On Tue, Feb 15, 2005 at 09:00:11PM -0500, Sean Donelan wrote:
 
 What can be done to encourage universities and other mail providers
 with large roaming user populations to support RFC2476/Port 587?
 
 Give a good reason. That is still the missing part.
 
 If you're a roaming user from that provider, and you're at
 some other site that blocks or hijacks port 25, you can still send
 mail by tossing it to your main provider's 587.   If that's not a
 good enough reason to motivate the provider to support it, nothing
 will (except maybe when the users show up en masse with pitchforks
 and other implements of destruction...)

There seem to be many who feel there is no overwhelming reason to
support 587.  I can certainly see that point of view, but I guess my
question is what reasons do those of you with that viewpoint have *not*
to implement it?  I just don't see the harm in either configuring your
MTA to listen on an extra port, or just forward port 587 to 25 at the
network level.  Other than a few man-hours for implementation what are
the added costs/risks that make you so reluctant?  What am I missing?

Andrew



Re: Why do so few mail providers support Port 587?

2005-02-24 Thread Joe Maimon

[EMAIL PROTECTED] wrote:
[EMAIL PROTECTED] wrote:
 

On Thu, 24 Feb 2005 16:08:42 EST, Nils Ketelsen said:
   

On Tue, Feb 15, 2005 at 09:00:11PM -0500, Sean Donelan wrote:
 

What can be done to encourage universities and other mail providers
with large roaming user populations to support RFC2476/Port 587?
   

Give a good reason. That is still the missing part.
 

If you're a roaming user from that provider, and you're at
some other site that blocks or hijacks port 25, you can still send
mail by tossing it to your main provider's 587.   If that's not a
good enough reason to motivate the provider to support it, nothing
will (except maybe when the users show up en masse with pitchforks
and other implements of destruction...)
   

There seem to be many who feel there is no overwhelming reason to
support 587.  I can certainly see that point of view, but I guess my
question is what reasons do those of you with that viewpoint have *not*
to implement it?  I just don't see the harm in either configuring your
MTA to listen on an extra port, or just forward port 587 to 25 at the
network level.  Other than a few man-hours for implementation what are
the added costs/risks that make you so reluctant?  What am I missing?
Andrew
 

What man hours? That's the default setup for most sendmails!


RE: Why do so few mail providers support Port 587?

2005-02-24 Thread Jim Popovitch

If supporting one port is y hours of time and headache, then two ports
is closer to y*2 than y (some might argue y-squared).  587 has some
validity for providers of roaming services, but who else?  Why not
implement 587 behavior (auth from the outside coming in, and accept all
where destin == this system) on 25 and leave the rest alone?

-Jim P. 

On Thu, 2005-02-24 at 16:51 -0500, [EMAIL PROTECTED] wrote:
 [EMAIL PROTECTED] wrote:
  On Thu, 24 Feb 2005 16:08:42 EST, Nils Ketelsen said:
  
  On Tue, Feb 15, 2005 at 09:00:11PM -0500, Sean Donelan wrote:
  
  What can be done to encourage universities and other mail providers
  with large roaming user populations to support RFC2476/Port 587?
  
  Give a good reason. That is still the missing part.
  
  If you're a roaming user from that provider, and you're at
  some other site that blocks or hijacks port 25, you can still send
  mail by tossing it to your main provider's 587.   If that's not a
  good enough reason to motivate the provider to support it, nothing
  will (except maybe when the users show up en masse with pitchforks
  and other implements of destruction...)
 
 There seem to be many who feel there is no overwhelming reason to
 support 587.  I can certainly see that point of view, but I guess my
 question is what reasons do those of you with that viewpoint have *not*
 to implement it?  I just don't see the harm in either configuring your
 MTA to listen on an extra port, or just forward port 587 to 25 at the
 network level.  Other than a few man-hours for implementation what are
 the added costs/risks that make you so reluctant?  What am I missing?
 
 Andrew
 



Re: Why do so few mail providers support Port 587?

2005-02-24 Thread Nils Ketelsen

On Thu, Feb 24, 2005 at 04:51:50PM -0500, [EMAIL PROTECTED] wrote:

 There seem to be many who feel there is no overwhelming reason to
 support 587.  I can certainly see that point of view, but I guess my
 question is what reasons do those of you with that viewpoint have *not*
 to implement it?  I just don't see the harm in either configuring your

Oh that's easy: It creates costs (for implementing it
on the servers and clients) and produces no benefit.

 MTA to listen on an extra port, or just forward port 587 to 25 at the
 network level.  Other than a few man-hours for implementation what are
 the added costs/risks that make you so reluctant?  What am I missing?

You are missing the operational costs (has to be included in the regular
failover tests, has to be monitored, has to be fixed if something breaks
etc.)

Any system I introduce is increasing risks and costs. If there is
no benefit to justify these, I won't do it.

Nils


Re: Why do so few mail providers support Port 587?

2005-02-24 Thread Paul Vixie

 On Tue, Feb 15, 2005 at 09:00:11PM -0500, Sean Donelan wrote:
 
  Although RFC2476 was published in December 1998, it's amazing how few
  mail providers support the Message Submission protocol for e-mail on
  Port 587.  Even odder, some mail providers use other ports such as 26
  or 2525, but not the RFC recommended Port 587 for remote authenticated
  mail access for users.

well, in sbc-dsl-land, port 25 and port 587 are blocked, but port 26 gets
through.  it seems bizarre that port 587 would ever be blocked, but when
i encountered it, port 26 was my next choice.  perhaps other e-mail providers
had the same problem and used the same plan-b.

  What can be done to encourage universities and other mail providers
  with large roaming user populations to support RFC2476/Port 587?
 
 Give a good reason. That is still the missing part.

it's smtp that only works if you can authenticate.  thus it's only useful
for your own user population, and completely safe to leave open to the world
(as long as your user population keeps their passwords safe, that is.)
-- 
Paul Vixie


RE: Why do so few mail providers support Port 587?

2005-02-24 Thread Smoot Carl-Mitchell

On Thu, 2005-02-24 at 17:14 -0500, Jim Popovitch wrote:
 If supporting one port is y hours of time and headache, then two ports
 is closer to y*2 than y (some might argue y-squared).  587 has some
 validity for providers of roaming services, but who else?  Why not
 implement 587 behavior (auth from the outside coming in, and accept all
 where destin == this system) on 25 and leave the rest alone?

I did run into a case where supporting port 587 was useful. I found out
the hard way that one Internet service provider for hotels blocked
outbound port 25, but not 587. So sending outbound mail to my mail relay
would have been impossible without support for port 587.
-- 
Smoot Carl-Mitchell
System/Network Architect
email: [EMAIL PROTECTED]
cell: +1 602 421 9005
home: +1 480 922 7313


Re: Why do so few mail providers support Port 587?

2005-02-24 Thread Valdis . Kletnieks
On Thu, 24 Feb 2005 16:51:50 EST, [EMAIL PROTECTED] said:

 There seem to be many who feel there is no overwhelming reason to
 support 587.  I can certainly see that point of view, but I guess my
 question is what reasons do those of you with that viewpoint have *not*
 to implement it?  I just don't see the harm in either configuring your
 MTA to listen on an extra port, or just forward port 587 to 25 at the
 network level.  Other than a few man-hours for implementation what are
 the added costs/risks that make you so reluctant?  What am I missing?

You *don't* want to just forward 587 to 25.  You want to use SMTP AUTH
or similar on 587 to make sure only *your* users connect to it as a mail
injection service (unless, of course, you *want* to be a spam relay ;)

The *real* problem is usually that the site is too clueless to figure out how
to enable AUTH on 587, actually authenticate the user (which might involve
something really complicated, like LDAP or RADIUS), and tell the script monkeys
at first-level support what to tell the users.





Re: Why do so few mail providers support Port 587?

2005-02-24 Thread Andrew - Supernews

 Paul == Paul Vixie [EMAIL PROTECTED] writes:

 Paul well, in sbc-dsl-land, port 25 and port 587 are blocked, but
 Paul port 26 gets through.

I have a port-587 relay on my network which is used by some
sbc-dsl-land users... they don't appear to be blocked

-- 
Andrew, Supernews
http://www.supernews.com



Re: Why do so few mail providers support Port 587?

2005-02-24 Thread Valdis . Kletnieks
On Thu, 24 Feb 2005 17:14:17 EST, Jim Popovitch said:
 
 If supporting one port is y hours of time and headache, then two ports
 is closer to y*2 than y (some might argue y-squared).  587 has some
 validity for providers of roaming services, but who else?  Why not
 implement 587 behavior (auth from the outside coming in, and accept all
 where destin == this system) on 25 and leave the rest alone?

Well, OK.  If you know for a *fact* that your users *never* roam, and you
have sufficiently good control of your IP addresses that you can always safely
decide if a given connection is inside or outside and allow them to relay
based on that, then no, you don't need to support 587.

The rest of us run mail services in the real world, where lots of users buy
laptops, and then actually gasp, shock *use* the portability and thus often
end up behind some other ISP's port-25 block.




Re: Why do so few mail providers support Port 587?

2005-02-24 Thread Jim Popovitch

On Thu, 2005-02-24 at 23:36 -0500, [EMAIL PROTECTED] wrote:

 The rest of us run mail services in the real world, where lots of users buy
 laptops, and then actually gasp, shock *use* the portability and thus often
 end up behind some other ISP's port-25 block.

Why not a VPN solution?  If you have mail servers that your users need,
chances are that you also have file servers, internal web servers,
calendar servers, etc.  Should file/web/calendar servers all open one
port for internal access and a second port for authenticated external
access?

-Jim P.






Re: Why do so few mail providers support Port 587?

2005-02-24 Thread Adrian Chadd

On Fri, Feb 25, 2005, Jim Popovitch wrote:
 
 On Thu, 2005-02-24 at 23:36 -0500, [EMAIL PROTECTED] wrote:
 
  The rest of us run mail services in the real world, where lots of users buy
  laptops, and then actually gasp, shock *use* the portability and thus 
  often
  end up behind some other ISP's port-25 block.
 
 Why not a VPN solution?  If you have mail servers that your users need,
 chances are that you also have file servers, internal web servers,
 calendar servers, etc.  Should file/web/calendar servers all open one
 port for internal access and a second port for authenticated external
 access?

It'd be nice. :)

Although, it's different for ISP access. An office, sure, a VPN is possibly
the right solution. But your ISP email account? Why VPN to your ISP just for
that?




Adrian

-- 
Adrian ChaddYou don't have a TV? Then what's
[EMAIL PROTECTED] all your furniture pointing at?





Re: Why do so few mail providers support Port 587?

2005-02-19 Thread Florian Weimer

* Sean Donelan:

 Yet another reason for supporting port 587 on your servers for remote
 authenticated mail submission from your users.  If you don't support
 port 587, and use SPF, it may break when AOL or other providers re-direct
 port 25.

 http://www.heise.de/english/newsticker/news/56437

Has AOL notified anyone in advance?  Quite a few provider-independent
mail providers were caught by surprise.


Re: Why do so few mail providers support Port 587?

2005-02-19 Thread J.D. Falk

On 02/19/05, Florian Weimer [EMAIL PROTECTED] wrote: 

 * Sean Donelan:
 
  Yet another reason for supporting port 587 on your servers for remote
  authenticated mail submission from your users.  If you don't support
  port 587, and use SPF, it may break when AOL or other providers re-direct
  port 25.
 
  http://www.heise.de/english/newsticker/news/56437
 
 Has AOL notified anyone in advance?  Quite a few provider-independent
 mail providers were caught by surprise.

Is there a mailing list that will reach all/most of these
provider-independent mail providers?

(If so, then that's where we should be having this discussion
asking why they don't support port 587 yet.)

-- 
J.D. Falk  uncertainty is only a virtue
[EMAIL PROTECTED]when you don't know the answer yet


Re: Why do so few mail providers support Port 587?

2005-02-19 Thread Sean Donelan

On Sat, 19 Feb 2005, J.D. Falk wrote:
  Has AOL notified anyone in advance?  Quite a few provider-independent
  mail providers were caught by surprise.

   Is there a mailing list that will reach all/most of these
   provider-independent mail providers?

   (If so, then that's where we should be having this discussion
   asking why they don't support port 587 yet.)

If there was a forum read by all/most of those provider-independent mail
providers, that would be great.

NANOG is one of the most widely read network operations mailing lists
on the network.  That is why items such as IANA assignments, root
server changes, wide-scale outages are posted here.

There are more specific mailing lists for some subjects, but they tend to
be read by people who are already familiar with the subject.  The problem
is how to reach people who don't read such lists and aren't familiar with
the subject.

If you look through many different mailing list archives for the last
eight years, you will find many different providers blocking port 25
and recommending support for port 587.  And you will find people being
surprised by the changes, or who knew about the changes but didn't do
anything until they were personally affected.



Re: Why do so few mail providers support Port 587?

2005-02-18 Thread Todd Vierling

On Thu, 17 Feb 2005, Owen DeLong wrote:

 Chances are that the Sendmail team doesn't share your worm problems as most
 of them are not likely running unpatched windows boxes.

You don't have to run Windowz systems to get hit by their blowback.

And that's the problem, in a nutshell.

-- 
-- Todd Vierling [EMAIL PROTECTED] [EMAIL PROTECTED]


Re: Why do so few mail providers support Port 587?

2005-02-17 Thread Todd Vierling

On Wed, 16 Feb 2005 [EMAIL PROTECTED] wrote:

  Um, you actually have to work somewhat to get sendmail to support
  unauthenticated submission on port 587.  The default configuration
  is that port 25 is unauthenticated (albeit with some restrictions
  on relaying (only for local clients)) and port 587 is authenticated.
 
  As such, I'm not sure why you seem to think that sendmail on port 587
  is unauthenticated.

 Umm.. because the Sendmail 8.13.3 tree has this:

 DAEMON_OPTIONS(`Port=587, Name=MSA, M=E')

Yup.  I posted to another NANOG thread a little while ago about when I
mentioned this failure of security to the Sendmail folks and was shot down
voraciously by Claus and argued into oblivion by Neil.  They don't see this
as a security threat for some blissfully ignorant reason.

I'm still sitting on a m4 patch that, by default, disallows MSA submission
from any party not also permitted to *relay* (this means that IP list based
auth works, not just SMTP AUTH).  It uses a new DaemonPortOptions flag, and
adds three ruleset lines.

Here's the actual message in which I proposed this and provided the diff.
The only thing missing here is one more op.me doc fix, but it's functionally
correct.  The patch still works on 8.13.x.

=

Date: Wed, 16 Jun 2004 22:29:12 -0400 (EDT)
From: Todd Vierling [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: MSA-not-like-MTA diff deux

On Wed, 16 Jun 2004, Neil W Rickert wrote:

Relay permission is already logically necessary for legitimate users of
the MSA port, so this aspect can and should be enforced as mandatory.

 If Relay permission is already logically necessary then what we are
 already doing must meet your requirements.

Except that currently, the following part is not enforced:

3. MTAs should never contact the MSA port for anonymous mail delivery
   injection.

because remote systems are indeed being allowed to inject mail anonymously,
so long as the RHS of the RCPT TO is local.

 You would have done better to just submit a patch with a brief
 explanation, and without the bogus claim that there is a security
 hole.

Those of us who are deluged by a flood of wormspew, and fighting back
against it fiercely, consider this to be a huge security hole.  Sendmail is
[when using the default out-of-the-box settings] allowing at least one worm
so far to propagate beyond the realm of port-25 filtering.

This is why I started by asking a question about it in a security context,
and was rather taken aback by what appeared (to me) to be denial of the
problem's existence.  Rather, it only appears to be that the members of the
Sendmail author team haven't -- yet -- seen the detrimental effects of a
MTA-as-MSA port to quite the degree that some others of us already have.

I apologize for my misinterpretation.  To level the issue a bit:

 Maybe at this stage you should extend the patch to cover the
 documentation (cf/README and maybe doc/op/op.me (for the proposed new
 modifier for DaemonPortOptions).  Then resubmit and see what Claus
 decides to do with it.

Attached below.  Diff is against 8.12.11.

I used modifier `L' as a ``not Local'' meaning, given that the other uppercase
letters mean ``not Something'', but maybe that's not so intuitive?[*] If you
think it should use a different option letter, let me know and I'll re-roll
the diff.

[*] As if rulesets are intuitive.  But then, I did write a text search algo
in m4 some ages ago  8-)

=

--- doc/op/op.me.orig   Wed Jun 16 22:01:02 2004
+++ doc/op/op.meWed Jun 16 22:11:05 2004
@@ -6457,11 +6457,15 @@
 A  disable AUTH (overrides 'a' modifier)
 C  don't perform hostname canonification
 E  disallow ETRN (see RFC 2476)
+L  treat all mail as nonlocal; require relay permission (.cf)
 O  optional; if opening the socket fails ignore it
 S  don't offer STARTTLS
 .)b
-That is, one way to specify a message submission agent (MSA) that
-always requires authentication is:
+The standard message submission agent (MSA) uses the ``L''
+modifier to restrict message submission only to clients that have
+mail relaying permission.
+A way to specify a message submission agent (MSA) that
+always requires SMTP AUTH based authentication is:
 .(b
 O DaemonPortOptions=Name=MSA, Port=587, M=Ea
 .)b
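Review bot: the new sentence in this hunk says the standard MSA uses the ``L'' modifier, but the example directly under it is unchanged and still reads `O DaemonPortOptions=Name=MSA, Port=587, M=Ea` with no `L`, and nothing visible in the diff alters the shipped `M=E` default that cf/README documents. Either show the flag in the example (`M=EaL`, or `M=EL` for the IP-list-only case) or drop the claim that the standard MSA uses it. The trailing `(.cf)` on the `L` description line is also unexplained; none of the other flag descriptions use that notation, so spell out what it refers to.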
@@ -6471,8 +6475,8 @@
 .b ${daemon_flags} .
 Notice: Do
 .b not
-use the ``a'' modifier on a public accessible MTA!
-It should only be used for a MSA that is accessed by authorized
+use the ``a'' and/or ``L'' modifiers on a publicly accessible MTA!
+They should only be used for a MSA that is accessed by authorized
 users for initial mail submission.
 Users must authenticate to use a MSA which has this option turned on.
 The flags ``c'' and ``C'' can change the default for
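Review bot: the unchanged context line `Users must authenticate to use a MSA which has this option turned on.` becomes wrong once the warning above it covers both ``a'' and ``L'': with `L` a client needs relay permission, which the cover message says can come from an IP list rather than SMTP AUTH, so it need not authenticate at all. Split the sentence, for example ``With `a' users must authenticate with SMTP AUTH; with `L' the client must have relay permission (SMTP AUTH or access map based)'', and replace ``this option'' with the flag names so the two are not conflated.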
--- cf/m4/proto.m4.orig Sun Jan 11 12:54:06 2004
+++ cf/m4/proto.m4  Wed Jun 16 22:00:47 2004
@@ -347,7 +347,7 @@
 ifelse(defn(`_DPO_'), `',
 `ifdef(`_NETINET6_', `O DaemonPortOptions=Name=MTA-v4, Family=inet
 O 
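Review bot: the cf/m4/proto.m4 hunk is cut off after its first context lines, so the part that actually enforces anything (the new DaemonPortOptions flag and the three ruleset lines the cover message describes) cannot be checked against the documentation changes in the op.me hunks. As posted, the diff also touches only doc/op/op.me and cf/m4/proto.m4; cf/README, which Neil asked to be covered and which carries the default `DAEMON_OPTIONS(`Port=587, Name=MSA, M=E')` line, is not updated, so a reader of README would still see the MSA documented without `L`.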

Re: Why do so few mail providers support Port 587?

2005-02-17 Thread Owen DeLong
Chances are that the Sendmail team doesn't share your worm problems as most
of them are not likely running unpatched windows boxes.
Owen




Re: Why do so few mail providers support Port 587?

2005-02-16 Thread Owen DeLong

--On Wednesday, February 16, 2005 2:16 + Thor Lancelot Simon
[EMAIL PROTECTED] wrote:

 On Tue, Feb 15, 2005 at 09:00:11PM -0500, Sean Donelan wrote:
  Sendmail now includes Port 587, although some people disagree how
  it's done.  But Exchange and other mail servers are still difficult
  for system administrators to configure Port 587 (if it doesn't say
  click here for Port 587 during the Windows installer, it's too
  complicated).

 This is utterly silly.  Running another full-access copy of the MTA
 on a different port than 25 achieves precisely nothing -- and this
 support has always been included in sendmail, with a 1-line change
 either to the source code (long ago) or the default configuration or
 simply by running sendmail from inetd.

 What benefit, exactly, do you see to allowing unauthenticated mail
 submission on a different port than the default SMTP port?

The whole point of port 587 is that it should _NOT_ allow unauthenticated
submission, where, port 25 generally MUST allow unauthenticated submission
for at least some categories of destination addresses.  If port 25 only
gets used for MTA to MTA communications and port 587 can be used for
CLIENT-MTA submissions on an authenticated only basis, there is some
advantage to it.  Admittedly, port 587 would be unnecessary if ISPs weren't
blocking port 25, but, since they are, it is.  Likely, if people started
requiring SMTP AUTH often enough on port 25 for relay access, the port 25
blocks could be eliminated and port 587 could fade away.  However, in the
meantime, port 587 is a reasonable solution to the real world situation.

 Similarly, what harm, exactly, do you see to allowing authenticated
 mail submission on port 25?

None.  However, it's very hard to control at the router level whether
your thousands of DSL users are making authenticated submission or
non-authenticated submission to far-end mail servers.  By blocking
port 25 and knowing that almost anyone using 587 is probably recently
enough up on RFCs to know not to allow unauthenticated submission,
this becomes a reasonable compromise.  Everyone requiring auth on
port 25 for relay submission would be a better solution, but, is also
an unrealistic view of the world.

 What will actually give us some progress on spam and on usability
 issues is requiring authentication for mail submission.  Which TCP
 port is used for the service matters basically not at all.

Yep, but, if we block virus-25 and support auth-587, then, we aren't
allowing virus-25 by accident in the current environment.
Owen
--
If this message was not signed with gpg key 0FE2AA3D, it's probably
a forgery.




Re: Why do so few mail providers support Port 587?

2005-02-16 Thread Owen DeLong

--On Tuesday, February 15, 2005 21:30 -0500 Sean Donelan [EMAIL PROTECTED]
wrote:

 On Wed, 16 Feb 2005, Thor Lancelot Simon wrote:
  This is utterly silly.  Running another full-access copy of the MTA
  on a different port than 25 achieves precisely nothing -- and this
  support has always been included in sendmail, with a 1-line change
  either to the source code (long ago) or the default configuration or
  simply by running sendmail from inetd.

  What benefit, exactly, do you see to allowing unauthenticated mail
  submission on a different port than the default SMTP port?

  Similarly, what harm, exactly, do you see to allowing authenticated
  mail submission on port 25?

 How do you tell the difference?  Yes, you can run any protocol on any
 port.  But Well-known ports have a better chance of working across today's
 Internet full of NAT and firewalls.  By keeping authenticated and
 unauthenticated protocols on different ports, it's easier to control
 the use of unauthenticated protocols at various middle-points in the
 network without affecting people using authenticated protocols.

 Port 25 accepts unauthenticated e-mail for various legacy reasons, which
 are not going to go away soon.

 Port 587 is supposed to be authenticated, although some programmers and
 system administrators think it's too hard to ask for authentication.

I would argue that in today's environment, a well implemented mailserver
supports authenticated submission on ports 25 and 587, and, unauthenticated
delivery on port 25.  It may also support some level of unauthenticated
submission by local users on port 25, if necessary.

 If you accept unauthenticated mail on Port 587, don't complain about
 the spam you are going to get.

If you accept unauthenticated mail on port 587, the problem isn't the
spam you will receive, it is the spam you will forward.
Owen
--
If this message was not signed with gpg key 0FE2AA3D, it's probably
a forgery.




Re: Why do so few mail providers support Port 587?

2005-02-16 Thread Owen DeLong
Um, you actually have to work somewhat to get sendmail to support
unauthenticated submission on port 587.  The default configuration
is that port 25 is unauthenticated (albeit with some restrictions
on relaying (only for local clients)) and port 587 is authenticated.

As such, I'm not sure why you seem to think that sendmail on port 587
is unauthenticated.

Sure, spammers will try anything that might work.  However, for the moment,
587 is a reasonable pragma.  Unauthenticated relays on 587 should definitely
be blocked no questions asked.  It's not that clear cut for 25.

Owen

--On Wednesday, February 16, 2005 2:36 + Thor Lancelot Simon
[EMAIL PROTECTED] wrote:

 On Wed, Feb 16, 2005 at 02:23:04AM +, Adrian Chadd wrote:
  Quite useful when it works (read: the other party has implemented
  AUTH-SMTP on port 587).

 And if they've implemented unauthenticated SMTP on port 587, like,
 say, Sendmail, you've achieved nothing, or possibly worse, since you
 have encouraged people to simply run open relays on a different port
 than 25.  How long do you think it's going to take for spammers to
 take advantage of this?  (That's a rhetorical question: I already see
 spam engines trying to open port 587 connections in traces).

 Slavishly changing ports isn't the solution.  Actually using
 authentication is the solution.  It is silly -- to say the least -- to
 confuse the benefits of the two.

 Thor

--
If this message was not signed with gpg key 0FE2AA3D, it's probably
a forgery.




Re: Why do so few mail providers support Port 587?

2005-02-16 Thread Joe Maimon

Thor Lancelot Simon wrote:
On Tue, Feb 15, 2005 at 09:00:11PM -0500, Sean Donelan wrote:
 

Sendmail now includes Port 587, although some people disagree how
it's done.  But Exchange and other mail servers are still difficult
for system administrators to configure Port 587 (if it doesn't say
click here for Port 587 during the Windows installer, it's too
complicated).
   

This is utterly silly.  Running another full-access copy of the MTA
on a different port than 25 achieves precisely nothing
 

I think we have ignored/trivialized the obvious.
Port 587 gives you the ability to class your connections as either
MTA-MTA, Legacy User-MTA, or MSP User-MTA.

This is quite valuable as you now have the theoretical ability to treat
them differently, whether that means different
access/authentication/encryption/firewall/relay policies or whatever.

If all one does is run a full copy on that port then *THEY* have gained 
almost nothing in practice, aside from further un-exploited 
capabilities. However we all gain from ever increasing, even if it is 
only incremental, support of well known RFC's.

Specific MTA discussions aside, port 587 is a good thing, and the more 
of it the merrier.





Re: Why do so few mail providers support Port 587?

2005-02-16 Thread Daniel Senie
At 04:42 AM 2/16/2005, Owen DeLong [EMAIL PROTECTED] wrote:
If you accept unauthenticated mail on port 587, the problem isn't the
spam you will receive, it is the spam you will forward.
ONLY if that unauthenticated sender is also permitted to RELAY.
That is not a given. The decision to relay or not is separate from whether 
the user is authenticated with SMTP AUTH or some other method (IP address 
range, smtp-after-pop), just as it is on port 25.

I'm not arguing for leaving port 587 wide open, but there are uses to 
allowing port 587 and 25 to have the same rules, and not permit relay on 
either. This is necessary where SMTP-after-POP is still in use, for 
example, but does NOT imply open relay. Yes, authorized users (authorized 
by AUTH, smtp-after-pop, or IP address ranges) can still send mail 
(including spam, subject to enforcement) but that does NOT constitute open 
relay. 



Re: Why do so few mail providers support Port 587?

2005-02-16 Thread Chip Mefford
Thor Lancelot Simon wrote:
| On Tue, Feb 15, 2005 at 09:00:11PM -0500, Sean Donelan wrote:
|
|Sendmail now includes Port 587, although some people disagree how
|it's done.  But Exchange and other mail servers are still difficult
|for system administrators to configure Port 587 (if it doesn't say
|click here for Port 587 during the Windows installer, it's too
|complicated).
|
|
| This is utterly silly.  Running another full-access copy of the MTA
| on a different port than 25 achieves precisely nothing --
Actually, it achieves a number of things.
First that comes to mind is to allow road-warriors
to establish TLS connections with the home MTA
by side-stepping hotel and hotspot style MTA proxies.


Re: Why do so few mail providers support Port 587?

2005-02-16 Thread Valdis . Kletnieks
On Wed, 16 Feb 2005 01:46:09 PST, Owen DeLong said:
 
 
 Um, you actually have to work somewhat to get sendmail to support
 unauthenticated submission on port 587.  The default configuration
 is that port 25 is unauthenticated (albeit with some restrictions
 on relaying (only for local clients)) and port 587 is authenticated.
 
 As such, I'm not sure why you seem to think that sendmail on port 587
 is unauthenticated.

Umm.. because the Sendmail 8.13.3 tree has this:

(from cf/README):

If DAEMON_OPTIONS is not used, then the default is

DAEMON_OPTIONS(`Port=smtp, Name=MTA')
DAEMON_OPTIONS(`Port=587, Name=MSA, M=E')

from doc/op/op.me:

That is, one way to specify a message submission agent (MSA) that
always requires authentication is:
.(b
O DaemonPortOptions=Name=MSA, Port=587, M=Ea
.)b


Hmm.. no default 'a' to require authentication by default.

That would probably explain why you actually have to work to set it up.


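The policy difference this thread keeps circling is easier to see on concrete inputs than in prose: Valdis's quote above shows the shipped sendmail MSA as `M=E` (only ETRN refused) against the op.me example `M=Ea` (SMTP AUTH required), Todd Vierling's message earlier on this page proposes an `L` flag that makes the MSA demand relay permission instead, and Daniel Senie's post points out that relay permission can come from an IP range rather than SMTP AUTH. The model below is an added example and is not code from the thread or from sendmail; the local domain `example.org`, the `192.0.2.0/24` relay range, the client addresses and the reply wording are all constructed for it (real sendmail replies differ), and the `L` behaviour is the proposal as described in Todd's text, not a feature sendmail ships.

```python
# Added example: not code from the NANOG thread or from sendmail.  It models the
# RCPT/ETRN decisions discussed on this page so the daemon flavours can be
# compared on identical inputs:
#   port 25 MTA          no M= flags   anonymous mail accepted for local domains
#   stock 8.13 MSA       M=E           only ETRN refused; anonymous local RCPT still ok
#   MSA per op.me        M=Ea          MAIL/RCPT refused until SMTP AUTH succeeds
#   proposed MSA         M=EL          RCPT refused unless the client may relay
# Assumptions (not from the page): the local domain, the IP allow list and the
# reply wording are constructed for the example; real sendmail text differs.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LOCAL_DOMAINS = {"example.org"}                  # constructed: domains we deliver for
RELAY_NETWORKS = [ip_network("192.0.2.0/24")]    # constructed: access-map RELAY range


@dataclass
class Session:
    port: int
    client_ip: str
    modifiers: str = ""          # letters from DaemonPortOptions M=
    authenticated: bool = False  # True once AUTH has succeeded


def has_relay_permission(s: Session) -> bool:
    """Relay permission as the thread uses it: SMTP AUTH *or* a trusted source IP."""
    if s.authenticated:
        return True
    return any(ip_address(s.client_ip) in net for net in RELAY_NETWORKS)


def is_local(rcpt: str) -> bool:
    return rcpt.rsplit("@", 1)[-1].lower() in LOCAL_DOMAINS


def reply(s: Session, verb: str, arg: str = "") -> str:
    """SMTP reply to one command under the session's daemon flags."""
    if verb == "ETRN":
        return ("502 5.7.0 ETRN not allowed on this port" if "E" in s.modifiers
                else "250 2.0.0 Queuing started")
    if "a" in s.modifiers and not s.authenticated and verb in ("MAIL", "RCPT"):
        return "530 5.7.0 Authentication required"
    if verb == "MAIL":
        return "250 2.1.0 Sender ok"
    if verb == "RCPT":
        # Proposed L flag: the MSA treats every recipient as nonlocal, so a
        # client without relay permission gets nothing through, local or not.
        if "L" in s.modifiers and not has_relay_permission(s):
            return "550 5.7.1 Relaying denied"
        if is_local(arg) or has_relay_permission(s):
            return "250 2.1.5 Recipient ok"
        return "550 5.7.1 Relaying denied"
    return "500 5.5.1 Command unrecognized"


def transcript(s: Session, rcpt: str) -> list:
    """Both sides of an anonymous injection attempt; stops at the first rejection."""
    lines = []
    for verb, keyword, arg in (("MAIL", "FROM", "worm@nowhere.invalid"),
                               ("RCPT", "TO", rcpt)):
        lines.append(f"C: {verb} {keyword}:<{arg}>")
        lines.append("S: " + reply(s, verb, arg))
        if not lines[-1].startswith("S: 250"):
            break
    return lines


def accepts_anonymous_local(modifiers: str, client_ip: str = "203.0.113.9") -> bool:
    """Does a remote, unauthenticated client get a *local* RCPT accepted on 587?"""
    s = Session(587, client_ip, modifiers)
    return reply(s, "RCPT", "someone@example.org").startswith("250")


if __name__ == "__main__":
    for flags in ("E", "Ea", "EL"):
        print(f"M={flags:<3} anonymous local injection accepted: "
              f"{accepts_anonymous_local(flags)}")
    for line in transcript(Session(587, "203.0.113.9", "EL"), "someone@example.org"):
        print(line)
```

Running it shows the point Todd and Valdis are making: with the shipped `M=E` a remote, unauthenticated client still gets a local recipient accepted on 587, exactly as it would on 25, so port-25 filtering buys nothing against a worm that also tries 587. `M=Ea` closes that by refusing MAIL and RCPT until AUTH, and the proposed `M=EL` closes it while still letting a client inside the relay range (here `192.0.2.5`) submit without SMTP AUTH, which is the smtp-after-pop / IP-range case Daniel Senie describes.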


Re: Why do so few mail providers support Port 587?

2005-02-16 Thread Sean Donelan

Yet another reason for supporting port 587 on your servers for remote
authenticated mail submission from your users.  If you don't support
port 587, and use SPF, it may break when AOL or other providers re-direct
port 25.

http://www.heise.de/english/newsticker/news/56437

 with many questions related to this topic. The company was advising AOL
 customers affected to switch to message submission port 587, the signals
 from which were not being filtered by AOL, the spokesman said. This item
 of advice on switching coincides with that given by AOL itself. Not all
 mail providers accept messages from this port, however; and not every
 mail client allows users to freely select their SMTP port.


Re: Why do so few mail providers support Port 587?

2005-02-15 Thread Thor Lancelot Simon

On Tue, Feb 15, 2005 at 09:00:11PM -0500, Sean Donelan wrote:
 
 Sendmail now includes Port 587, although some people disagree how
 it's done.  But Exchange and other mail servers are still difficult
 for system administrators to configure Port 587 (if it doesn't say
 click here for Port 587 during the Windows installer, it's too
 complicated).

This is utterly silly.  Running another full-access copy of the MTA
on a different port than 25 achieves precisely nothing -- and this
support has always been included in sendmail, with a 1-line change
either to the source code (long ago) or the default configuration or
simply by running sendmail from inetd.

What benefit, exactly, do you see to allowing unauthenticated mail
submission on a different port than the default SMTP port?

Similarly, what harm, exactly, do you see to allowing authenticated
mail submission on port 25?

What will actually give us some progress on spam and on usability
issues is requiring authentication for mail submission.  Which TCP
port is used for the service matters basically not at all.

Thor


Re: Why do so few mail providers support Port 587?

2005-02-15 Thread Adrian Chadd

On Wed, Feb 16, 2005, Thor Lancelot Simon wrote:

 Similarly, what harm, exactly, do you see to allowing authenticated
 mail submission on port 25?

because then you can filter port 25 access to anywhere except your
local mailserver, like we do here on campus, and suggest to people
they use a VPN or Authenticated SMTP to port 587 to their ISP or
company when they wish to use an external mail server.

Quite useful when it works (read: the other party has implemented
AUTH-SMTP on port 587).






adrian

-- 
Adrian Chadd                  You don't have a TV? Then what's
[EMAIL PROTECTED]             all your furniture pointing at?





Re: Why do so few mail providers support Port 587?

2005-02-15 Thread Sean Donelan

On Wed, 16 Feb 2005, Thor Lancelot Simon wrote:
 This is utterly silly.  Running another full-access copy of the MTA
 on a different port than 25 achieves precisely nothing -- and this
 support has always been included in sendmail, with a 1-line change
 either to the source code (long ago) or the default configuration or
 simply by running sendmail from inetd.

 What benefit, exactly, do you see to allowing unauthenticated mail
 submission on a different port than the default SMTP port?

 Similarly, what harm, exactly, do you see to allowing authenticated
 mail submission on port 25?

How do you tell the difference?  Yes, you can run any protocol on any
port.  But Well-known ports have a better chance of working across today's
Internet full of NAT and firewalls.  By keeping authenticated and
unauthenticated protocols on different ports, it's easier to control
the use of unauthenticated protocols at various middle-points in the
network without affecting people using authenticated protocols.

Port 25 accepts unauthenticated e-mail for various legacy reasons, which
are not going to go away soon.

Port 587 is supposed to be authenticated, although some programmers and
system administrators think it's too hard to ask for authentication.

If you accept unauthenticated mail on Port 587, don't complain about
the spam you are going to get.

 What will actually give us some progress on spam and on usability
 issues is requiring authentication for mail submission.  Which TCP
 port is used for the service matters basically not at all.

In theory true, you could run a TELNET listener on Port 25 or 135.  But
the world works a bit better when most people follow the same practice.
Port 587 is for authenticated mail message submission.


Re: Why do so few mail providers support Port 587?

2005-02-15 Thread Jeff McAdams
Thor Lancelot Simon wrote:
 On Tue, Feb 15, 2005 at 09:00:11PM -0500, Sean Donelan wrote:
Sendmail now includes Port 587, although some people disagree how
it's done.  But Exchange and other mail servers are still difficult
for system administrators to configure Port 587 (if it doesn't say
click here for Port 587 during the Windows installer, it's too
complicated).

 This is utterly silly.  Running another full-access copy of the MTA
 on a different port than 25 achieves precisely nothing -- and this
 support has always been included in sendmail, with a 1-line change
 either to the source code (long ago) or the default configuration or
 simply by running sendmail from inetd.

 What benefit, exactly, do you see to allowing unauthenticated mail
 submission on a different port than the default SMTP port?

 Similarly, what harm, exactly, do you see to allowing authenticated
 mail submission on port 25?

 What will actually give us some progress on spam and on usability
 issues is requiring authentication for mail submission.  Which TCP
 port is used for the service matters basically not at all.

In general, I have agreed with your point of view in the past.  I will
say, however, that recently I have slightly retraced my position.

The only real benefit I see from it is that running multiple ports
allows the mail server to provide different policies for clients to use.

Ideally, this shouldn't be needed, but given that some mail client
software doesn't allow the configuration options that are needed in some
situations (Apple's Mail.app absolutely infuriates me at times), there
are times that slightly different policies are needed, and the only
really good way to do that is to run them on different ports.

I guess you could think of it as having port 25 available for legacy
support as more and more stuff moves to 587.

authentication for mail submission would be wonderful if it were
ubiquitous...and I'm doing my part (this message, and all others from me
these days submitted to my ISP's system with SMTP AUTH over
TLS...incidentally, they had to configure 587 in order to get the
policies workable for the variety of mail clients that customers
used...sad but true, they had no choice while maintaining any semblance
of varied client support), alas, that day is still fairly far
off...though it is getting closer.
-- 
Jeff




Re: Why do so few mail providers support Port 587?

2005-02-15 Thread Thor Lancelot Simon

On Wed, Feb 16, 2005 at 02:23:04AM +, Adrian Chadd wrote:
 
 Quite useful when it works (read: the other party has implemented
 AUTH-SMTP on port 587).

And if they've implemented unauthenticated SMTP on port 587, like,
say, Sendmail, you've achieved nothing, or possibly worse, since you
have encouraged people to simply run open relays on a different port
than 25.  How long do you think it's going to take for spammers to
take advantage of this?  (That's a rhetorical question: I already see
spam engines trying to open port 587 connections in traces).

Slavishly changing ports isn't the solution.  Actually using authentication
is the solution.  It is silly -- to say the least -- to confuse the benefits
of the two.

Thor


Re: Why do so few mail providers support Port 587?

2005-02-15 Thread Thor Lancelot Simon

On Tue, Feb 15, 2005 at 09:30:18PM -0500, Sean Donelan wrote:
 
 In theory true, you could run a TELNET listener on Port 25 or 135.  But
 the world works a bit better when most people follow the same practice.
 Port 587 is for authenticated mail message submission.

I'm sorry, your last message seemed to indicate that you felt that
Sendmail accepting unauthenticated mail on port 587 (if configured to
accept unauthenticated mail at all) was not a problem; that, somehow,
it was a *good* thing that it would happily apply the same policy to
all ports it listened on, so long as one of those ports was 587.

Is that not, in fact, your position?

It is really hard for me to see encouraging people to run additional
unauthenticated mail servers on some other port as a good idea, and it
is really hard for me to read the actual text in your first message
any other way than simply mail accepted on port 587 good.

Thor


Re: Why do so few mail providers support Port 587?

2005-02-15 Thread Daniel Golding

On 2/15/05 9:36 PM, Thor Lancelot Simon [EMAIL PROTECTED] wrote:

 
 On Wed, Feb 16, 2005 at 02:23:04AM +, Adrian Chadd wrote:
 
 Quite useful when it works (read: the other party has implemented
 AUTH-SMTP on port 587).
 
 And if they've implemented unauthenticated SMTP on port 587, like,
 say, Sendmail, you've achieved nothing, or possibly worse, since you
 have encouraged people to simply run open relays on a different port
 than 25.  How long do you think it's going to take for spammers to
 take advantage of this?  (That's a rhetorical question: I already see
 spam engines trying to open port 587 connections in traces).
 
 Slavishly changing ports isn't the solution.  Actually using authentication
 is the solution.  It is silly -- to say the least -- to confuse the benefits
 of the two.
 
 Thor

Thor,

I don't think anyone is confusing the benefits. Sean's suggestion was quite
clear. Run SMTP-Auth on port 587 and leave port 25 for email from other mail
servers. There are lots of benefits to this approach.

For one thing, it eliminates a lot of the reasons for provider email
smarthosting, which needs to go away due to massive abuse. Sender email
authentication will make smarthosting obsolete and users will need a
different way of sending outgoing mail that isn't spam to their own mail
servers for legitimate relay. ISPs filter port 25 outbound, but leave 587
open with the idea that users would have to authenticate against distant
mail servers on that port. Everything works well.

587 running SMTP auth (and relaying for authenticated users) and port 25 for
local (non relay) delivery without authentication should be the default on
all servers. 

-- 
Daniel Golding
Network and Telecommunications Strategies
Burton Group




RE: Why do so few mail providers support Port 587?

2005-02-15 Thread Erik Amundson

I just get sick of providers blocking traffic...their job is to PASS
TRAFFIC.  There must be a better solution, but laziness is getting the
better of us all, as usual.

We've had so many problems with IP Providers blocking various IP
PROTOCOLS that we've just ended up forcing all of our users to use VPN
tunnels for everything...except when the providers block that!!!  Then
we're just screwed.

Anyways, just my two cents...

Please don't flame me, I'm just a lowly network guy:)



- Erik

-Original Message-
From: Sean Donelan [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, February 15, 2005 8:00 PM
To: nanog@merit.edu
Subject: Why do so few mail providers support Port 587?


Although RFC2476 was published in December 1998, it's amazing how few
mail providers support the Message Submission protocol for e-mail on
Port 587.  Even odder, some mail providers use other ports such as 26 or
2525, but not the RFC recommended Port 587 for remote authenticated mail
access for users.

Large mail providers like AOL, GMAIL and Yahoo support authenticated
mail on port 587; and some also support Port 465 for legacy SMTP/SSL.
But a lot of universities and smaller mail providers don't.  They still
use SMTP Port 25 for roaming users.  With ATT, Earthlink, COX, Netzero
and other ISPs filtering port 25 for years, I would have thought most
mail providers would have started supporting Port 587 by now.

What can be done to encourage universities and other mail providers with
large roaming user populations to support RFC2476/Port 587?
What can be done to encourage the mail client software programmers (i.e.
Outlook, Eudora, etc) to make Port 587 the default (or at least the
first try) and let the user change it back to port 25 (or automatically
fallback) if they are still using a legacy mail server.

Sendmail now includes Port 587, although some people disagree how it's
done.  But Exchange and other mail servers are still difficult for
system administrators to configure Port 587 (if it doesn't say click
here for Port 587 during the Windows installer, it's too complicated).




Re: Why do so few mail providers support Port 587?

2005-02-15 Thread Adrian Chadd

On Tue, Feb 15, 2005, Erik Amundson wrote:
 
 I just get sick of providers blocking traffic...their job is to PASS
 TRAFFIC.  There must be a better solution, but laziness is getting the
 better of us all, as usual.
 
 We've had so many problems with IP Providers blocking various IP
 PROTOCOLS that we've just ended up forcing all of our users to use VPN
 tunnels for everything...except when the providers block that!!!  Then
 we're just screwed.
 
 Anyways, just my two cents...
 
 Please don't flame me, I'm just a lowly network guy:)

I used to agree with this. This was, of course, until I started
being the poor sap at the end of the huge spam floods or massive DDoS
attacks.

My upstream provider blocks the following ports, just as an example:

 deny   tcp any gt 1023 any eq 445
 deny   tcp any gt 1023 any eq 135
 deny   tcp any gt 1023 any eq 1025
 deny   tcp any gt 1023 any eq 2745
 deny   tcp any gt 1023 any eq 6129
 deny   tcp any gt 1023 any eq 9898 syn
 deny   tcp any gt 1023 any eq 5554 syn
 deny   tcp any gt 1023 any eq 1023 syn
 deny   tcp any gt 1023 any eq 139
 deny   tcp any gt 1023 any eq 1433
 deny   tcp any gt 1023 any eq 3127
 deny   tcp any gt 1023 any eq 5000
 deny   udp any gt 1023 any eq 1026
 deny   udp any gt 1023 any eq 1027
 deny   udp any gt 1023 any eq 1028
 deny   udp any gt 1023 any eq 1029
 deny   udp any gt 1023 any eq netbios-ns
 deny   udp any eq 4000 any gt 1023
 deny   udp any gt 1023 any eq 1434
 permit ip any any

.. and they've reported to me (and I wonder if they're on the nanog
list :) that they're seeing more traffic hit this ACL than 'normal'
traffic passing. This may not hold true for /all/ network traffic
and I'm sure a lot of you will be seeing different traffic patterns
but it still shocked me. I've had a few people request services
which this ACL does filter and my reply is now always use a VPN
or use a tunnel or buy ${SMALL_VPN_APPLIANCE}.

I don't like filtering. I liked the day when my ISPs mailserver would
break - so I'd just use another ISP for outbound mail until it was
fixed. Sob.




Adrian


-- 
Adrian Chadd                  You don't have a TV? Then what's
[EMAIL PROTECTED]             all your furniture pointing at?



Re: Why do so few mail providers support Port 587?

2005-02-15 Thread Jason Frisvold

On Tue, 15 Feb 2005 21:50:23 -0500, Daniel Golding
[EMAIL PROTECTED] wrote:
 Thor,
 
 587 running SMTP auth (and relaying for authenticated users) and port 25 for
 local (non relay) delivery without authentication should be the default on
 all servers.

Agreed!  At the very least you get the benefit of an electronic trail
to follow if one of your users *is* spamming..  :)

If you only relay mail from authenticated users, drop (not bounce) any
mail destined for a non-existent account, and use reasonable spam
blocking and tagging, you should be able to reduce spam to a slow
trickle..  It's working here, thus far...  And I don't have
authentication fully implemented yet.  :)

 --
 Daniel Golding
 Network and Telecommunications Strategies
 Burton Group
 
 


-- 
Jason 'XenoPhage' Frisvold
[EMAIL PROTECTED]


Re: Why do so few mail providers support Port 587?

2005-02-15 Thread Bob Martin
dons ISP hat
We get sick of blocking ports.
We're little guys. About 10,000 users. Yesterday, we blocked 11025 
connections either inbound to addresses that aren't mail servers, or 
outbound from addresses that aren't supposed to be mail servers.

This is a case of those that know a little too much preying on those 
that don't know quite enough with those that don't have enough of 
anything trying to stop it from happening.

I can't flame you. I fully agree with you. But until I can find a way to 
stop the Big Bad Wolf from huffing and puffing, the house will be made 
of bricks, and the door will be locked.

Bob Martin
Erik wrote:
I just get sick of providers blocking traffic...their job is to PASS
TRAFFIC.  There must be a better solution, but laziness is getting the
better of us all, as usual.
We've had so many problems with IP Providers blocking various IP
PROTOCOLS that we've just ended up forcing all of our users to use VPN
tunnels for everything...except when the providers block that!!!  Then
we're just screwed.
Anyways, just my two cents...
Please don't flame me, I'm just a lowly network guy:)

- Erik
-Original Message-
From: Sean Donelan [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, February 15, 2005 8:00 PM
To: nanog@merit.edu
Subject: Why do so few mail providers support Port 587?

Although RFC2476 was published in December 1998, its amazing how few
mail providers support the Message Submission protocol for e-mail on
Port 587.  Even odder, some mail providers use other ports such as 26 or
2525, but not the RFC recommended Port 587 for remote authenticated mail
access for users.
Large mail providers like AOL, GMAIL and Yahoo support authenticated
mail on port 587; and some also support Port 465 for legacy SMTP/SSL.
But a lot of universities and smaller mail providers don't.  They still
use SMTP Port 25 for roaming users.  With ATT, Earthlink, COX, Netzero
and other ISPs filtering port 25 for years, I would have thought most
mail providers would have started supporting Port 587 by now.
What can be done to encourage universities and other mail providers with
large roaming user populations to support RFC2476/Port 587?
What can be done to encourage the mail client software programmers (i.e.
Outlook, Eudora, etc) to make Port 587 the default (or at least the
first try) and let the user change it back to port 25 (or automatically
fallback) if they are still using a legacy mail server.
Sendmail now includes Port 587, although some people disagree how it's
done.  But Exchange and other mail servers are still difficult for
system administrators to configure Port 587 (if it doesn't say click
here for Port 587 during the Windows installer, it's too complicated).



Re: Why do so few mail providers support Port 587?

2005-02-15 Thread Daniel Senie
At 09:00 PM 2/15/2005, you wrote:
Although RFC2476 was published in December 1998, it's amazing
how few mail providers support the Message Submission protocol
for e-mail on Port 587.  Even odder, some mail providers
use other ports such as 26 or 2525, but not the RFC recommended
Port 587 for remote authenticated mail access for users.
Large mail providers like AOL, GMAIL and Yahoo support authenticated
mail on port 587; and some also support Port 465 for legacy SMTP/SSL.
But a lot of universities and smaller mail providers don't.
Lots of small companies support these as well, including hosting companies 
and smaller ISPs, and have done so for 5 or 6 years.

They still use SMTP Port 25 for roaming users.  With ATT, Earthlink, COX,
Netzero and other ISPs filtering port 25 for years, I would have thought
most mail providers would have started supporting Port 587 by now.
What can be done to encourage universities and other mail providers
with large roaming user populations to support RFC2476/Port 587?
Get the software developers to do some useful programming.
What can be done to encourage the mail client software programmers (i.e.
Outlook, Eudora, etc) to make Port 587 the default (or at least the
first try) and let the user change it back to port 25 (or automatically
fallback) if they are still using a legacy mail server.
Don't forget enabling SMTP AUTH by default. Microsoft seems to only support 
SMTPS and POPS (alternate ports).

Eudora finally supports TLS reasonably well now that they switched to using 
OpenSSL. While Eudora can be configured for port 587, it takes some doing, 
since users have to install the esoteric settings menu plugin or edit a 
config file.

It'd be nice if the new account wizards actually got this stuff right. We 
give customers a document that walks them through the wizard, then walks 
them through fixing the things the wizard didn't do.


Sendmail now includes Port 587, although some people disagree how
it's done.
The configs for sendmail that come with RedHat have it listening only to 
127.0.0.1 by default. The config file (.mc) has a good config line for port 
587 documented and commented out. They also have a port 465 example, which 
has encryption required, but not AUTH.

Is the proper configuration or proper examples the responsibility of 
sendmail developers, those packaging sendmail with systems, or those who 
deploy the software? 
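As an added illustration of the sendmail.mc situation described in the post above (this is example configuration, not the Red Hat package's own file nor anything posted in the thread), the first group shows the shape of the shipped defaults as the post describes them: an MTA bound to the loopback address, the port 587 line commented out, and a port 465 listener whose `M=s` modifier forces TLS but does not require authentication. The second group is a hardened variant: port 25 stays an unauthenticated inbound MTA for local domains, port 587 becomes an MSA that refuses unauthenticated senders (`M=a`) and ETRN (`M=E`), and the legacy SMTPS listener gains the `a` modifier too. It assumes the TLS certificate directives (`confSERVER_CERT`, `confSERVER_KEY`, `confCACERT_PATH`) are already set elsewhere in the file and that a SASL backend is installed; the mechanism list is a typical one, not the only valid choice.

```m4
dnl ---- Shape of the shipped defaults as described in the post:
dnl ---- loopback-only MTA, submission commented out, SMTPS with TLS
dnl ---- required (M=s) but no authentication required.
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
dnl DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
dnl DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl

dnl ---- Hardened variant (added example, assumes the host is meant to
dnl ---- receive internet mail; keep Addr=127.0.0.1 on port 25 otherwise).
dnl Port 25: inbound MTA for local domains. No AUTH needed; relaying for
dnl non-local recipients stays disabled by the default relay rules.
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
dnl Port 587: message submission only. M=E disallows ETRN, M=a rejects
dnl MAIL FROM unless the client has authenticated first.
DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
dnl Port 465 (legacy SMTPS): M=s starts TLS immediately on connect;
dnl adding 'a' requires AUTH as well, which the stock example omits.
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=sa')dnl

dnl SMTP AUTH: relaying is granted only to clients authenticated with one
dnl of the trusted mechanisms. In confAUTH_OPTIONS, 'A' sets AUTH= on the
dnl envelope only after a successful authentication, and 'p' refuses
dnl plaintext mechanisms (PLAIN, LOGIN) unless the link is already
dnl encrypted with STARTTLS or SMTPS, so credentials never cross in clear.
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_OPTIONS', `A p')dnl
```

After regenerating sendmail.cf from the .mc file and restarting, an unauthenticated client on port 587 is refused at MAIL FROM, and a client that tries PLAIN or LOGIN before STARTTLS finds those mechanisms are not offered in the EHLO response; checking both behaviours against your own server is the quickest way to confirm the submission port does not blindly relay.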


