Re: Anyone solely using SMTP Auth for outbound mail?
On 2011-07-22 mouss wrote:
> On 20/07/2011 22:15, Peter Tselios wrote:
>> Well, since I plan to move into the Postfix wagon, from scratch, I
>> want to learn more about the 587 port submission and the blockage of
>> port 25 for that. What are the best practices on the matter? Are
>> there any documents on that? Soren how do you implement it?
>
> The new standard recommends using port 587 (now called "submission")
> for mail submission, instead of overloading port 25.
>
> it is recommended that submission access requires authentication.

Authentication is mandatory for mail submission, according to RFC4409.

Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
Re: Anyone solely using SMTP Auth for outbound mail?
Bernhard Rohrer wrote:
>
> seconded, only that submission is 587 ;)
>

Yes, of course! Stupid me :-)
Re: Anyone solely using SMTP Auth for outbound mail?
On 07/18/2011 06:35 PM, mouss wrote:
> On 18/07/2011 19:40, Søren Schrøder wrote:
>> I'm doing a 1.5M accounts setup with smtp-auth (submission tcp/587 using
>> postfix with dovecot-auth) and a plain smtp/25 for an allowed range of IP's
>> for our fixed IP customers
>>
>> The backend is openldap/postfix/dovecot
>>
>
> are you a (relatively) large ISP? if so, how did you move to the
> submission part? I am not asking about the tech part, but about the
> customer relationship part. your experience may be helpful to others.
>

Whenever you get a support call, mention that you have a new, faster, server with more space and you're willing to upgrade them for free; all they'll have to do is change a few settings.
Re: Anyone solely using SMTP Auth for outbound mail?
On 18/07/2011 19:40, Søren Schrøder wrote:
> I'm doing a 1.5M accounts setup with smtp-auth (submission tcp/587 using
> postfix with dovecot-auth) and a plain smtp/25 for an allowed range of IP's
> for our fixed IP customers
>
> The backend is openldap/postfix/dovecot
>

are you a (relatively) large ISP? if so, how did you move to the submission part? I am not asking about the tech part, but about the customer relationship part. your experience may be helpful to others.
Re: Anyone solely using SMTP Auth for outbound mail?
I'm doing a 1.5M accounts setup with smtp-auth (submission tcp/587 using postfix with dovecot-auth) and a plain smtp/25 for an allowed range of IP's for our fixed IP customers

The backend is openldap/postfix/dovecot

--
Søren Schrøder. Obey Gravity - It's the law !
Re: Anyone solely using SMTP Auth for outbound mail?
On Mon, Jul 18, 2011 at 09:20:12AM -0400, Curtis Maurand wrote:
> We use combination of POP/IMAP before SMTP or SMTP auth.

Since this thread was about best practices, let's not sully it with dirty kludges. :)

POP/IMAP-before-SMTP was an ugly workaround at best. It's not always going to work with mail clients; there is no standard for them to implement. It's also potentially weak and exploitable.

SASL AUTH works. It's a real standard, so clients receive inband feedback on whether or not they can relay. It can be secured.

I can understand not tearing down a working POP/IMAP-before-SMTP system, but definitely do not recommend that any new site should implement that kludge. Let it go away!

--
Offlist mail to this address is discarded unless "/dev/rob0" or "not-spam" is in Subject: header
Re: Anyone solely using SMTP Auth for outbound mail?
We use combination of POP/IMAP before SMTP or SMTP auth.

--C

Bernhard Rohrer wrote:
>
> seconded, only that submission is 587 ;)
>
>
> ----- original message -----
> From: "Бак Микаел" mikael@yandex.ru
> To: "Postfix users"
> Date: Mon, 18 Jul 2011 12:59:05 +0200
> -----
>
>
>> l...@airstreamcomm.net wrote:
>>>
>>> To summarize, we think SMTP Auth is the simplest and most useful way to
>>> allow people to send mail through our outbound mail system, and we are
>>> hoping to get some feedback from the community regarding this
>>> perspective.
>>>
>>
>> Hi,
>> I think it's a good idea. Additionally I suggest you enforce the traffic
>> off port 25 and use the dedicated submission (586) for SMTP Auth and
>> STARTTLS. Some older SMTP clients will not support STARTTLS properly.
>> For them you can offer the same functionality on SMTPS (465) SSL/TLS.
>>
>> This way you'll have incoming SMTP traffic on port 25 and all outgoing
>> on other, dedicated ports. Having separated them it is easier to
>> implement different restrictions for incoming and outgoing traffic
>> respectively.
>>
>> HTH,
>> Mikael
>>
>
> --
> Bernhard Rohrer Consulting
> 529 Howth Road
> Dublin 5, Ireland
>
> +353 87 7907 134
>
Re: Anyone solely using SMTP Auth for outbound mail?
seconded, only that submission is 587 ;)

----- original message -----
From: "Бак Микаел" mikael@yandex.ru
To: "Postfix users"
Date: Mon, 18 Jul 2011 12:59:05 +0200
-----

> l...@airstreamcomm.net wrote:
>>
>> To summarize, we think SMTP Auth is the simplest and most useful way to
>> allow people to send mail through our outbound mail system, and we are
>> hoping to get some feedback from the community regarding this perspective.
>>
>
> Hi,
> I think it's a good idea. Additionally I suggest you enforce the traffic
> off port 25 and use the dedicated submission (586) for SMTP Auth and
> STARTTLS. Some older SMTP clients will not support STARTTLS properly.
> For them you can offer the same functionality on SMTPS (465) SSL/TLS.
>
> This way you'll have incoming SMTP traffic on port 25 and all outgoing
> on other, dedicated ports. Having separated them it is easier to
> implement different restrictions for incoming and outgoing traffic
> respectively.
>
> HTH,
> Mikael
>

--
Bernhard Rohrer Consulting
529 Howth Road
Dublin 5, Ireland

+353 87 7907 134
Re: Anyone solely using SMTP Auth for outbound mail?
l...@airstreamcomm.net wrote:
>
> To summarize, we think SMTP Auth is the simplest and most useful way to
> allow people to send mail through our outbound mail system, and we are
> hoping to get some feedback from the community regarding this perspective.
>

Hi,
I think it's a good idea. Additionally I suggest you enforce the traffic off port 25 and use the dedicated submission (586) for SMTP Auth and STARTTLS. Some older SMTP clients will not support STARTTLS properly. For them you can offer the same functionality on SMTPS (465) SSL/TLS.

This way you'll have incoming SMTP traffic on port 25 and all outgoing on other, dedicated ports. Having separated them it is easier to implement different restrictions for incoming and outgoing traffic respectively.

HTH,
Mikael
Re: Anyone solely using SMTP Auth for outbound mail?
On 15/07/2011 22:15, l...@airstreamcomm.net wrote:
> We are an ISP of about 60,000 customers, and in the past our systems were
> setup to allow networks from mynetworks (a large number of IPs) as well as
> a lookup table that allows users who have previously popped the server to
> relay mail. We recently added SMTP Auth capability, and are seriously
> considering moving solely to SMTP Auth for access to our outbound mail
> system. Our reasoning is that compromised computers on our allowed
> networks are free to send all the spam they want and we really don't have a
> good way to track what users are sending the spam. We do have outbound
> email filtering, so the spam doesn't leave the network. Another reason for
> wanting to drop mynetworks and pop before smtp is simplification of our
> systems. Keeping up with the IPs in mynetworks is a hassle, and the pop
> before smtp seems redundant when you think these customers could be
> authenticating with SMTP Auth. The best feature of SMTP Auth in our
> opinion is that it leaves an audit trail of who is sending email, in what
> quantity, and where they are connecting from, which allows us to track
> spammers more effectively.
>
> To summarize, we think SMTP Auth is the simplest and most useful way to
> allow people to send mail through our outbound mail system, and we are
> hoping to get some feedback from the community regarding this perspective.
>

The big issue here isn't technical. it's about the cost of support when your customers call you because their old setup doesn't work anymore. I'd recommend taking a smooth path:

- document your "future" setup, so that people can share it. after some time, "everybody" will know about it. this should reduce your support costs.
- make it easy for people to use the "future" setup. write clear documentation, help pages, ... etc (actually, this is one thing that we should all work on, because it is "common").
- enforce the new setup for new customers
- for other customers, send an email asking em to visit a link that explains the "new" setup. give'em an incentive to accept the new behaviour.

back to tech stuff: it would be good to move to port 587 (submission) with TLS and SASL. to be nice with people using oldware, smtps should be supported as well.
Re: Anyone solely using SMTP Auth for outbound mail?
On 7/15/2011 3:15 PM, l...@airstreamcomm.net wrote:
> To summarize, we think SMTP Auth is the simplest and most useful way to
> allow people to send mail through our outbound mail system, and we are
> hoping to get some feedback from the community regarding this perspective.

If I understand your architecture correctly, doing this won't stop bot infected PCs from sending spam as that is almost always direct to MX. Preventing customers, at the router/firewall(s) from making direct outbound connection to remote TCP 25, and forcing them to relay through your auth server, is what stops the bot spam.

For customers intentionally sending spam either newbies spamming from Outlook Express to customers with full up snowshoe servers, forcing SMTP AUTH may prove advantageous, for the reasons you stated.

--
Stan
RE: Anyone solely using SMTP Auth for outbound mail?
> To summarize, we think SMTP Auth is the simplest and most useful way to
> allow people to send mail through our outbound mail system, and we are
> hoping to get some feedback from the community regarding this
> perspective.

Yes and No. For 99% of our client base, we use SMTP auth. We have a couple enterprise class customers that we relay for that have a very defined IP set, which we use an exception file for (as they have their own user/logins on their side). I could probably go 100% without any critical impact.

We have/had some software in place that would collect stats on outgoing rates per login and throttle/disable the account if it exceeded a particular limit, which means simply disabling the SMTP AUTH for that single account.

I'd recommend it myself.
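
Added example (not part of any post in this thread, and not the software any poster mentions): a Python script that builds the per-login audit trail described in the original question and applies the kind of per-login limit described in the last reply. It assumes the usual Postfix smtpd log line `QUEUEID: client=host[ip], sasl_method=..., sasl_username=...`; the sample lines, logins and thresholds are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines (hosts, queue IDs, logins and addresses are made up),
# in the format Postfix smtpd logs when it queues a message from a client.
SAMPLE_LOG = """\
Jul 18 10:00:01 mx1 postfix/submission/smtpd[2101]: 3F2A1C0011: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=alice
Jul 18 10:00:02 mx1 postfix/submission/smtpd[2102]: connect from unknown[203.0.113.9]
Jul 18 10:00:03 mx1 postfix/submission/smtpd[2102]: 3F2A1C0012: client=unknown[203.0.113.9], sasl_method=LOGIN, sasl_username=bob
Jul 18 10:00:04 mx1 postfix/submission/smtpd[2102]: 3F2A1C0013: client=unknown[203.0.113.9], sasl_method=LOGIN, sasl_username=bob
Jul 18 10:00:09 mx1 postfix/submission/smtpd[2107]: 3F2A1C0014: client=unknown[192.0.2.44], sasl_method=LOGIN, sasl_username=bob
Jul 18 10:00:15 mx1 postfix/submission/smtpd[2110]: 3F2A1C0015: client=unknown[2001:db8::5], sasl_method=LOGIN, sasl_username=bob
Jul 18 10:00:20 mx1 postfix/smtpd[2200]: 3F2A1C0016: client=cust.example.net[192.0.2.80]
"""

# smtpd logs one "QUEUEID: client=..." line per message it queues; the SASL
# fields are present only when the client authenticated.
LINE_RE = re.compile(
    r"postfix/(?:[\w-]+/)?smtpd\[\d+\]: (?P<qid>[0-9A-Za-z]+): "
    r"client=(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]"
    r"(?:, sasl_method=(?P<method>[^,\s]+))?"
    r"(?:, sasl_username=(?P<user>[^,\s]+))?"
)

def audit(log_text):
    """Map login -> {"messages": n, "ips": set}. Mail relayed without
    authentication (e.g. via mynetworks) is grouped under the key None."""
    stats = defaultdict(lambda: {"messages": 0, "ips": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m is None:
            continue  # connect/disconnect and other non-message lines
        entry = stats[m.group("user")]
        entry["messages"] += 1
        entry["ips"].add(m.group("ip"))
    return dict(stats)

def over_limit(stats, max_messages, max_ips):
    """Logins whose message count or distinct source IPs exceed the limits."""
    return sorted(
        user for user, s in stats.items()
        if user is not None
        and (s["messages"] > max_messages or len(s["ips"]) > max_ips)
    )

if __name__ == "__main__":
    stats = audit(SAMPLE_LOG)
    for user in over_limit(stats, max_messages=3, max_ips=2):
        print(user, stats[user]["messages"], sorted(stats[user]["ips"]))
```

The counts are per queued message, not per recipient, and the `None` bucket shows what is lost for mail relayed by IP address alone: a source address but no login to attribute it to.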