> On Sun, 9 Aug 2009, Res wrote: >> .... if I'm in charge of the network for say this countries 5th largest >> ISP, why SHOULD I allow customers of say our countries largest, or 25th >> largest relay their mail via my systems...
On 10.08.09 11:07, Charles Gregory wrote: > IMNSHO You shouldn't. You should only allow *your* customers with pop > e-mail accounts on *your* servers to send mail. Of course, if they have > mail on your system, but have a connection to the net through a 'largest' > ISP, then naturally, everything flows more smoothly if they use their > provider's smtp server. 1. If more customers send spam from the same IP address without authentiaction, you only can disable them all, not only the one who really spams. If an user (accidentally) gets a spamming engine on computer he does not use for sending spam, you will get spammed even if user does not notice nor configure anything. These are the reasons for requiring SMTP authentication. 2. If a customer uses your mailboxes, it is your customer no matter where he connects from. If a customer with a notebook, PDA or whatevet connects through different company, he should not be required to change SMTP server. If a customer is hosted on your servers and you or he use SPF to (hopefully) ensure that only he sends mail from his e-mali address, he _MUST_ use your servers since other ISP _can not_ verify the address validity and ownership. These are the reasons for providing authenticated SMTP. Requiring of changing SMTP servers with changed connection is anything but _not_ smooth operations. And if you insist on providing e-mail services to any broken computer in you IP range, instead of supporting your customers roaming elsewhere, yes, it's sad and stupid. I do not care if that's common in Australia or wherever for 20 years or so. It's broken design and brings you much more problems you will have to cope with, when anyone starts spamming through your servers. > To be truthful, I have been doing this by default here, as well, but find > that it creates some problems for some users. So I am thinking about > opening up SMTP-AUTH ports. Trouble is (and its semi-relevance to this > list) I have to wonder if I am opening myself up to a significant risk of > having one of my user's passwords hijacked and used to send spam? Do they have IMAP or POP3 access without passwords? You can still provide TLS or SSL (outlook supports TLS only on port 25, otherwise it requires SSL, port 465 is often user for this) > Will I be just opening up opportunities for spammers to use my server > with stolen passwords, or is this a relatively rare occurence? Relatively rare. We have much more users spamming directly from IP addresses we haven't started requiring authentication from (the time is near, just prepare some changes and we'll announce the policy change) than those spamming through authenticated SMTP. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. "Two words: Windows survives." - Craig Mundie, Microsoft senior strategist "So does syphillis. Good thing we have penicillin." - Matthew Alton
