We have a blend of Option 2... All outgoing Port 25 is blocked except for
our mail server, relaying is allowed by authenticating using the user's
primary account info (username/password) ON OUR NETWORK ONLY. Postini is
used to filter outbound messages to spam server issues... All inbound to the
network on 25 is blocked... Users can use webmail if they need access off
our network.

This is for residential customers only... For business customers we use firewall
rules (at the premise) to route all mail traffic through our Postini
servers...

We are a cable provider with a bit under 400k users...

On Wed, Nov 18, 2009 at 2:29 PM, Chuck Hogg <ch...@shelbybb.com> wrote:


> Ok, so we are passing back and forth negatives/positives of our current
> SMTP policy, and are looking for answers on what others are doing.  I'm
> going to list what we have done, currently doing, and looking for
> feedback on what you do...
>
>
>
> Option 1.
>
> Block all outgoing port 25 with the exception of your own mail server.
> Allow for relaying of all email originating from your network.  You are
> now open to viruses that spam on your network, getting you listed as a
> spam server.
>
>
>
> Option 2.
>
> Block all outgoing port 25 with the exception of your own mail server,
> require authentication to send email from your server, using the same
> authentication that is being done with POP3/IMAP.  This works fine,
> users authenticate, however dictionary attacks leave you open to
> spammers taking control of a user account and using you to spam.
>
>
>
> Option 3.
>
> Block all outgoing port 25 with the exception of your own mail server,
> require authentication to send email from your server, using the same
> authentication that is being done with POP3/IMAP.  Require all users who
> authenticate to only email using the authenticated email address.  This
> works fine, users authenticate, prevents dictionary attacks because now
> the spammer has to identify themselves as the email address for the
> account they are using, and can't use a simple username as "joe",
> meaning user joe has to send as j...@shelbybb.com and know that
> j...@shelbybb.com is the full email account.  We host multiple domains,
> so j...@shelbywireless.com works but not j...@shelbybb.com for example.
> This however also affects people who have outside email accounts as they
> can no longer send email using that outside account.  My response here
> is that a large amount of hosts use port 587 as the alternate mail
> server, and for us that is an acceptable work around that our users will
> have to do. This is what we currently do.
>
>
>
> Option 4.
>
> Leave Port 25 open, set up a rule in the firewall to monitor the amount of
> messages going through and add to the address list when they breach the
> threshold.
>
>
>
>
>
> Regards,
>
> Chuck Hogg
>
> Shelby Broadband
> 502-722-9292
> ch...@shelbybb.com
>
> http://www.shelbybb.com
>
> --------------------------------------------------------------------------------
> WISPA Wants You! Join today!
> http://signup.wispa.org/
>
> --------------------------------------------------------------------------------
>
> WISPA Wireless List: wireless@wispa.org
>
> Subscribe/Unsubscribe:
> http://lists.wispa.org/mailman/listinfo/wireless
>
> Archives: http://lists.wispa.org/pipermail/wireless/
>
>
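
Option 4 in the quoted message describes a firewall rule that counts mail traffic per customer and adds the source to an address list once a threshold is breached. The following is an added example, not part of either post, showing that logic as a sliding-window counter over constructed connection records. It assumes new port 25 connections stand in for messages; the window, threshold, IP addresses and function names are all assumptions.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # assumed window; the thread gives no figure
THRESHOLD = 5         # assumed max new port-25 connections per window

# Constructed sample: (unix_time, subscriber_ip, dst_port), one per new
# outbound connection. None of these values come from the thread.
SAMPLE = (
    [(1000 + i * 20, "10.0.0.5", 25) for i in range(6)]     # about 3/min, normal client
    + [(1000 + i * 2, "10.0.0.9", 25) for i in range(12)]   # burst, bot-like
    + [(1000 + i, "10.0.0.7", 587) for i in range(30)]      # submission port, not counted
)

def flag_senders(records, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return {ip: time_first_flagged} for sources that open more than
    `threshold` port-25 connections inside any `window`-second span."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    address_list = {}             # stands in for the firewall address list
    for ts, ip, port in sorted(records):
        # Only direct-to-MX traffic counts; already-listed sources are skipped.
        if port != 25 or ip in address_list:
            continue
        q = recent[ip]
        q.append(ts)
        # Drop timestamps that have aged out of the window.
        while q and q[0] <= ts - window:
            q.popleft()
        if len(q) > threshold:
            address_list[ip] = ts
            del recent[ip]
    return address_list

if __name__ == "__main__":
    for ip, ts in flag_senders(SAMPLE).items():
        print(f"{ip} added to address list at t={ts}")
```

Because the count is per window rather than per day, a steady low-volume sender such as 10.0.0.5 in the sample is never listed, while a short burst is caught within seconds.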

