Re: [Exim] Re: stmp protocol violation, synchronization erro…

Pàgina inicial
Delete this message
Reply to this message
Autor: Jethro R Binks
Data:  
A: exim-users
Assumpte: Re: [Exim] Re: stmp protocol violation, synchronization error,
On Tue, 16 Mar 2004, Tor Slettnes wrote:

> For ISPs to be blocking outbound traffic on port 25 ...


> I'm going to repeat the fact that it would be impossible to use _any_
> MTA other than the one provided by the ISP to send out your mail. I
> could not, as I do now, relay mail from my (semi-)dynamic IP address at
> home via my co-hosted machine at a different service provider. This is
> in exact contradiction to your other statement, where you said that
> people who wanted to run their own servers should obtain business-class
> service (unless you also want to institutionalize monopoly by saying
> that the only one who should be able to offer you such business-class
> service is the same ISP that provides your internet connectivity, i.e.
> your broadband provider).


This is exactly one of the reasons that the Message Submission (RFC 2476)
was proposed.

End-clients should send their mail to the submission port of whatever
"ISP" is providing their mail service. This is not port 25 but is
typically 587. ISPs don't block the MSA port.

It is required that this submission port be "authenticated" in some way -
that is, it only accepts mail from "known" people, whether they are
identified by IP address, by authentication credentials, by
POP-before-SMTP or whatever.

If implemented widely, and port 25 blocked widely, then virtual all mail
passing into the Internet would have an authenticated source. Now of
course there will always be rogue ISPs that don't implement properly, and
don't respond to abuse complaints, but that's what DNSBLs and the like are
for.

Other than all that, why block port 25 outgoing, and not anything else?
Because email is virtually the only "push" internet transport, where one
can foist crap, pretty much without limit, _directly_ to anyone whose
email address you know or guess, without their consent, and without any
kind of sender authentication. This makes it rather different from any
other Internet traffic (Usenet is kinda similar, but isn't targetted at
specific people).

I think there is a market for a new breed of ISP (or would be if these
issues were more widely known); that implement a proper authenticated MSA,
decent SMTP service, and will handle complaints properly. Does anyone
provide such a service, independently to clients who don't also have a
connectivity agreement with them? If I were wanting to run a home
service, I would be looking for this sort of reputable function-specific
ISP to relay my mail through, precisely to avoid the problem of
having an 'end user' ADSL, and possibly dynamic, IP address being listed
in a DNSBL.

I don't disagree with your reasons for running a home mail server
(spam/malware reception control, stable address). I don't
have a problem with inbound port 25 access for such people. It is how
their outbound mail appears on the Internet that I have concerns about.

> There are certainly RBLs out there (e.g. dnsbl.sorbs.net) that list
> "dynamically allocated" IP addresses (mostly as provided by various
> ISPs). If you want to use it, and are aware of the general problems
> associated with DNS-based blocking, then more power to you.


It is probably only through widespread use of these sorts of DNSBLs that
there is much chance of forcing a change in the way that mail submissions
into the Internet works.

SORBS and the like do of course have their problems, and there are to a
large extent reliant on input from users and ISPs. I have seen recent
cases where an /11 was listed in SORBS, but chunks of that were allocated
to DSL-based companies, and they were the proper assignees according to
WHOIS. It is really a matter for the ISPs and the community to make sure
that the correct blocks are listed in the DNSBLs, and that
fixed-but-still-DSL allocations are denoted differently from the dynamic
end-user ranges, where you don't know from one day to the next who will be
using an address and relying on an ISP to make that association in the
course of investigating a complaint.

> >>> All ISP's should block port 25 traffic unless you are paying for a
> >>> business class service, in which, you should not be on a dynamic
> >>> type of IP, but have some statics, that can be properly mapped
> >>> through DNS.
>
> Clearly, this would be a Bad Thing(tm).


Not given a proper widespread implementation of Message Submissions
servers.

Jethro.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks
Computing Officer, IT Services
University Of Strathclyde, Glasgow, UK