Author: Wakko Warner Date: To: exim-users Subject: Re: [exim] SMTP vs Submission (port 25 vs 587)
I probably should give a little more detail of what is going on.
We recently installed a hardware spam firewall which cut out some of our
users. I simply stated to use 587 and authentication which met with
resistance. The only reason that it was done was because they want the
spam firewall.
Most of our users are on the LAN, which this cannot affect. However, for
security, I wanted to force everyone to 587 so that any virus infections
that use mail would pretty much be stopped before they spread at all (also
blocking outbound port 25 from the company).
See my comments below as well.
I appreciate the mails I've received thus far.
Marc Sherman wrote:
> The two big reasons are:
>
> 1) Lots of ISPs block outgoing 25, so if you want to accept incoming
> authenticated submission from remote users on arbitrary connections,
> port 25 might not be adequate.
Mostly doesn't matter as our users are internal. We have some users who are
not internal to the network and mostly use VPN. The mail server actually
has no idea the users are using VPN or not and I have port 25 configured for
RBL checking (shh about using auth bypass =)
The VPN users will see port 25 regardless of the ISP's blocking (but has
proved to have problems in the past)
> 2) If MSA and MTA are on different ports, it's easier to set up
> different configs for the two use cases. This reason only makes sense if
> you want to restrict all submission to port 587, and only allow MTA
> traffic on port 25.
It does make it easier, but I'm doing the differentiating in 1 config. I
could split the acls up so that one is called for MTA and one for MSA (which
I have in the works)
Peter Bowyer wrote:
> If a standards-track RFC won't convince them, what level of
> documentation are they looking for?
Good question. Seems they'd rather see some article about doing this than
the standards text.
David Saez Padros wrote:
> Using port 587 will allow mobile users to send messages even when his
> ISP blocks port 25, which is each time more usual on dsl/cable
> providers. Another useful thing is that you could reject connections
> to port 25 from infected computers (i.e. using some blacklists) before
> giving the chance to use smtp auth (for very fast rejection) and allow
> your possible infected users to use your server at port 587 even if his
> ip gets blacklisted.
This is the point that I made at the top about internal users. I don't
believe viruses (virii???) commonly use the user's MUA to spread or to send
the junk mail if it's one of those zombies.