Author: Ian Eiloart Date: To: Wakko Warner, exim-users Subject: Re: [exim] SMTP vs Submission (port 25 vs 587)
--On 3 January 2007 15:34:24 -0500 Wakko Warner <wakko@???> wrote:
> I probably should give a little more detail of what is going on.
>
> We recently installed a hardware spam firewall which cut out some of our
> users. I simply stated to use 587 and authentication which met with
> resistance. The only reason that it was done was because they want the
> spam firewall.
>
> Most of our users are on the LAN which this cannot affect. However, for
> security, I wanted to force everyone to 587 so that any virus infections
> that use mail would pretty much be stopped before they spread at all (also
> blocking outbound port 25 from the company).
Then this doesn't matter quite so much. You should block outbound port 25
anyway, but leave port 25 open when the destination is your mail server. If
your mail server is local, you don't need to worry about outbound port 25
at all, unless you have web applications that send email bypassing your
mail server.
If your staff EVER work at home, or go to conferences, or visit other
institutions, and expect to use email then they'll need to use port 587. If
your mail server is local, then you'll need to open inbound port 587. Or,
you could provide a webmail service.
Anyone local who also uses external mail servers (say, your staff's
personal email providers, or visitors' mail providers) will need to be able
to use port 587. It's possible that you don't allow staff to access
personal mail providers, and it's possible that you don't need to allow
visitors to access their email.
> See my comments below as well.
>
> I appreciate the mails I've received thus far.
>
> Marc Sherman wrote:
>> The two big reasons are:
>>
>> 1) Lots of ISPs block outgoing 25, so if you want to accept incoming
>> authenticated submission from remote users on arbitrary connections,
>> port 25 might not be adequate.
>
> Mostly doesn't matter as our users are internal. We have some users who
> are not internal to the network and mostly use VPN. The mail server
> actually has no idea the users are using VPN or not and I have port 25
> configured for RBL checking (shh about using auth bypass =)
>
> The VPN users will see port 25 regardless of the ISP's blocking (but has
> proved to have problems in the past)
>
>> 2) If MSA and MTA are on different ports, it's easier to set up
>> different configs for the two use cases. This reason only makes sense if
>> you want to restrict all submission to port 587, and only allow MTA
>> traffic on port 25.
>
> It does make it easier, but I'm doing the differentiating in 1 config. I
> could split the acls up so that one is called for MTA and one for MSA
> (which I have in the works)
>
> Peter Bowyer wrote:
>> If a standards-track RFC won't convince them, what level of
>> documentation are they looking for?
>
> Good question. Seems they'd rather see some article about doing this than
> the standards text.
>
> David Saez Padros wrote:
>> Using port 587 will allow mobile users to send messages even when their
>> ISP blocks port 25, which is becoming more and more common on dsl/cable
>> providers. Another useful thing is that you could reject connections
>> to port 25 from infected computers (i.e. using some blacklists) before
>> giving them the chance to use smtp auth (for very fast rejection) and allow
>> your possibly infected users to use your server at port 587 even if their
>> ip gets blacklisted.
>
> This is the point that I made at the top about internal users. I don't
> believe viruses (virii???) commonly use the user's MUA to spread or to
> send the junk mail if it's one of those zombies.