Re: [exim] automatically blacklisting clients that fail SMTP

Author: Ian Eiloart
Date:  
To: Bill Hayles
CC: <exim-users@exim.org>
Subject: Re: [exim] automatically blacklisting clients that fail SMTP

On 13 Jun 2011, at 16:13, Bill Hayles wrote:

> Hi, Ian
>
> On Mon, 13 Jun 2011 11:22:53 +0000 in message number <7D4D27D9-7411-4022-AD79-1BBF6FFB062F@???>, received here on 13/06/2011 15:48:46, Ian Eiloart <iane@???> said:
>>> That's true, but when an ISP blocks outbound port 25, two advantages are gained:
>>>
>>> 1. The ISP can spot, and deal with customers who are sending spam.
>
> They can (and should) do that anyway. I can only speak of my own experience
> with my own ISP (the much maligned, often unfairly, Telefonica de Espana).
> They do not block port 25 by default, but if you are found to be spamming,
> they block it. It is possible to get it unblocked (for example in the case
> of an error or Windows nasty) but they won't keep on doing it.


But the ISP doesn't know if mail you're sending on port 25 is in a domain that you're authorised to use. That's what port 587 is for - authenticated submissions.

> I run a mailing list for any computer related matters for English speakers
> in Spain; they tend to be the more computer literate; a couple have been
> blocked when their computer got infected (yes, I know it shouldn't, but
> these things happen). That's fine with my server, which they can access on
> port 587 (or even port 465) if they wish, but that's not universally true
> for all servers.


All the major email service providers do provide port 587. It's been recommended for 14 years now. It's well supported by mail clients. There's no common reason to permit outbound port 25, though some edge cases may exist.

>>
>>> (2) The ISP prevents their customer from running any kind of mail server
>>> (which is why I use an ISP that explicitly allows it)
>>
>> That's a real benefit, given that most mail servers are spambots.
>
> In which case the ISP does block port 25 for the specific client (and closes
> the account), which is what my own ISP does as I said. But port 25 is open
> unless and until you offend.
>
> It's an "innocent until proven guilty" scenario.


Not good enough these days, given that 95% of mail traffic is spam.

>> If you have a need to run your own mail server, then you should have special
>> arrangements with your ISP.
>
> I don't disagree with that. My contract with Telefonica expressly allows me
> to do just that (and run a web server) for non-commercial purposes. It's
> not a "special arrangement", just an account option they offer.
>
>
>> Responsible ISPs will close port 25 by default,
>> and probably only open it for business account holders with specific
>> requirements. It would be nice if the IP address owner could publish a sort
>> of reverse SPF policy, saying which domains are permitted to use the IP
>> address.
>
> I have read and re-read that, and I'm still not sure I'm reading it right.
> Could you explain it further (and, yes, I do know what SPF records are).


SPF lets a domain owner say which IP addresses their email is expected to originate from. It might be nice to also allow IP address owners to specify which domains are expected to originate from their IP addresses. For example, an ISP might permit a small company to use port 25, but publish a set of DNS records that let the world know that the email originating from those IP addresses is going to (mostly) use a particular set of sender domains. I don't know whether that's easily achievable technically, but it would be nice to be able to check with the IP address owner as well as the domain owner.

> --
> This is Spain. We do things differently here!
>
> Bill Hayles
> billnot@???
>
>
> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/


--
Ian Eiloart
Postmaster, University of Sussex
+44 (0) 1273 87-3148