
Re: Update to default exit policy




xiando wrote:

>> I know this has been discussed before, but I thought I'd bring it up
>> again. The following rules are in the default exit policy and I can't
>> see any reason why they would be:
>>
>> reject *:465
>> reject *:587
> 
> Are you absolutely positively sure that you can not misconfigure e-mail MTAs 
> who use smtps (465) and submission (587) to be open relays?

Of course people can misconfigure their mail servers.

> My understanding from my quick search on this topic is that IF you set up an 
> open relay then that relay can be used regardless of the connection coming 
> through a SSL encrypted connection or a plain-text connection on port 25.

Well, yes, but that's not really relevant. The default exit policy of
blocking port 25 has nothing to do with stopping the abuse of open relays.

> Plain-text (25) or encrypted (465) has nothing to do with authentication, just 
> like you can visit many websites using http (80) and https (443) without 
> actually logging in.
> 
> I am not sure having them open by default would be a good thing.

Let's assume the exit policy is updated, and the ports opened, and I
want to send a spam to a gmail user.

Tor prevents me making a direct connection to their MX on port 25 to
deliver the spam to them. That's the point of blocking 25 by default.
Open relays don't come into it.

Opening port 465 or 587 doesn't change that. The only way I could
"abuse" ports 465/587 through Tor was if I found a misconfigured open
relay running on those ports. If a misconfigured open relay sends a load
of spam, people block the open relay, and don't concern themselves with
the initiating IP. If an open relay sends a load of spam, it is the
admin's fault of that relay for not locking it down properly.

Abusing an open relay through Tor is no different to abusing a website
through Tor.

--
Dawn