Re: Update to default exit policy
- To: or-talk@xxxxxxxxxxxxx
- Subject: Re: Update to default exit policy
- From: Dawney Smith <dawneysmith@xxxxxxxxxxxxxx>
- Date: Tue, 19 Aug 2008 10:20:27 +0100
- Delivered-to: archiver@xxxxxxxx
- Delivered-to: or-talk-outgoing@xxxxxxxx
- Delivered-to: or-talk@xxxxxxxx
- Delivery-date: Tue, 19 Aug 2008 05:20:57 -0400
- In-reply-to: <48A8438A.3030307@xxxxxx>
- Openpgp: id=5D6281F2
- References: <48A6DD45.1040509@xxxxxxxxxxxxxx> <48A8438A.3030307@xxxxxx>
- Reply-to: or-talk@xxxxxxxxxxxxx
- Sender: owner-or-talk@xxxxxxxxxxxxx
- User-agent: Thunderbird 2.0.0.16 (X11/20080724)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Dominik Schaefer wrote:
>> Those are ports used for mail submission, not for mail relay. They won't
>> be abused by spammers. ISPs often block their consumer broadband users
>> from connecting to port 25 on servers outside of their network, to
>> prevent spam. They don't block 465 and 587, because they're not problem
>> ports and the point of them is, that you authenticate before sending
>> mail, unlike port 25. You wouldn't block port 443 to prevent spammers
>> submitting mail via https://mail.google.com/ so why block these ports?
> Actually, it is a little more complicated. 465 is just plain
> SMTP-over-SSL, so not much different to non-encrypted SMTP on port 25.
> (BTW: AFAIR the recommended method for encrypting SMTP is to use port
> 25 with STARTTLS and not to use a different port, so connections to
> port 25 may be encrypted as well.)
>
> Concerning the submission port 587: Originally, the submission port
> needed neither to be encrypted, nor did it enforce authentication (see
> RfC 2476, http://www.faqs.org/rfcs/rfc2476.html).
> Authentication MAY be done before submitting mails.
> Only RfC 4409 (which obsoleted 2476) introduced a MUST for
> authentication of the sender, but is still quite recent (2006).
> AFAIR both RfCs make no statement about the encryption of connections
> to port 587 for mail submission, although 3207 (STARTTLS) states it
> can be useful.

1.) Can anyone here show me a mail server that runs on port 587 or port
465 that doesn't require authentication to send email?

2.) Now can anyone here show me a mail server that runs on port 25 that
doesn't require authentication to send email?

I suspect the answer to 1 is either "no", or a list of a couple of
servers. I suspect the answer to number 2 is, yes, here's a list of a
few hundred thousand.

Let's be a little pragmatic here. After all, the exit policy in question
was done for purely pragmatic and not technical reasons. Opening ports
465 and 587 will *not* cause the spam problem that blocking them was
intending to prevent. The number of mailboxes that would be able to be
spammed through those two ports without authentication is
insignificantly small (I can't demonstrate one, can you?) Blocking those
two ports by default achieves nothing.

Dawn
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFIqpBbcoR2aV1igfIRAgWyAKCJ2cxNO2mO8PRvNMX7BKoyFnHClACeJtlp
ZoylC/edpaBNmJ3ooOfRgUs=
=QR4+
-----END PGP SIGNATURE-----