[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Default Exit Policy

Nathaniel Dube(njdube@xxxxxxxxx)@Thu, May 22, 2008 at 11:59:28PM -0500:
> The only part of that I have in my config file is [accept *:*].  Is the rest 
> some kind of defaults?  I noticed one of the defaults is [reject *:587] which 
> I'm wondering why that would be in the defaults.  That ports is used for 
> sending secure email.  Port 25 I can understand but 587?!  I use that port 
> for gmail.  I have two gmail accounts.  One is this one which is tied to my 
> real name.  The other isn't and I use with Thunderbird and the torbutton 
> addon.  I've noticed that sometimes I can't send email and sometimes I can.  
> It all depends on the current circuit.  After seeing the defaults exit policy 
> I can see why I've been having the issues with my email.
> The point of this email?!  I wish to understand the rational of having the 
> defaults block ports used for secure encrypted protocoles.

I ran into a problem with this somewhat recently.

I blew away the default reject list on my node and made a fairly lengthy
one in its place.  As part of that, I allow 587, because it's supposed to
be authenticated, right?  It turns out that a lot of sites out there treat
587 just like 25: optional authentication, optional encryption, maybe some
relaying, whatever.  Thus, allowing 587 through Tor causes some
complaints.  I've still got it open, but every time someone complains I
consider turning it off.

Interesting, there's no RFC standard that says that 587 will authenticate
or encrypt.  The closest you will get is RFC 5068, a best practice, which

     Submission Authentication:

         MSAs MUST perform authentication on the identity asserted during
         all mail transactions on the SUBMISSION port, even for a message
         having a RCPT TO address that would not cause the message to be
         relayed outside of the local administrative domain.

None of the actual standards have a MUST for this.

I'd been meaning to email the list and ask if anyone else was having
problems relaying 587.  So, anyone else? :)

Bill Weiss