Re: Default Exit Policy
Nathaniel Dube(njdube@xxxxxxxxx)@Thu, May 22, 2008 at 11:59:28PM -0500:
> The only part of that I have in my config file is [accept *:*]. Is the rest
> some kind of defaults? I noticed one of the defaults is [reject *:587] which
> I'm wondering why that would be in the defaults. That port is used for
> sending secure email. Port 25 I can understand but 587?! I use that port
> for gmail. I have two gmail accounts. One is this one which is tied to my
> real name. The other isn't and I use with Thunderbird and the torbutton
> addon. I've noticed that sometimes I can't send email and sometimes I can.
> It all depends on the current circuit. After seeing the default exit policy
> I can see why I've been having the issues with my email.
> The point of this email?! I wish to understand the rationale of having the
> defaults block ports used for secure encrypted protocols.
I ran into a problem with this somewhat recently.
I blew away the default reject list on my node and made a fairly lengthy
one in its place. As part of that, I allow 587, because it's supposed to
be authenticated, right? It turns out that a lot of sites out there treat
587 just like 25: optional authentication, optional encryption, maybe some
relaying, whatever. Thus, allowing 587 through Tor causes some
complaints. I've still got it open, but every time someone complains I
consider turning it off.
Interesting, there's no RFC standard that says that 587 will authenticate
or encrypt. The closest you will get is RFC 5068, a best practice, which
says:

    MSAs MUST perform authentication on the identity asserted during
    all mail transactions on the SUBMISSION port, even for a message
    having a RCPT TO address that would not cause the message to be
    relayed outside of the local administrative domain.

None of the actual standards have a MUST for this.
I'd been meaning to email the list and ask if anyone else was having
problems relaying 587. So, anyone else? :)
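
Added example, not part of the original message: a small Python check that a mail administrator could run over a client-side log of a session with their own port-587 server, flagging the "optional authentication, optional encryption" behaviour described above. The log format (`C:`/`S:` prefixes), the function names and the sample transcripts are assumptions made for this illustration.

```python
# Added example; every hostname, address and transcript is a constructed sample.

def parse(text):
    """Turn 'C: ...' / 'S: ...' log lines into (side, line) tuples."""
    return [(l[0], l[3:]) for l in text.strip().splitlines()]

def audit_submission(transcript):
    """Return sorted findings; empty means MAIL needed both TLS and AUTH."""
    tls = authed = awaiting_auth_data = False
    last_cmd, findings = "", set()
    for side, line in transcript:
        if side == "C":
            if not awaiting_auth_data:          # skip base64 AUTH replies
                words = line.split()
                last_cmd = words[0].upper() if words else ""
                if last_cmd == "AUTH" and not tls:
                    findings.add("AUTH sent before STARTTLS")
            continue
        code, final = line[:3], line[3:4] != "-"  # "250-" = continuation
        awaiting_auth_data = code == "334"        # server wants more AUTH data
        if code == "235":                         # authentication succeeded
            authed = True
        elif last_cmd == "STARTTLS" and code == "220":
            tls = True
        elif last_cmd == "MAIL" and code == "250" and final:
            if not authed:
                findings.add("mail accepted without AUTH")
            if not tls:
                findings.add("mail accepted without STARTTLS")
    return sorted(findings)

# Server that treats 587 like 25: takes MAIL FROM with no TLS and no AUTH.
LAX = parse("""
C: EHLO client.example.test
S: 250 PIPELINING
C: MAIL FROM:<sender@example.test>
S: 250 2.1.0 Ok
""")

# Server that only accepts MAIL after STARTTLS and a successful AUTH.
STRICT = parse("""
C: EHLO client.example.test
S: 250-STARTTLS
S: 250 AUTH PLAIN
C: STARTTLS
S: 220 2.0.0 Ready to start TLS
C: AUTH PLAIN AHVzZXIAcGFzcw==
S: 235 2.7.0 Authentication successful
C: MAIL FROM:<user@example.test>
S: 250 2.1.0 Ok
""")
```

`audit_submission(LAX)` reports both findings, while `audit_submission(STRICT)` returns an empty list.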