[LINK] Question re spoofing with bad reply address

Hamish Moffatt hamish at cloud.net.au
Fri Jul 11 15:44:01 AEST 2014


On 11/07/14 15:35, Jeremy Visser wrote:
> On 11/07/14 14:27, Stephen Rothwell wrote:
>> Well, if for no other reason than that many ISPs insist that you use
>> their mail server for outgoing email
> Who does this?  I would invite you to name-and-shame them.
>
> But before you do so, check that you are sending outbound as port 587 (STARTTLS) or 465 (TLS).  It's common for providers to block port 25 due to rampant abuse, but as all port 587 or 465 based services are authenticated relays, there is no need to block this.
>
> I know of some ISPs (e.g. Telstra 3G) who block port 25, but that's not the end of the world given that ports 465 and 587 are meant to be used these days for SMTP submission anyway.
>
> (Blocking port 25 on Telstra 3G makes sense because it is a giant CGNAT network.  Think about it this way -- if they _allowed_ port 25, the CGNAT pool would constantly be listed/delisted from blacklists which would affect hundreds of customers at once.)
>
> As a network/systems admin at a small ISP, I personally hate running mail services.  I prefer layers 2-3...layer 7 can get stuffed.  :-)  While I provide an anonymous SMTP relay for customers who for some goddamn stupid reason insist on using one, I do nothing to encourage people to use it, and usually try to talk people out of it.
>
Why anonymous - can't you require them to STARTTLS+AUTH, even on port 25?

Optus blocks port 25 outbound too. Shrug; the customer IPs are listed in 
the dynamic IP blacklists anyway from memory. They don't block 465 or 
587 though.

Hamish


