Blocking port 25 has become popular, not only with
walled-garden connectivity services that are really scared of their
customers running their own servers (e.g. most cable modem companies),
but also with other ISPs that don't want to deal with the problems
of having customers who are spamming (whether deliberate or zombified.)
So anybody buying something lower-priced than a T1 typically needs to
have a mail client or mail transfer agent that can use other ports,
unless they want to trust their ISP's mail service or use webmail.
What proportion of an ISP's customers genuinely need the ability to talk
to external hosts on 25/tcp? I mean really? We're talking about home
users who can use their home ISP SMTP service and it'll meet their needs.
Agree that there should be a mechanism to opt out, but smart organisations
will offer alternative, authenticated services to address any requirement
for direct SMTP (except perhaps for situations where you actually intend
to run a mail server at home.)
In some sense, anything positive you can accomplish by blocking Port 25
you can also accomplish by leaving the port open and advertising the IP
address on one of the dynamic / home broadband / etc. block lists,
which leaves recipients free to whitelist or blacklist your users.
And you can certainly provide better service to your customers by
redirecting Port 25 connections to an SMTP server that returns
"550 We block Port 25 - see www.example.net/faq/port25blocking"
or some similarly useful message as opposed to just dropping the packets.
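As an added illustration of the "redirect to a server that returns 550" approach (this is not code from the thread or from any ISP mentioned in it): a minimal SMTP-speaking responder that transparently redirected outbound 25/tcp connections can be pointed at. The FAQ URL is the placeholder from the message above; the hostname and listening port are constructed for the example.

```python
"""Minimal SMTP responder for redirected outbound port 25 connections.

Added example, not from the original thread. An ISP that redirects 25/tcp
to this daemon gives the customer's mail software an explanatory permanent
error instead of a silently dropped packet. FAQ_URL is the placeholder used
in the thread; BANNER_HOST and the port 2525 are constructed for the example.
"""
import socketserver
from typing import Tuple

FAQ_URL = "www.example.net/faq/port25blocking"   # placeholder from the thread
BANNER_HOST = "smtp-block.isp.example"            # constructed hostname


def reply_for(line: bytes) -> Tuple[str, bool]:
    """Return (response line, close_after) for one client command.

    Greeting and housekeeping commands succeed so that a client gets as far
    as MAIL FROM and logs the informative 550; anything that would actually
    deliver mail is refused with a permanent (5xx) code.
    """
    verb = line.strip().split(b" ", 1)[0].upper()
    if verb in (b"HELO", b"EHLO"):
        return f"250 {BANNER_HOST} outbound port 25 is blocked on this network", False
    if verb == b"MAIL":
        return f"550 5.7.1 We block Port 25 - see {FAQ_URL}", False
    if verb in (b"RCPT", b"DATA"):
        return "503 5.5.1 MAIL FROM was rejected; see the 550 above", False
    if verb in (b"NOOP", b"RSET"):
        return "250 2.0.0 OK", False
    if verb == b"QUIT":
        return "221 2.0.0 Bye", True
    return "502 5.5.2 Command not implemented on this blocking responder", False


class BlockHandler(socketserver.StreamRequestHandler):
    """One redirected connection: banner, then answer commands until QUIT/EOF."""

    def handle(self):
        self.wfile.write(f"220 {BANNER_HOST} ESMTP outbound port 25 blocked\r\n".encode())
        while True:
            line = self.rfile.readline()
            if not line:          # client hung up
                break
            text, close = reply_for(line)
            self.wfile.write((text + "\r\n").encode())
            if close:
                break


def serve(host: str = "127.0.0.1", port: int = 2525) -> None:
    """Listen on an unprivileged port; the NAT rule does the 25 -> 2525 redirect."""
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer((host, port), BlockHandler) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    serve()
```

The redirect itself lives in the router's NAT table rather than in this script, for instance an iptables rule of the form `iptables -t nat -A PREROUTING -i <customer-facing-if> -p tcp --dport 25 -j REDIRECT --to-ports 2525` (with the ports used by the ISP's own authenticated submission service left alone). Most mail clients surface the text of a 550 reply in the error they show the user, which is what makes this friendlier than a dropped packet.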
I concur with the latter, but then again, if it's well publicised and
clear from the get-go that external port 25 is not a service offered, it
should be no big deal.
I do disagree that advertising the IP on blocklists serves the same
purpose, because it pushes responsibility to a third party (a la ISP is
waving its hands in the air and saying 'it's not my problem, we're just a
means of access to the cloud'), and suddenly third party outfits get a
whole bunch more clout than is necessary - and noise levels on the
internet go up and/or junk volumes go up.
(Wonder how much spam the port-25-blockers actually stop?)
Would seem easier and a whole bunch more flexible for ISPs to manage their
own turf, as it were; third party blocklists are a little on the ugly
side. (False positives are very hard to get dealt with, from experience.)
I've toned down my vehemence about the blocking issue a bit -
there's enough zombieware out there that I don't object strongly to an ISP
that has it blocked by default but makes it easy for humans to enable.
Fair enough. I think there's probably agreement on this point, but I would
also make the point that the only legitimate reason to enable 25/tcp
outbound to external hosts should be to run a mail server. SMTP-Auth for
private use, for example, shouldn't be on 25.
Mark.