On 10/25/2011 11:17 AM, Owen DeLong wrote:
But that applies to port 25 also, so, I'm not understanding the difference.
Other people running open port 587s tends to be quite self-correcting.
At this point, so do open port 25s.
The difference is in intentions from the user. All SMTP servers are
supposed to accept incoming email to their domain on port 25, if they
get a connection from a random IP they can check spf, dkim and dns
blacklists but that's all they can do to see the reputation of the
sender. Blocking port 25 is an ISP based list of who is allowed to send
SMTP.
Port 587 is supposed to only be used for MUA-MTA communications. If
mx.hello.com gets a 587 connection from anyone and they say "mail from:
<anyone other than hello.com>" the server can drop that as wrong.
Yes it's nasty and dumb, but it works better than spf, DKIM and other
technology right now. Maybe spf could be extended into reverse zones
and who they're permitted to send mail for (too many ISPs don't let
even business users update reverse records), maybe spf or a protocol
like it will become required in the future so you know who can be
trusted when they connect, or reputation or greylisting will take off,
except for having to store reputation about all IPs and all /64s so the
database isn't easily maintained. I think spf with dkim (with caveats
worked out) would be the best solution but anything that requires a flag
day with SMTP basically isn't gonna happen.
Owen
Robert
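The two policies Robert contrasts above (port 25 accepts anything addressed to the local domain and can only consult reputation sources such as DNS blacklists; port 587 rejects a "mail from" whose domain is not the server's own) can be written down as a small policy function. The following is an added example, not code from the thread or from any MTA; it assumes a constructed local domain `hello.com` (taken from the mx.hello.com illustration in the post), a hypothetical DNSBL zone `bl.example`, and a constructed set of "listed" query names standing in for real DNS answers so it runs offline. The requirement that port 587 clients also be authenticated is standard submission practice and is an addition here, not something the post states.

```python
import ipaddress

# Constructed: the domains this server is authoritative for (mirrors the post's mx.hello.com).
LOCAL_DOMAINS = {"hello.com"}
# Hypothetical DNSBL zone; a real deployment would name an actual blacklist here.
DNSBL_ZONE = "bl.example"


def dnsbl_query_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """Build the DNSBL lookup name: reversed dotted octets for IPv4,
    reversed nibbles for IPv6, followed by the zone. This is the name an
    MTA would resolve with an A query; a non-NXDOMAIN answer means 'listed'."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        rev = ".".join(reversed(addr.exploded.split(".")))
    else:
        rev = ".".join(reversed(addr.exploded.replace(":", "")))
    return f"{rev}.{zone}"


def sender_domain(mail_from: str) -> str:
    """Extract the domain from a MAIL FROM argument such as '<bob@Hello.com>'.
    The null sender '<>' (bounces) yields an empty string."""
    address = mail_from.strip().strip("<>").strip()
    if not address:
        return ""
    return address.rsplit("@", 1)[-1].lower()


def smtp_policy(port: int, client_ip: str, mail_from: str,
                authenticated: bool = False, listed=frozenset()):
    """Return (decision, reason) for a MAIL FROM on the given port.

    port 587 (submission, MUA-to-MTA): the post's rule, i.e. the envelope
        sender must belong to a local domain, plus the assumed auth check.
    port 25 (MTA-to-MTA): inbound mail for the local domain is accepted from
        any IP; the only lever is reputation, represented here by a DNSBL hit.
    `listed` is a constructed set of DNSBL query names standing in for DNS
    answers, so the function can be exercised without network access."""
    domain = sender_domain(mail_from)

    if port == 587:
        if not authenticated:
            return ("reject", "submission port requires authentication")
        if domain not in LOCAL_DOMAINS:
            return ("reject", f"MAIL FROM domain {domain!r} is not a local domain")
        return ("accept", "authenticated local sender on submission port")

    if port == 25:
        query = dnsbl_query_name(client_ip)
        if query in listed:
            return ("reject", f"client {client_ip} is listed in {DNSBL_ZONE}")
        return ("accept", "inbound MTA traffic; reputation checks passed")

    return ("reject", f"no SMTP policy for port {port}")


if __name__ == "__main__":
    # Constructed listing: pretend 192.0.2.10 appears in the hypothetical DNSBL.
    listed = {dnsbl_query_name("192.0.2.10")}
    print(smtp_policy(587, "198.51.100.5", "<bob@hello.com>", authenticated=True))
    print(smtp_policy(587, "198.51.100.5", "<bob@other.example>", authenticated=True))
    print(smtp_policy(25, "192.0.2.10", "<alice@other.example>", listed=listed))
    print(smtp_policy(25, "203.0.113.7", "<alice@other.example>", listed=listed))
```

The asymmetry the post describes falls out of the two branches: on 587 the server knows who its users are and can reject by domain, while on 25 it must accept from unknown peers and can only lean on external reputation, which is why the DNSBL name construction (reversed octets or nibbles under the zone) is the part worth getting right.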