On 3/22/19 8:01 PM, Kevin A. McGrail wrote:
Noel, please.  The personal attacks aren't in keeping with our code of conduct.  Please don't email them to the list.

+1

Let's keep things professional.

IMO, and I believe the RFCs back me up, Port 25 should only be used for local recipients.  Port 587, submissions, would be appropriate for submissions requiring other delivery methods and should be protected with SMTP AUTH, for example.  That would certainly be best practice, well supported and easy to add TLS to address.

I agree in spirit. But I know that port 25 is used for a lot more than just local delivery. Various forms of mail routing come to mind. To the best of my knowledge, all the ESPs that offer ingress filtering receive email on port 25 and send it to clients' private email servers on port 25 too. Then there are scanning appliances that can be self-hosted that do the same thing.

Getting back to the original question: Yes, you can scan outbound mail for spam and block it.  There are a number of ways to do that.  We also do a LOT with MIMEDefang, LDAP & IPTables, & Access files to extend the edge of the network to the board to avoid backscatter, DDoS attacks, etc.  I've published a lot of stuff about this before and happy to give pointers again.

Yes, it is possible to do. But if the OP is running a co-location facility and offering connectivity for clients to host their own servers on the Internet, I think s/he should NOT be interfering with their SMTP flows.

But in short, set up an SMTP host that allows relay by IP from all your servers behind it and set those servers to use the SMTP host as a smarthost.  On the smarthost, you can use amavisd-new and drop/redir mail that is considered spam.  More complex solutions are available with alerting, rate limiting, etc.

I think this type of configuration is great when all of the servers are under one company / administration. I.e. enterprise, university, what have you. But I don't think this is proper for a Co-Lo facility.

I am willing to accept a default block that has an easy process to remove the block. Anything else and I'd take my business elsewhere.

If the OP is running a Co-Lo facility, I would advise SWIP and / or RWHOIS.



--
Grant. . . .
unix || die
