nanog mailing list archives

Re: Time to check the rate limits on your mail servers


From: Todd Vierling <tv () duh org>
Date: Thu, 3 Feb 2005 14:36:30 -0500 (EST)


On Thu, 3 Feb 2005, Jason Frisvold wrote:

> > > prevents zombies from spamming.  Unfortunately, it also blocks
> > > legitimate users from being able to use SMTP AUTH on a remote server..
> >
> > There's a *reason* why RFC2476 specifies port 587....
>
> I assume you're referring to the ability to block port 25 if 587 is
> used for submission.  This is great in theory, but if this were the
> case, then the Trojan authors would merely alter their Trojan to use
> port 587.

If they authenticate.

Modulo a stupidity built into Sendmail (that Claus Assmann ignorantly thinks
is a non-issue[*]), port 587 is not supposed to be used for endpoint MTA
delivery.  It's a mail SUBMISSION port, which is supposed to mean that J.
Random Client isn't supposed to use it for delivery purposes.

===

[*] As of now, Sendmail doesn't require SMTP AUTH by default on
    the MSA port; it treats 25 and 587 identically (so that things like
    IP-based relay auth work without need for SMTP AUTH).

    I sent an m4-only change to the Sendmail maintainers implementing a way
    to make 587 allow only relay-authorized clients to send anything at all
    by default -- whether IP-based relay auth, or SMTP AUTH, or any other
    method built in to the relay-check code path.  It was shot down by Claus
    because he simply doesn't understand the issue and doesn't think
    identical treatment of ports 25 and 587 is a threat.

-- 
-- Todd Vierling <tv () duh org> <tv () pobox com>
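
As an added illustration (not part of Todd's message, and not the Sendmail project's own documentation), the behaviour described in the footnote is visible in the DAEMON_OPTIONS lines of a sendmail.mc. The stock MSA definition carries only the `E` modifier (ETRN disabled), so port 587 inherits the same unauthenticated relay decisions as port 25; adding the `a` modifier makes sendmail refuse MAIL FROM on that port until the client has completed SMTP AUTH. The `a` flag's semantics are taken from Sendmail's documented daemon modifiers, not from the thread, and the AUTH mechanism lines are an assumed local choice.

```m4
dnl Port 25: ordinary MTA-to-MTA delivery, unchanged.
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl

dnl Stock MSA definition: the only difference from port 25 is M=E
dnl (ETRN disabled).  Relay decisions still come from the access map and
dnl IP-based rules, so an unauthenticated client is treated the same on
dnl 587 as on 25 -- the situation Todd's footnote complains about.
dnl DAEMON_OPTIONS(`Port=submission, Name=MSA, M=E')dnl

dnl Hardened MSA definition: M=Ea adds the "a" modifier, which makes
dnl sendmail require SMTP AUTH before accepting MAIL FROM on this port.
dnl This is stricter than the relay-authorized check Todd proposed:
dnl IP-based relay permission in the access map no longer suffices here.
DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl

dnl Assumed local choice of mechanisms.  AuthOptions "p" keeps PLAIN and
dnl LOGIN off connections that have no TLS security layer; "A" only
dnl honours a client's AUTH= parameter when the client authenticated.
define(`confAUTH_MECHANISMS', `PLAIN LOGIN')dnl
TRUST_AUTH_MECH(`PLAIN LOGIN')dnl
define(`confAUTH_OPTIONS', `A p')dnl
```

After regenerating sendmail.cf from the .mc and restarting, a quick check is to connect to port 587, skip AUTH, and issue MAIL FROM: the hardened daemon should answer with a 530 "Authentication required" rejection, while port 25 keeps accepting mail for local domains. The maillog's "AUTH=server" entries show which submissions actually authenticated, which is the signal a zombie that has simply switched to 587 cannot produce.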

