Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Time to check the rate limits on your mail servers

  • From: Todd Vierling
  • Date: Thu Feb 03 14:39:10 2005

On Thu, 3 Feb 2005, Jason Frisvold wrote:

> > > prevents zombies from spamming.  Unfortunately, it also blocks
> > > legitimate users from being able to use SMTP AUTH on a remote server..
> >
> > There's a *reason* why RFC2476 specifies port 587....
>
> I assume you're referring to the ability to block port 25 if 587 is
> used for submission.  This is great in theory, but if this were the
> case, then the Trojan authors would merely alter their Trojan to use
> port 587.

If they authenticate.

Modulo a stupidity built-in to Sendmail (that Claus Assman ignorantly thinks
is a non-issue[*]), port 587 is not supposed to be used for endpoint MTA
delivery.  It's a mail SUBMISSION port, which is supposed to mean that J.
Random Client isn't supposed to use it for delivery purposes.

===

[*] As of now, Sendmail doesn't require one of SMTP AUTH auth by default on
    the MSA port; it treats 25 and 587 identically (so that things like
    IP-based relay auth work without need for SMTP AUTH).

    I sent a m4-only change to the Sendmail maintainers implementing a way
    to make 587 allow only relay-authorized clients to send anything at all
    by default -- whther IP-based relay auth, or SMTP AUTH, or any other
    method built in to the relay-check code path.  It was shot down by Claus
    because he simply doesn't understand the issue and doesn't think
    identical 25 and 587 ports is a threat.

-- 
-- Todd Vierling <tv@duh.org> <tv@pobox.com>




Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.