Next message: Paul G: "Re: High volume WHOIS queries"
On Mon, Feb 28, 2005 at 05:13:35PM -0500, wrote:
> On Mon, 28 Feb 2005 16:54:23 EST, Nils Ketelsen said:
> > An interesting theory. What is the substantial difference? For
> > me the security implications of "allowing the user to bypass our
> > mailsystem on port 25" and ""allowing the user to bypass our mailsystem on
> > port 587" are not as obvious as they maybe are to you.
>
> The big difference is that if they connect on outbound 25, they're basically
> unauthenticated at the other end. Port 587 "should be" authenticated, which
> means that the machine making the connection out is presumably a legitimate
> user of the destination mail server.
Okay, the main difference seems to be:
1. People here trust, that mailservers on port 587 will have
better configurations than mailservers on port 25 have today. I
do not share this positive attitude.
2. Port 587 Mailservers only make sense, when other Providers block
port 25. My point is: If my ISP blocks any outgoing port, he is no longer
an ISP I will buy service from. Therefore I do not need a 587-Mailserver,
as I do not use any ISP with Port 25-Blocking for connecting my sites or
users.
> If you're managing a corporate network, then yes, the distinction isn't
> that obvious, as you're restricting your own users. If you're running an
> ISP, you're being paid to *connect* people to other places, and making it
> more difficult than necessary is.. well... a Randy Bush quote. ;)
I agree. Just as I said: If the ISP blocks (and I do not care which port
he blocks), then it's time to go and look for another ISP. If I buy
Internet I do not want a provider that decides for me which parts of it I
am allowed to use today and which I am not.
"Wehret den Anfaengen" is the german saying, I currently cannot find a
good translation for.
Nils
