Re: Why do so few mail providers support Port 587?

From: JP Velders (no email)
Date: Wed Mar 02 2005 - 09:40:38 EST

    > Date: Mon, 28 Feb 2005 16:54:23 -0500
    > From: Nils Ketelsen <>
    > To:
    > Subject: Re: Why do so few mail providers support Port 587?

    > [ ... ]
    > I do not know about your E-Mail Policy, but normally it is either
    > allowed to use an external mailserver or not. If it is allowed, I
    > can as well allow Port 25 outgoing. If it is not I will block 25 and
    > 587.

    Our corporate policy is that if you want to send mail with a
    @ourdomain address, you have to use our mailserver. On that machine we
    can rewrite usernames etc. But I have lots of users who also work at
    other places - to give you a hint, many of my users are researchers
    over here, but teachers at different places.

    So it's *not* in my employer's best interest to disallow them *any*
    means of mailing with a @non-ourdomain address if that @non-ourdomain
    site allows them to do so via some other means than port 25...

    > > Port 587 on the other hand is meant for "submission" by clients. The
    > > security implications of allowing my users to contact such a port are
    > > very very low. If someone won't secure his mailserver on port 587,
    > > that's something different, but substantially different than if it
    > > were insecure on port 25...

    > An interesting theory. What is the substantial difference? For
    > me the security implications of "allowing the user to bypass our
    > mailsystem on port 25" and "allowing the user to bypass our mailsystem on
    > port 587" are not as obvious as they maybe are to you.

    Anything listening on port 587 - as has been said many times over in
    this discussion - should not blindly relay. It should demand
    authentication from the user and only when those are satisfactory
    relay.

    That was and is what port 587 is meant for. Port 25 has a much too
    diverse role in the way mail delivery is handled. But you can
    generally classify that it's used for inter-site communications and
    intra-site submission. Port 587 is for submission, intra-site and
    extra-site.

    Just because you only allow port 80 inbound to the machines which are
    supposed to be running webservers doesn't mean you only allow outbound
    port 80 traffic to those same machines ? You would allow outbound port
    80 traffic to the whole world...

    > Nils

    Regards,
    JP Velders
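
The rule stated in the message above, that a port 587 listener relays only after satisfactory authentication, can be checked against captured submission sessions. This is an added example, not part of the original message: the two transcripts are constructed, and `audit_submission` and `local_domains` are hypothetical names.

```python
import re

# Constructed sample sessions (C: client line, S: server reply).
RELAYING = """\
S: 220 mail.example.net ESMTP
C: EHLO laptop.example.org
S: 250-mail.example.net
S: 250 AUTH PLAIN LOGIN
C: MAIL FROM:<teacher@example.edu>
S: 250 2.1.0 Ok
C: RCPT TO:<someone@example.com>
S: 250 2.1.5 Ok
"""
AUTHENTICATED = """\
S: 220 mail.example.net ESMTP
C: EHLO laptop.example.org
S: 250-mail.example.net
S: 250 AUTH PLAIN LOGIN
C: MAIL FROM:<teacher@example.edu>
S: 530 5.7.0 Authentication required
C: AUTH PLAIN (credentials elided)
S: 235 2.7.0 Authentication successful
C: MAIL FROM:<teacher@example.edu>
S: 250 2.1.0 Ok
C: RCPT TO:<someone@example.com>
S: 250 2.1.5 Ok
"""

def audit_submission(transcript, local_domains=()):
    """Return non-local recipients the server accepted before a successful AUTH."""
    authed, pending, findings = False, None, []
    for line in transcript.splitlines():
        side, _, text = line.partition(": ")
        if side == "C":
            pending = text          # remember the command awaiting a reply
            continue
        m = re.match(r"(\d{3})([ -])", text)
        if not m or m.group(2) == "-" or pending is None:
            continue                # malformed line, continuation line, or greeting
        code = m.group(1)
        if code == "235":           # 235 is the SMTP AUTH success reply (RFC 4954)
            authed = True
        elif pending.upper().startswith("RCPT TO:") and code[0] == "2" and not authed:
            rcpt = pending[8:].strip().strip("<>")
            if rcpt.rpartition("@")[2].lower() not in local_domains:
                findings.append(rcpt)
        pending = None
    return findings
```

An empty result means every accepted non-local recipient followed a 235 reply; pass the server's own domains as `local_domains` so that local delivery is not reported as relaying.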

