spamassassin-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ted Mittelstaedt <>
Subject Re: SA on outgoing SMTP
Date Tue, 16 Feb 2010 21:57:25 GMT
It is standard practice in the ISP industry to block outgoing port
25 nowadays on dynamically assigned addresses.

This is not a barrier to your customers using another mailserver
(google, gmail, etc.) because all of those businesses support
Auth-SMTP on the submission port 587.  In fact, nowadays most
require it.

This is only a barrier to your customers who want to operate their
own mailservers.

Since those customers should have static IP addresses, if your
network has any reasonable organization you have a subnet set aside
for static IP addresses, one for dynamics, etc.  You don't block the
statics when your doing this.

If your unwilling to block your dynamics from outbound SMTP then
it is perfectly legitimate for the rest of the Internet to block
you from sending them mail.  This is equivalent to somebody being
told that a home they own is being used by drug dealers to cook
methamphetamines, and the homeowner saying "I can hardly imagine to 
manage the policies of all my renters, and I know they would really 
don't like it", then the community getting together and firebombing
the home one night.


Alexandre Chapellon wrote:
> I am an ISP with over 50000 users (wich is not that big for an isp)
> permannently connected.
> I can hardly imagine to manage the poilicies of all my customer, and I
> know they would really don't like it.
> What if your ISP told you what you got to do, where to go and to forget
> about your buggy OS your using for years?
> But mostly I agree, a clean network should be the basis.
> Le mardi 16 février 2010 à 12:40 -0800, Ted Mittelstaedt a écrit :
>> I know your not going to want to hear this because your looking
>> for a quick fix, but nothing substitutes for good network design.
>> Your buggy customer network should enforce the following:
>> Direct SMTP transmission (port 25) is filtered so that only
>> machines designated as mailservers are allowed to send outbound
>> mail to port 25, everyone else must use the submission port 587 with
>> SMTP authentication to send mail to one of your mailservers, which
>> then relays this to the rest of the world.
>> I know you don't have this now.  But, you should be enforcing it
>> on new customers and you should adjust all of your self-help
>> documentation so that as customers discard PC's and set new ones
>> up, that they start using auth-SMTP on the submission port.
>> It will take a few years.  And for some time you will wonder why
>> your bothering since it will seem like your only doing all of the
>> extra work of maintaining auth-smtp for a minority of customer.
>> But the day will come that you will realize the majority of your
>> customers are using smtp-auth.  And every day after that the
>> number of clients sending mail directly to port 25 will continue
>> to dwindle and you will become more and more interested in just
>> chopping the minority off and letting them scream.
>> Ted
>> Alexandre Chapellon wrote:
>>> Hello the list,
>>> I have a quite buggy customer network, full of zombie PCs that spends
>>> all days sending spam and wasting the whole "reputation" of my networks.
>>> As a result it sometimes become quite hard to delivers queues for
>>> specific domains such as Yahoo!'s hosted ones. Indeed they have some
>>> temp fail (blacklist) mechanism that forbid my servers to send messages
>>> to them during hours.
>>> Taht's why I would like to setup some ougoing filtering to avoid sending
>>> too much spam through my mail relays. I think SA can help me in doing
>>> so, but I know too it's not really intented to work this way. I guess SA
>>> expects to work on MX hosts more than on smtp relays.
>>> My prerequisites are mainly:
>>>     - STOP as much spam as possible at SMTP time (before queuing)
>>>     - Have NO (or very few) false positives cause I could not manage
>>> telling thousands of users that they should *always_have_a_subject*,
>>> *shouldn't_write_the_subject_in_CAPS* or anything else.
>>> Further more I can't rely on RBL because a lot of my dyn IP address are
>>> regularily listed on different blacklist.
>>> Does anyone have already setup something like that and what specific
>>> config/tools/plugin could be usefull for me.
>>> If some one already done it.... does he/she have any statistics about
>>> the efficiency of this setup.
>>> Best regards.

View raw message