
Re: Finding a replacement for my ISP's smtp server



On Mon, 28 Jul 2014 18:16:23 +0100
Brian <ad44@cityscape.co.uk> wrote:

> On Mon 28 Jul 2014 at 10:34:03 -0400, Jerry Stuckle wrote:
> 
> > On 7/28/2014 9:56 AM, Brian wrote:
> > > 
> > > How does the server tell the difference between talking to another
> > > server (which is acting as client) and what you call a "client"?
> > 
> > It doesn't, but operation is quite different.  MTAs typically
> > require no login on port 25, but only allow messages to be sent to
> > domains it serves (otherwise it quickly becomes a spam server).
> > Port 587 requires a login, but allows messages to be relayed to any
> > domain.
> 
> Would I be correct in thinking MTAs only talk to each other over port
> 25?
> 
> Would I also be right that using port 587 mandates authentication
> whereas with port 25 it is optional?
> 
> > Now, for historic reasons, some MTAs still allow login on port 25
> > (either directly or some indirect method like accessing a POP or
> > IMAP account before sending).  But these are becoming fewer and
> > fewer.
> 
> Port 25 then becomes used only for incoming messages to be sent to
> domains the server is responsible for? If so, that doesn't appear any
> different from the present situation. For relaying a login is
> perfectly understandable, but it can be done on port 25 too. What
> makes port 587 necessary?

Simply to provide a standard port on which authentication is expected
and used, leaving 25 for unauthenticated mail. An email sent to an
arbitrary address will be unauthenticated, because none of us have
authentication credentials for all the world's mail servers.
Unauthenticated mail will be delivered only *to* the domains the
receiving server is authoritative for, or relayed *to* anywhere, but
only *from* domains which are explicitly configured in the server. I
think the very basic Debian setup of exim4 allows the entry of such
permitted relaying domains, and certainly the full configuration file(s)
does so.
> 
> All my mail from home is sent directly using exim which, as far as I
> can make out will only send on port 25. Leaving aside what you say
> below (my ISP does not block outgoing port 25 traffic) I should not
> be affected? 
> > BTW, many ISPs have blocked outgoing port 25 connections
> > (especially on residential accounts) because there are a lot of
> > trojans out there which will install a minimal MTA on a user's
> > machine, unbeknownst to the user. This allows spammers to use the
> > compromised machine to be a spam source, hiding the real source of
> > the spam.

Almost as good is for ISPs to refuse to create proper PTR records for
domestic IP addresses. The vast majority of spam rejected by my server
comes from IP addresses which do not have a complementary PTR-A record
pair in public DNS, and this is a test which just about all SMTP servers
carry out on incoming mail. Virtually all the spam that does get
through comes from Google and Yahoo mail servers, and from 'business'
mail hosting accounts with random domain names set up purely for the
distribution of spam, which is presumably economic to do.

An effective further step is to accept email only for legitimate users
of the receiving domain, and not just <anyone>@domain.com. The large
majority of spam I see is sent to obviously made-up user names on my
domains, and my server would reject those connections if the DNS check
hadn't already done so. This is NDR spam, which relies on a SMTP server
accepting such mail, then the mail being refused by a subsequent
server or remaining uncollected by clients. The SMTP server which was
fooled now has to issue an NDR, sent to a forged sender address, now
coming from a fairly legitimate mail server and therefore being more
likely to be delivered to the real target, the forged sender address.
The NDR does, of course, contain the entire spam message. If all SMTP
servers accepted mail only for a set of named users, NDR spam could be
eliminated.

> 
> So, in world where every ISP blocks outgoing port 25 connections the
> delivering of one's own mail becomes impossible. The flow of spam and
> malware across the net will continue to increase though, I suppose.
> 
> 
That's supposedly the main distinction between domestic and business
Internet accounts, that business accounts don't block ports and do
permit the use of public Internet servers such as SMTP servers. Most
domestic accounts explicitly forbid server operation. In many countries,
business accounts are expensive or unavailable, and even in the UK,
'business' accounts tend to cost a fair bit more.

But ultimately, whatever TCP port number is used, it is impossible to
distinguish a spammer from a legitimate sender of email. We can't tell
spammers not to use 587, nor that they aren't permitted to use the
hijacked computer's TLS credentials, if any. DNS tests are currently
more reliable than blocking ports, though I do know two small-ish
businesses in the UK who use third-party mail services with incorrectly
setup DNS. I've told them a couple of times, but there is evidently
nobody involved who knows what a PTR record is. There are not many
people at ISPs who do, either.

-- 
Joe
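The three controls argued for in the message above (AUTH-only relaying on
587 with port 25 limited to the server's own domains, a PTR/A consistency
check on port 25 clients, and rejecting unknown recipients at RCPT time so
no NDR is ever generated) modelled as a small SMTP policy in Python. This
is an added example for this page, not exim's code and not anything posted
in the thread. The DNS records, IP addresses, the 192.0.2.0/24 trusted
network, the mailbox list and the credentials are all constructed so it
runs offline. One design choice is stated here as an assumption: the
unauthenticated relay exception keys on the client's source network rather
than on the claimed sender domain, because MAIL FROM is trivially forged.

```python
# Toy SMTP acceptance policy for the rules discussed in the thread.
# Added example, not exim's code; all data below is constructed.
import ipaddress
from dataclasses import dataclass, field

# Constructed DNS data standing in for live lookups (assumption).
PTR_RECORDS = {
    "203.0.113.10": "mx1.example.net",   # consistent PTR/A pair
    "203.0.113.20": "mail.example.org",  # PTR exists, A points elsewhere
    # 203.0.113.30 deliberately has no PTR, like a typical domestic address
}
A_RECORDS = {
    "mx1.example.net": {"203.0.113.10"},
    "mail.example.org": {"198.51.100.5"},
}


def fcrdns_ok(ip, ptr=PTR_RECORDS, a=A_RECORDS):
    """Forward-confirmed reverse DNS: ip -> PTR name -> A set must contain ip."""
    name = ptr.get(ip)
    return name is not None and ip in a.get(name, set())


@dataclass
class Policy:
    local_domains: set   # domains this server is authoritative for
    mailboxes: set       # the real addresses within those domains
    relay_nets: list     # client networks allowed to relay without AUTH
    users: dict = field(default_factory=dict)  # hypothetical SMTP AUTH users


@dataclass
class Session:
    port: int
    peer_ip: str
    authenticated: bool = False


def trusted_net(policy, ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in policy.relay_nets)


def on_connect(policy, session):
    """Port 25 only: refuse unknown clients lacking a matching PTR/A pair."""
    if (session.port == 25 and not trusted_net(policy, session.peer_ip)
            and not fcrdns_ok(session.peer_ip)):
        return "550 no matching PTR/A records for " + session.peer_ip
    return "220 mail.example.com ESMTP"


def on_auth(policy, session, user, password):
    """AUTH is advertised only on the submission port."""
    if session.port != 587:
        return "503 AUTH not available on this port"
    if policy.users.get(user) != password:
        return "535 authentication failed"
    session.authenticated = True
    return "235 authentication successful"


def on_rcpt(policy, session, rcpt):
    """Decide at RCPT time, so the server never has to bounce later."""
    domain = rcpt.rpartition("@")[2]
    if session.port == 587 and not session.authenticated:
        return "530 authentication required"
    if domain in policy.local_domains:
        # Local delivery: only real mailboxes, never <anyone>@domain.
        return "250 OK" if rcpt in policy.mailboxes else "550 no such user"
    # Relay elsewhere: only for authenticated or explicitly trusted clients.
    if session.authenticated or trusted_net(policy, session.peer_ip):
        return "250 OK, will relay"
    return "550 relay not permitted"


POLICY = Policy(
    local_domains={"example.com"},
    mailboxes={"joe@example.com", "postmaster@example.com"},
    relay_nets=[ipaddress.ip_network("192.0.2.0/24")],  # constructed LAN
    users={"joe": "correct-horse-battery-staple"},
)


def run_scenarios(policy=POLICY):
    """Exercise each rule once; returns {scenario: SMTP reply}."""
    out = {}
    out["p25_no_ptr"] = on_connect(policy, Session(25, "203.0.113.30"))
    out["p25_bad_ptr"] = on_connect(policy, Session(25, "203.0.113.20"))
    mx = Session(25, "203.0.113.10")            # proper MTA with PTR/A pair
    out["p25_good_ptr"] = on_connect(policy, mx)
    out["p25_real_user"] = on_rcpt(policy, mx, "joe@example.com")
    out["p25_fake_user"] = on_rcpt(policy, mx, "xq7zk@example.com")
    out["p25_relay"] = on_rcpt(policy, mx, "someone@elsewhere.invalid")
    sub = Session(587, "203.0.113.30")          # home client, no PTR: fine on 587
    out["p587_connect"] = on_connect(policy, sub)
    out["p587_unauth_relay"] = on_rcpt(policy, sub, "someone@elsewhere.invalid")
    out["p587_bad_auth"] = on_auth(policy, sub, "joe", "wrong")
    out["p587_good_auth"] = on_auth(policy, sub, "joe", "correct-horse-battery-staple")
    out["p587_auth_relay"] = on_rcpt(policy, sub, "someone@elsewhere.invalid")
    lan = Session(25, "192.0.2.7")              # trusted LAN host on port 25
    out["lan_connect"] = on_connect(policy, lan)
    out["lan_relay"] = on_rcpt(policy, lan, "someone@elsewhere.invalid")
    return out


if __name__ == "__main__":
    for name, reply in run_scenarios().items():
        print(f"{name:18} {reply}")
```

Running it prints one reply per scenario: the client with no PTR and the one
whose PTR does not resolve back are refused at connect on port 25 but not on
587; a made-up local user is refused at RCPT rather than accepted and bounced;
and relay to a foreign domain is allowed only after AUTH on 587 or from the
trusted network.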

