Hi all,
Does none of you block port 25 outbound on mailservers? The question is because it seems that some operators around us (at the moment Vodafone in Italy) do. We all know that this is possible if you allow outbound connections on port 587, but it requires a client reconfiguration. If you actually read RFC 2476 you will see the distinction made between "message transfer" (over port 25) and "message submission" (over port 587).
The actual problem is that a mobile customer cannot send out his e-mail from his ISP mailserver, but only from the mobile company one. If this turns out to be true, it will be a strong limitation on the market.
May I have your opinion about this?
Cheers/Manfredo
Warinet Global Services SA
You are hereby informed that this message contains confidential information intended for the addressee's use only. If you're not the addressee and have received this message by mistake, please delete it and immediately notify us. You may not copy or disseminate this message to anyone. Thank you.
On 2010-10-25 10:12, Manfredo Miserocchi wrote:
> Hi all,
> does none of you use to block port 25 outbound on mailservers ?
I assume you mean the access (DSL/Cable/modem) networks, hosting networks should never filter that stuff. And block is hopefully an ICMP Admin Reject.
> The question is because it seems that some operators around us (at the moment Vodafone in Italy) does.
Swisscom apparently is sniffing all outbound port 25 traffic and scanning the content and then rejecting it based on that.
It is still unknown how to turn off the sniffing and just get an ICMP admin reject for that instead though.
> We all know that this is possible if you allows outbound connections on port 587, but it requires a client reconfiguration. If you actually read RFC 2476 you will see the distinction made between "message transfer" (over port 25) and "message submission". (over port 587).
Mail user agents (MUAs) like Thunderbird/Outlook/etc. only do message submission from MUA to MTA.
Mail Transfer Agents (MTAs) like Postfix/Sendmail/etc. do message transfer between MTAs.
MUAs should solely use 587 with authentication, and then IMAP/POP3 to fetch their email; of course SSL variants should be used there too.
MTAs can provide submission service over 587 and use port 25 (again with TLS :) for transferring bits.
> The actual problem is that a mobile customer cannot send out his e-mail from his ISP mailserver, but only from the mobile company one.
Nonsense, just configure it to use port 587 and all is fine. Or do you run a full-fledged MTA on your mobile node!?
And indeed, MTAs can be configured too to do message submission over 587; generally they are in MUA mode then though, where they don't receive inbound messages over SMTP and a tool like fetchmail is used in that case.
> If this will result true, it will be a strong limitation on the market.
I do not see a 'strong limitation', your customer needs to configure their machine correctly and somebody needs to upgrade their mail clue.
Greets, Jeroen
-----Original Message-----
From: Jeroen Massar jeroen@unfix.org
To: mis@wari.net
Cc: swinog@lists.swinog.ch
Date: Mon, 25 Oct 2010 10:26:34 +0200
Subject: Re: [swinog] port 25 outbound
Jeroen,
> > The actual problem is that a mobile customer cannot send out his e-mail from his ISP mailserver, but only from the mobile company one.
> Nonsense, just configure it to use port 587 and all is fine. Or do you run a full-fledged MTA on your mobile node!?
Agreed. Just to clarify that this is not an issue for our network. But we had a lot of Italian people disappointed near us because they have standard-configured appliances that suddenly don't reach their ISP's mailservers any more. Common users coming from Apple stores with their new iPhone cannot send out their e-mail from one day to the next and they don't understand why :D
Vodafone didn't tell them anything about reconfiguring the AUTH 587 port. So the picture that emerges is that we are in a "dirty game", 'cause, apparently, it is the ISP mailserver that is not running :(
Cheers Manfredo
On 2010-10-25 12:49, Manfredo Miserocchi wrote: [..
> Agreed. Just to clarify that this is not an issue for our network. But we had a lot of Italian people disappointed near us because they have standard-configured appliances that suddenly don't reach their ISP's mailservers any more. Common users coming from Apple stores with their new iPhone cannot send out their e-mail from one day to the next and they don't understand why :D
Just one comment: Apple "Geniuses" should know better...
I thought people paid enough for those Apple toys so that they at least get configured properly...
Greets, Jeroen
On 25.10.10 13:47, Jeroen Massar wrote:
> On 2010-10-25 12:49, Manfredo Miserocchi wrote:
> > users coming from Apple stores with their new iPhone cannot send out their e-mail from one day to the next and they don't understand why :D
> Just one comment: Apple "Geniuses" should know better...
Should, indeed. But they aren't the type of people who *know*...
> I thought people paid enough for those Apple toys so that they at least get configured properly...
Should be easy enough to make software try both ports and save the one which works. But since Apple (and all the other client-side-software-people) and even the access providers suddenly blocking Port 25 don't suffer the consequences of the things they do, they don't feel like doing it properly.
Regards Peter
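
Peter's suggestion above (try both ports and save the one that works), as an added Python example that is not part of the thread or of any mail client. It prefers submission port 587, falls back to 25, and reports whether STARTTLS and AUTH were advertised; the cache file, the names `probe` and `choose_port`, and the fixed EHLO name `localhost` are assumptions.

```python
import json
import smtplib
from pathlib import Path

# Submission port first; the transfer port is only a fallback.
CANDIDATE_PORTS = (587, 25)


def probe(host, port, timeout=5.0):
    """Return the ESMTP extensions offered on host:port, or None if unusable."""
    try:
        # A fixed EHLO name (assumption) avoids a DNS lookup of our own hostname.
        with smtplib.SMTP(host, port, local_hostname="localhost",
                          timeout=timeout) as smtp:
            code, _ = smtp.ehlo()
            if not 200 <= code <= 299:
                return None
            return set(smtp.esmtp_features)  # lower-case extension names
    except OSError:  # refused, timed out, reset; SMTPException is an OSError too
        return None


def choose_port(host, cache_path, probe_fn=probe):
    """Try the saved port, then 587, then 25; save and return the first that works."""
    cache_path = Path(cache_path)
    cache = json.loads(cache_path.read_text()) if cache_path.exists() else {}
    order = dict.fromkeys(  # de-duplicates while keeping the order
        p for p in (cache.get(host), *CANDIDATE_PORTS) if p in CANDIDATE_PORTS)
    for port in order:
        features = probe_fn(host, port)
        if features is None:
            continue  # blocked, filtered or not listening: try the next one
        cache[host] = port
        cache_path.write_text(json.dumps(cache))
        # Credentials are only safe to offer if STARTTLS and AUTH are advertised.
        return {"port": port, "auth_ok": {"starttls", "auth"} <= features}
    return None
```

When `auth_ok` is false the client should not send credentials on that port, which is the usual situation on port 25.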
Hi
At 13:47 +0200 25.10.2010, Jeroen Massar wrote:
> On 2010-10-25 12:49, Manfredo Miserocchi wrote: [..
> > Agreed. Just to clarify that this is not an issue for our network. But we had a lot of Italian people disappointed near us because they have standard-configured appliances that suddenly don't reach their ISP's mailservers any more. Common users coming from Apple stores with their new iPhone cannot send out their e-mail from one day to the next and they don't understand why :D
> Just one comment: Apple "Geniuses" should know better...
maybe no Apple Genius was involved...
> I thought people paid enough for those Apple toys so that they at least get configured properly...
if you let the iDevice sync mail accounts with your computer, it will take the same settings as the mail client on the computer has... So if the mail client on the computer is set to use an alternative SMTP port, it should work, if it's using port 25 you might run into trouble...
Andreas
Hi,
On Mon, Oct 25, 2010 at 10:12 AM, Manfredo Miserocchi mis@wari.net wrote:
> does none of you use to block port 25 outbound on mailservers ?
The ISP I used to work for was admittedly a business customer oriented one, but we had the corporate philosophy to offer unrestricted and open internet to all of our access customers. This means we fundamentally would not block any outbound ports.
> The actual problem is that a mobile customer cannot send out his e-mail from his ISP mailserver, but only from the mobile company one. If this will result true, it will be a strong limitation on the market.
My counsel: choose another ISP and take your business to a place which does not choose the cheap way out (filter for all, ignore the collateral damage).
I believe the best possible choice is to offer by-default restricted (filtered inbound, outbound whatever seems reasonable for the ISP) but allow users to move to a different configuration which is unfiltered entirely. The ISP can detect bad behavior/infected machines (for example search for VIRBL) and force migration to a third (quarantine) pool, or if they don't want to do that, put the user in the restricted pool again.
Regards, Pim