Update to default exit policy

Dawney Smith dawneysmith at googlemail.com
Tue Aug 19 09:20:27 UTC 2008


Dominik Schaefer wrote:

>> Those are ports used for mail submission, not for mail relay. They won't
>> be abused by spammers. ISPs often block their consumer broadband users
>> from connecting to port 25 on servers outside of their network, to
>> prevent spam. They don't block 465 and 587, because they're not problem
>> ports and the point of them is that you authenticate before sending
>> mail, unlike port 25. You wouldn't block port 443 to prevent spammers
>> submitting mail via https://mail.google.com/ so why block these ports?
> Actually, it is a little more complicated. 465 is just plain
> SMTP-over-SSL, so not much different to non-encrypted SMTP on port 25.
> (BTW: AFAIR the recommended method for encrypting SMTP is to use port
> 25 with STARTTLS and not to use a different port, so connections to
> port 25 may be encrypted as well.)
>
> Concerning the submission port 587: Originally, the submission port
> needed neither to be encrypted, nor did it enforce authentication (see
> RFC 2476, http://www.faqs.org/rfcs/rfc2476.html).
> Authentication MAY be done before submitting mails.
> Only RFC 4409 (which obsoleted 2476) introduced a MUST for
> authentication of the sender, but is still quite recent (2006).
> AFAIR both RFCs make no statement about the encryption of connections
> to port 587 for mail submission, although 3207 (STARTTLS) states it
> can be useful.

1.) Can anyone here show me a mail server that runs on port 587 or port
465 that doesn't require authentication to send email?

2.) Now can anyone here show me a mail server that runs on port 25 that
doesn't require authentication to send email?

I suspect the answer to 1 is either "no", or a list of a couple of
servers. I suspect the answer to number 2 is "yes, here's a list of a
few hundred thousand."

Let's be a little pragmatic here. After all, the exit policy in question
was done for purely pragmatic and not technical reasons. Opening ports
465 and 587 will *not* cause the spam problem that blocking them was
intended to prevent. The number of mailboxes that would be able to be
spammed through those two ports without authentication is
insignificantly small (I can't demonstrate one, can you?). Blocking those
two ports by default achieves nothing.

Dawn
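To make the exit-policy change under discussion concrete, here is an added Python example (not from the thread or from the Tor project) that evaluates torrc-style ExitPolicy entries with Tor's first-match semantics, comparing a policy that rejects 25/465/587 with one that keeps rejecting only relay port 25. The policy lines and the 203.0.113.10 destination are constructed for illustration and are not Tor's actual shipped defaults.

```python
import ipaddress

# Constructed torrc-style policies: Tor evaluates entries in order and the first
# match wins. Illustrative only, NOT Tor's actual shipped default list.
OLD_POLICY = """
ExitPolicy reject *:25,reject *:119,reject *:135-139,reject *:445
ExitPolicy reject *:465,reject *:563,reject *:587,reject *:1214
ExitPolicy reject *:4661-4666,reject *:6346-6429,reject *:6881-6999
ExitPolicy accept *:*
"""
# The change argued for in the thread: still reject relay port 25, but stop
# rejecting the authenticated submission ports 465 and 587.
NEW_POLICY = """
ExitPolicy reject *:25,reject *:119,reject *:135-139,reject *:445,reject *:563
ExitPolicy reject *:1214,reject *:4661-4666,reject *:6346-6429,reject *:6881-6999
ExitPolicy accept *:*
"""

def parse_policy(text):
    """Turn ExitPolicy lines into (accept, network_or_None, lo_port, hi_port)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("ExitPolicy"):
            continue
        for entry in line[len("ExitPolicy"):].split(","):
            action, target = entry.split()
            addr, _, ports = target.rpartition(":")
            net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
            if ports == "*":
                lo, hi = 1, 65535
            elif "-" in ports:
                lo, hi = (int(p) for p in ports.split("-"))
            else:
                lo = hi = int(ports)
            rules.append((action == "accept", net, lo, hi))
    return rules

def exit_allows(rules, ip, port):
    """First matching rule decides; a destination no rule matches is rejected."""
    dest = ipaddress.ip_address(ip)
    for accept, net, lo, hi in rules:
        if (net is None or dest in net) and lo <= port <= hi:
            return accept
    return False

def compare(ports, ip="203.0.113.10"):
    # Per port: (allowed under OLD_POLICY, allowed under NEW_POLICY) for a sample host.
    old, new = parse_policy(OLD_POLICY), parse_policy(NEW_POLICY)
    return {p: (exit_allows(old, ip, p), exit_allows(new, ip, p)) for p in ports}

print(compare([25, 465, 587, 443]))  # old vs. new verdict per port
```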



More information about the tor-talk mailing list