Posted to users@spamassassin.apache.org by Bruno Carvalho <br...@xervers.pt> on 2019/03/22 16:59:56 UTC

Filtering at border routers: Is it possible?

Hello Folks. 

I've just joined this list, I didn't read all rules yet (just some), so
bear with me if my question is misplaced. 

I own a small datacenter with 4 uplinks. And I received complaints that
some of my clients are using my services for sending spam.
I wanted to know if it is possible to set up SpamAssassin on a VPS or
something and have the port 25 redirected to it from border routers. 

Important note: I don't know what domains are hosted inside my network. 

What I know is that 98% of the spam sent is using port 25. 

So, if someone knows a way to filter the mail traffic and block outbound
spam, I will be thankful. 

Regards

-- 

Bruno Carvalho (CEO xervers) | +41 79 884 00 44
Please consider the environment before printing this email

https://www.xervers.pt
https://www.facebook.com/xervers/
https://twitter.com/xervers

Re: Filtering at border routers: Is it possible?

Posted by "@lbutlr" <kr...@kreme.com>.
On 22 Mar 2019, at 13:00, Matt V <zv...@gmail.com> wrote:

>   <body text="#000000" bgcolor="#FFFFFF">

WHY⁉️

Don't do this, it is just hostile.



-- 
The Force can have a strong influence on a weak mind.



Re: Filtering at border routers: Is it possible?

Posted by Matt V <zv...@gmail.com>.
M3AAWG has a BCP for hosting providers, you might find some valuable 
ideas within it on how to address your issues:

https://www.m3aawg.org/sites/default/files/document/M3AAWG_Hosting_Abuse_BCPs-2015-03.pdf

Cheers,

Matt


On 2019-03-22 12:59 p.m., Bruno Carvalho wrote:
>
> Hello Folks.
>
> I've just joined this list, I didn't read all rules yet (just some), 
> so bear with me if my question is misplaced.
>
> I own a small datacenter with 4 uplinks. And I received complaints that 
> some of my clients are using my services for sending spam.
> I wanted to know if it is possible to set up SpamAssassin on a VPS or 
> something and have the port 25 redirected to it from border routers.
>
> Important note: I don't know what domains are hosted inside my network.
>
> What I know is that 98% of the spam sent is using port 25.
>
> So, if someone knows a way to filter the mail traffic and block 
> outbound spam, I will be thankful.
>
> Regards
>
> -- 
> Bruno Carvalho (CEO xervers) | +41 79 884 00 44
> Please consider the environment before printing this email
>
> Visit our website <https://www.xervers.pt>
> Facebook <https://www.facebook.com/xervers/> Twitter <https://twitter.com/xervers>
>
-- 
~
MATT VERNHOUT


Re: Filtering at border routers: Is it possible?

Posted by "@lbutlr" <kr...@kreme.com>.
On 22 Mar 2019, at 10:59, Bruno Carvalho <br...@xervers.pt> wrote:
> So, if someone knows a way to filter the mail traffic and block outbound spam, i will be thankfull.

tl;dr this is not a problem for SpamAssassin to fix.

All outbound mail from anyone in your datacenter running a mail server will have to go out on port 25. If you are having spam problems you should be able to track exactly who is doing that and shut them down. Trying to filter out spam is not the solution as spam filtering is not perfect.

Don't host spammers.

If your datacenter is set up so that you cannot track the spammers down and kick them off, then you have far more serious problems.

Or, block port 25 outbound.


-- 
I used to work in a fire hydrant factory. You couldn't park anywhere near the place.





Re: Filtering at border routers: Is it possible?

Posted by Grant Taylor <gt...@tnetconsulting.net>.
On 3/22/19 10:59 AM, Bruno Carvalho wrote:
> Hello Folks.

Hi,

> I've just joined this list, I didn't read all rules yet (just some), so 
> bear with me if my question is misplaced.

Welcome.

> I own a small datacenter with 4 uplinks. And I received complaints that 
> some of my clients are using my services for sending spam.

If I were you, I would ask for more details and / or examples of said spam.

> I wanted to know if it is possible to set up SpamAssassin on a VPS or 
> something and have the port 25 redirected to it from border routers.

No, yes, and no you shouldn't.

No, SpamAssassin by itself can't receive SMTP traffic.

Yes, you can set something up to receive the (redirected) SMTP traffic, 
send it through SpamAssassin, and send clean email out to the world.

(IMHO)  No, you should not do this.  -  If I were a (COLO) customer of 
yours and implemented a policy like this, I'd be quite hot under the 
collar and looking to move my services ASAP.  -  Communications between 
you and your customers can help this.

> Important note: I don't know what domains are hosted inside my network.

Depending on what your service is, this may be okay, or this may be a 
Bad Thing™.  IMHO it's okay if a COLO doesn't know the domains that are 
hosted by its customers.  I think it's a Bad Thing™ if they are your 
own servers for your own business and you don't know what domains you host.

> What I know is that 98% of the spam sent is using port 25.

I'm somewhat surprised it's not higher.  I say this because by 
standards, MTAs receive email on TCP port 25.  So I'd be surprised if 
there is anything measurable coming in over something other than port 25.

> So, if someone knows a way to filter the mail traffic and block outbound 
> spam, I will be thankful.

I question if it's your responsibility to filter the traffic.  Instead, 
I think you should get information about your internal IPs from the 
people reporting the spam and deal with this as a COLO customer that is 
perpetuating abusive activity and deal with it accordingly.

If you really have no idea what IPs are sending SMTP traffic, I would 
highly recommend something like NetFlow so that you can get information 
about the IPs that are sending SMTP traffic in your network.



-- 
Grant. . . .
unix || die


Re: Filtering at border routers: Is it possible?

Posted by "@lbutlr" <kr...@kreme.com>.
On 23 Mar 2019, at 23:06, RALPH HAUSER <be...@aol.com> wrote:
> STOP EMAILING ME! TAKE ME OFF OF THIS!

No.

You are the only person who can unsubscribe yourself from the list.

In the headers of *EVERY SINGLE* message there are these lines.

list-help: <ma...@spamassassin.apache.org>
list-unsubscribe: <ma...@spamassassin.apache.org>
List-Post: <ma...@spamassassin.apache.org>
List-Id: <users.spamassassin.apache.org>

Well-designed mail clients will use these headers to allow you to easily (usually with a single tap or click) unsubscribe from the list.

Also, when you SUBSCRIBED to the list, you were given instructions on how to unsubscribe.

So, help yourself instead of whining for someone else to take care of you.


-- 
We all need help with our feelings. Otherwise, we bottle them up, and
before you know it powerful laxatives are involved.



Re: Filtering at border routers: Is it possible?

Posted by RALPH HAUSER <be...@aol.com>.
STOP EMAILING ME! TAKE ME OFF OF THIS!

> On Mar 22, 2019, at 10:04 PM, John Hardin <jh...@impsec.org> wrote:
> 
>> On Fri, 22 Mar 2019, Benny Pedersen wrote:
>> 
>> John Hardin wrote on 2019-03-22 22:23:
>> 
>>>> Instead of taking on the job of filtering email for all of your clients (this, to me, will open up a can of worms), why not set a policy that port 25 is blocked by default and customers must request for it to be unblocked?
>>> +1
>> 
>> customers wish for port 25 open relay ?
> 
> huh?
> 
> -- 
> John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
> jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
> key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
> -----------------------------------------------------------------------
>  ...wind turbines are not meant to actually be an efficient way to
>  supply the power grid, rather they're prayer wheels for New Age
>  iBuddhists, their whirring blades drawing white guilt from the
>  atmosphere and pumping it safely underground.                -- Tam
> -----------------------------------------------------------------------
> 722 days since the first commercial re-flight of an orbital booster (SpaceX)


Re: Filtering at border routers: Is it possible?

Posted by John Hardin <jh...@impsec.org>.
On Fri, 22 Mar 2019, Benny Pedersen wrote:

> John Hardin wrote on 2019-03-22 22:23:
>
>>> Instead of taking on the job of filtering email for all of your clients 
>>> (this, to me, will open up a can of worms), why not set a policy that port 
>>> 25 is blocked by default and customers must request for it to be 
>>> unblocked?
>> 
>> +1
>
> customers wish for port 25 open relay ?

huh?

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   ...wind turbines are not meant to actually be an efficient way to
   supply the power grid, rather they're prayer wheels for New Age
   iBuddhists, their whirring blades drawing white guilt from the
   atmosphere and pumping it safely underground.                -- Tam
-----------------------------------------------------------------------
  722 days since the first commercial re-flight of an orbital booster (SpaceX)

Re: Filtering at border routers: Is it possible?

Posted by Dave Warren <dw...@thedave.ca>.
On 2019-03-22 18:39, Grant Taylor wrote:
> On 3/22/19 3:29 PM, Benny Pedersen wrote:
>> customers wish for port 25 open relay ?
> 
> Having unfettered access to send traffic to TCP port 25 is /not/ the 
> same thing as an open relay.

Especially if you are a host with your clients running self-managed 
servers and you therefore cannot guess at what software they might run.

I like the idea of restricting port 25 access by default although it 
should be easy to unblock -- The point isn't to annoy customers, just to 
reduce the odds of a compromised website/script being able to spew spam.

I also wouldn't offer unblocking of port 25 under a free trial, I would 
instead suggest offering a very generous refund policy for the same 
duration as a trial if your business model offers free trials. I don't 
know if this is still the case, but in the past spammers would sign up 
using free or ultra-cheap services to get a few days worth of spamming 
out of an account.


Re: Filtering at border routers: Is it possible?

Posted by Grant Taylor <gt...@tnetconsulting.net>.
On 3/22/19 3:29 PM, Benny Pedersen wrote:
> customers wish for port 25 open relay ?

Having unfettered access to send traffic to TCP port 25 is /not/ the 
same thing as an open relay.



-- 
Grant. . . .
unix || die


Re: Filtering at border routers: Is it possible?

Posted by Benny Pedersen <me...@junc.eu>.
John Hardin wrote on 2019-03-22 22:23:

>> Instead of taking on the job of filtering email for all of your 
>> clients (this, to me, will open up a can of worms), why not set a 
>> policy that port 25 is blocked by default and customers must request 
>> for it to be unblocked?
> 
> +1

customers wish for port 25 open relay ?

Re: Filtering at border routers: Is it possible?

Posted by John Hardin <jh...@impsec.org>.
On Fri, 22 Mar 2019, Anthony Hoppe wrote:

> Not knowing the details of your environment...
>
> Instead of taking on the job of filtering email for all of your clients 
> (this, to me, will open up a can of worms), why not set a policy that 
> port 25 is blocked by default and customers must request for it to be 
> unblocked?

+1

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Are you a mildly tech-literate politico horrified by the level of
   ignorance demonstrated by lawmakers gearing up to regulate online
   technology they don't even begin to grasp? Cool. Now you have a
   tiny glimpse into a day in the life of a gun owner.   -- Sean Davis
-----------------------------------------------------------------------
  722 days since the first commercial re-flight of an orbital booster (SpaceX)

Re: RE: Filtering at border routers: Is it possible?

Posted by Rupert Gallagher <ru...@protonmail.com>.
I think you are in for a lot of pain. This is the view from my seat. If my company has a client that sends spam using my IP, then my IP earns a bad reputation and is blacklisted. Therefore, my other clients are blacklisted too, even if they do not send spam. If I do not solve the problem, then I will lose all of my clients and go bankrupt, eventually.

As a businessman with complaining clients, I must hire a *professional* consultant who gets under my skin and finally tells me what my problem *is* and how to solve it.

None of us in this list can bear responsibility for your decisions.

Out of curiosity, did you look up for potential consultants? How much did they ask for wearing your problem?

On Fri, Mar 22, 2019 at 21:31, <br...@xervers.pt> wrote:

> Thank you all for your suggestions.
> I will follow the path of using a whitelist and block everyone.
> I can track the IPs, but I thought I could put in place something like what OVH does, for example (if their system detects spam being sent, the port on that IP is automatically blocked and the client alerted).
>
> Cheers
>
> Bruno Carvalho (CEO xervers) | +41 79 884 00 44
>  Please consider the environment before printing this email
>
> -----Original Message-----
> From: Benny Pedersen <me...@junc.eu>
> Sent: Friday, 22 March 2019 20:55
> To: users@spamassassin.apache.org
> Subject: Re: Filtering at border routers: Is it possible?
>
> Anthony Hoppe wrote on 2019-03-22 18:23:
>> Not knowing the details of your environment...
>>
>> Instead of taking on the job of filtering email for all of your
>> clients (this, to me, will open up a can of worms), why not set a
>> policy that port 25 is blocked by default and customers must request
>> for it to be unblocked?
>
> don't relay mail from port 25, mail there is for final recipients only, not forwarded
>
>> You can then build a list of who may be using your services to send
>> mail and better track if/when undesirable mail is sent from your
>> network?
>
> ask customers to use port 587 or 465 as common practice
>
> but do require SASL auth on these ports, reject all else
>
> sadly I see MTAs try to use 587 and 465, I'd like to know which book they read

RE: Filtering at border routers: Is it possible?

Posted by Giovanni Bechis <gi...@paclan.it>.
On 23 March 2019 12:53:52 CET, Giovanni Bechis <gi...@paclan.it> wrote:
>On 22 March 2019 21:31:40 CET, bruno.carvalho@xervers.pt wrote:
>>Thank you all for your suggestions.
>>I will follow the path of using a whitelist and block everyone.
>>I can track the IPs, but I thought I could put in place something like
>>what OVH does, for example (if their system detects spam being sent, the port
>>on that IP is automatically blocked and the client alerted).
>>
>>Cheers
>>
>>
>>Bruno Carvalho (CEO xervers) | +41 79 884 00 44
>> Please consider the environment before printing this email
>>
>>
>>
>>
>>-----Original Message-----
>>From: Benny Pedersen <me...@junc.eu> 
>>Sent: Friday, 22 March 2019 20:55
>>To: users@spamassassin.apache.org
>>Subject: Re: Filtering at border routers: Is it possible?
>>
>>Anthony Hoppe wrote on 2019-03-22 18:23:
>>> Not knowing the details of your environment...
>>> 
>>> Instead of taking on the job of filtering email for all of your 
>>> clients (this, to me, will open up a can of worms), why not set a 
>>> policy that port 25 is blocked by default and customers must request
>>> for it to be unblocked?
>>
>>don't relay mail from port 25, mail there is for final recipients only, not
>>forwarded
>>
>>> You can then build a list of who may be using your services to send 
>>> mail and better track if/when undesirable mail is sent from your 
>>> network?
>>
>>ask customers to use port 587 or 465 as common practice
>>
>>but do require SASL auth on these ports, reject all else
>>
>>sadly I see MTAs try to use 587 and 465, I'd like to know which book they read
>
>Hi,
>this is what OVH does (article in French, sorry):
>https://www.numerama.com/magazine/26297-ovh-copie-et-analyse-tous-les-e-mails-sortant-de-ses-serveurs.html
>  Giovanni

In short you should duplicate outbound SMTP traffic to a dedicated box that will analyze the traffic and drop all emails.
This can be done with amavisd and SA.
Then you should do some accounting and find the correct way to integrate this with your corporate firewalls to block offending IP addresses.
 Giovanni
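The accounting and firewall steps described above, as an added example that is not part of the thread and not amavisd's or SpamAssassin's own code: the sample log lines are constructed to resemble amavisd's "Passed/Blocked VERDICT {...}, [ip]:port" verdict format, the thresholds are assumptions, and the block decision is rendered as iptables commands for review rather than applied.

```python
"""Per-source accounting over amavisd verdict lines and a block decision.

Added example, not from the thread or from amavisd. The log lines below are
constructed to resemble amavisd's "Passed/Blocked VERDICT {...}, [ip]:port"
format; the thresholds and the iptables rendering are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample: 203.0.113.0/24 stands in for the customer address range.
SAMPLE_LOG = """\
Mar 22 10:00:01 relay amavis[2211]: (02211-01) Passed CLEAN {RelayedOutbound}, [203.0.113.10]:51234 [203.0.113.10] <a@cust1.test> -> <x@example.net>, Hits: -1.2, size: 2310
Mar 22 10:00:02 relay amavis[2211]: (02211-02) Passed SPAMMY {RelayedTaggedOutbound}, [203.0.113.10]:51235 [203.0.113.10] <a@cust1.test> -> <y@example.net>, Hits: 6.8, size: 1800
Mar 22 10:00:03 relay amavis[2211]: (02211-03) Blocked SPAM {DiscardedOutbound}, [203.0.113.10]:51236 [203.0.113.10] <a@cust1.test> -> <z@example.org>, Hits: 14.1, size: 1750
Mar 22 10:00:04 relay amavis[2211]: (02211-04) Blocked SPAM {DiscardedOutbound}, [203.0.113.10]:51237 [203.0.113.10] <a@cust1.test> -> <w@example.org>, Hits: 18.0, size: 1760
Mar 22 10:00:05 relay amavis[2211]: (02211-05) Passed CLEAN {RelayedOutbound}, [203.0.113.44]:40001 [203.0.113.44] <b@cust2.test> -> <q@example.com>, Hits: -2.5, size: 9000
Mar 22 10:00:06 relay amavis[2211]: (02211-06) Blocked SPAM {DiscardedOutbound}, [203.0.113.44]:40002 [203.0.113.44] <b@cust2.test> -> <r@example.com>, Hits: 11.3, size: 2100
"""

# Action, verdict, originating IP (the first bracketed address) and SA score.
VERDICT_RE = re.compile(
    r"amavis\[\d+\]: \(\S+\) (?P<action>Passed|Blocked) (?P<verdict>[A-Z-]+) \{[^}]*\}, "
    r"\[(?P<ip>[0-9a-fA-F.:]+)\]:\d+ .*?Hits: (?P<hits>-?\d+(?:\.\d+)?)"
)


def parse_verdicts(log_text):
    """Yield (ip, verdict, hits) for every amavisd verdict line."""
    for line in log_text.splitlines():
        m = VERDICT_RE.search(line)
        if m:
            yield m.group("ip"), m.group("verdict"), float(m.group("hits"))


def account_by_source(log_text):
    """Count total and spam verdicts per originating IP; keep the highest score."""
    stats = defaultdict(lambda: {"total": 0, "spam": 0, "max_hits": float("-inf")})
    for ip, verdict, hits in parse_verdicts(log_text):
        s = stats[ip]
        s["total"] += 1
        if verdict in ("SPAM", "SPAMMY"):
            s["spam"] += 1
        s["max_hits"] = max(s["max_hits"], hits)
    return dict(stats)


def block_candidates(stats, min_messages=3, min_spam_ratio=0.5):
    """IPs whose spam ratio crosses the threshold with enough volume to judge.

    The volume floor matters as much as the ratio: without it a single
    false positive from a low-volume customer turns into a blocked customer.
    """
    out = []
    for ip, s in sorted(stats.items()):
        if s["total"] >= min_messages and s["spam"] / s["total"] >= min_spam_ratio:
            out.append(ip)
    return out


def firewall_rules(ips, port=25):
    """Render the decision as iptables lines for an operator to review.

    Hooking this into the real border firewall (and alerting the customer)
    is deployment-specific and deliberately not automated here.
    """
    return [f"iptables -I FORWARD -s {ip} -p tcp --dport {port} -j REJECT" for ip in ips]


if __name__ == "__main__":
    stats = account_by_source(SAMPLE_LOG)
    for ip, s in sorted(stats.items()):
        print(f"{ip}: {s['spam']}/{s['total']} spam, max score {s['max_hits']}")
    for rule in firewall_rules(block_candidates(stats)):
        print(rule)
```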

Re: Filtering at border routers: Is it possible?

Posted by Rupert Gallagher <ru...@protonmail.com>.
I reject tons of spam from OVH. So much that I am banning whole CIDRs. Whatever they do, it's not working.

On Sat, Mar 23, 2019 at 12:53, Giovanni Bechis <gi...@paclan.it> wrote

> Hi,
> this is what OVH does (article in French, sorry):
> https://www.numerama.com/magazine/26297-ovh-copie-et-analyse-tous-les-e-mails-sortant-de-ses-serveurs.html
> Giovanni

RE: Filtering at border routers: Is it possible?

Posted by Giovanni Bechis <gi...@paclan.it>.
On 22 March 2019 21:31:40 CET, bruno.carvalho@xervers.pt wrote:
>Thank you all for your suggestions.
>I will follow the path of using a whitelist and block everyone.
>I can track the IPs, but I thought I could put in place something like
>what OVH does, for example (if their system detects spam being sent, the port
>on that IP is automatically blocked and the client alerted).
>
>Cheers
>
>
>Bruno Carvalho (CEO xervers) | +41 79 884 00 44
> Please consider the environment before printing this email
>
>
>
>
>-----Original Message-----
>From: Benny Pedersen <me...@junc.eu> 
>Sent: Friday, 22 March 2019 20:55
>To: users@spamassassin.apache.org
>Subject: Re: Filtering at border routers: Is it possible?
>
>Anthony Hoppe wrote on 2019-03-22 18:23:
>> Not knowing the details of your environment...
>> 
>> Instead of taking on the job of filtering email for all of your 
>> clients (this, to me, will open up a can of worms), why not set a 
>> policy that port 25 is blocked by default and customers must request 
>> for it to be unblocked?
>
>don't relay mail from port 25, mail there is for final recipients only, not
>forwarded
>
>> You can then build a list of who may be using your services to send 
>> mail and better track if/when undesirable mail is sent from your 
>> network?
>
>ask customers to use port 587 or 465 as common practice
>
>but do require SASL auth on these ports, reject all else
>
>sadly I see MTAs try to use 587 and 465, I'd like to know which book they read

Hi,
this is what OVH does (article in French, sorry):
https://www.numerama.com/magazine/26297-ovh-copie-et-analyse-tous-les-e-mails-sortant-de-ses-serveurs.html
  Giovanni

Re: Filtering at border routers: Is it possible?

Posted by Bill Cole <sa...@billmail.scconsult.com>.
On 22 Mar 2019, at 20:37, Grant Taylor wrote:

> What is wrong with having SMTP Authentication on the MTA port as an 
> /option/?

It creates unnecessary attack surface (i.e. one more place a stolen 
credential works.)
It creates error-prone complexity in the configuration.

-- 
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole

Re: Filtering at border routers: Is it possible?

Posted by Dave Warren <dw...@thedave.ca>.
On 2019-03-22 21:43, Grant Taylor wrote:
> On 3/22/19 7:01 PM, Dave Warren wrote:
>> To me, the big one is this: It sets your users up for failure. If a 
>> user configures their client on a network that allows unrestricted 
>> port 25 access and later moves (temporarily or permanently) to a 
>> network that does restrict port 25, they'll get an error and you'll 
>> get a support ticket.
> 
> Valid as that is, that is addressing a client issue, not a server issue.

It isn't really a server or client issue, rather, it is a user issue and 
a technical support issue.


>> You'll save yourself a lot of hassle if you get clients set up right 
>> from the start rather than fixing user configurations after the fact.
> 
> Agreed.  But configuring clients to use port 587 or 465 does not 
> preclude allowing SMTP Authentication on port 25.

This isn't really true.

By rejecting authentication on port 25 upfront you force clients to be 
configured properly from the start whereas when you allow authentication 
on port 25 a client will often guess at port 25, see that it works and 
the user will not reconfigure anything despite what the instructions 
recommend.


>> One other consideration, although this is more opinion than fact: In 
>> my experience users/clients that still default to port 25 often don't 
>> default to STARTTLS and therefore will transmit an unencrypted 
>> password at least once (even if you refuse it and instruct them to 
>> authenticate, the damage could already have been done). Forcing 465 is 
>> the only way to ensure that this can't happen, but clients that 
>> default to 587 are far more likely to default to using encryption.
> 
> There is another way.  You can configure the server to not offer SMTP 
> Authentication until after encryption is established with STARTTLS.

That doesn't work because some (poorly written) clients blindly throw 
authentication commands hoping to get a response.

This is an admittedly minor issue as it would require an attacker in a 
MITM position to have a chance at intercepting it, but it is still less 
than ideal.


Re: Filtering at border routers: Is it possible?

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>On 3/22/19 7:01 PM, Dave Warren wrote:
>>To me, the big one is this: It sets your users up for failure. If a 
>>user configures their client on a network that allows unrestricted 
>>port 25 access and later moves (temporarily or permanently) to a 
>>network that does restrict port 25, they'll get an error and you'll 
>>get a support ticket.

On 22.03.19 21:43, Grant Taylor wrote:
>Valid as that is, that is addressing a client issue, not a server issue.

it's better to prevent client issues immediately, when configuring the MUA, than
later when the client is on a vacation across the world.

>>You'll save yourself a lot of hassle if you get clients set up right 
>>from the start rather than fixing user configurations after the 
>>fact.
>
>Agreed.  But configuring clients to use port 587 or 465 does not 
>preclude allowing SMTP Authentication on port 25.
>
>>One other consideration, although this is more opinion than fact: In 
>>my experience users/clients that still default to port 25 often 
>>don't default to STARTTLS and therefore will transmit an unencrypted 
>>password at least once (even if you refuse it and instruct them to 
>>authenticate, the damage could already have been done). Forcing 465 
>>is the only way to ensure that this can't happen, but clients that 
>>default to 587 are far more likely to default to using encryption.

>There is another way.  You can configure the server to not offer SMTP 
>Authentication until after encryption is established with STARTTLS.

Postfix option smtpd_tls_auth_only (default no - I wonder why) does this.
However, if you are able to force clients to use the alternative ports, it's
better to disable auth on port 25 altogether.
-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
A day without sunshine is like, night.
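A way to verify which of the three states discussed in this thread a listener you operate is actually in, as an added example that is not part of the thread and not Postfix's own tooling: parse_ehlo() and classify_auth() work on constructed EHLO replies, and probe() (a hypothetical helper name) performs the same EHLO, STARTTLS, EHLO sequence live with Python's standard smtplib against a server you run.

```python
"""Check what an SMTP listener advertises before and after STARTTLS.

Added example, not from the thread or from Postfix. parse_ehlo() and
classify_auth() work on EHLO reply text; probe() (hypothetical name) runs
the same EHLO / STARTTLS / EHLO sequence against a server you operate.
"""
import smtplib
import ssl

# Constructed EHLO replies. WEAK advertises AUTH before any encryption;
# GOOD offers it only after STARTTLS (what smtpd_tls_auth_only=yes yields);
# a port-25 MX with submission moved to 587/465 shows no AUTH at all.
EHLO_PLAIN_WEAK = "250-mx.example.test Hello\n250-STARTTLS\n250-AUTH PLAIN LOGIN\n250 8BITMIME"
EHLO_PLAIN_GOOD = "250-mx.example.test Hello\n250-STARTTLS\n250 8BITMIME"
EHLO_AFTER_TLS = "250-mx.example.test Hello\n250-AUTH PLAIN LOGIN\n250 8BITMIME"


def parse_ehlo(reply):
    """Turn a raw multi-line EHLO reply into {KEYWORD: parameters}.

    Lines look like "250-KEYWORD params" (or "250 KEYWORD" on the last one);
    the first line carries the server greeting, not an extension.
    """
    features = {}
    for line in reply.splitlines()[1:]:
        body = line[4:].strip()  # drop the "250-" / "250 " prefix
        if body:
            keyword, _, params = body.partition(" ")
            features[keyword.upper()] = params
    return features


def classify_auth(before_tls, after_tls):
    """Classify a listener by when (if ever) it advertises AUTH."""
    if "AUTH" in before_tls:
        return "auth-in-cleartext"    # a client may send credentials unencrypted
    if "AUTH" in after_tls:
        return "auth-after-starttls"  # smtpd_tls_auth_only=yes behaviour
    return "no-auth"                  # port 25 with submission on 587/465 only


def probe(host, port=25, timeout=10.0):
    """Live check of your own MX: EHLO, STARTTLS if offered, EHLO again.

    The default SSL context verifies the server certificate, so a name
    mismatch on your own host surfaces as an exception rather than a verdict.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        # smtplib stores extension names lower-cased; normalise to match parse_ehlo()
        before = {k.upper(): v for k, v in s.esmtp_features.items()}
        after = {}
        if s.has_extn("starttls"):
            s.starttls(context=ssl.create_default_context())
            s.ehlo()  # extensions must be re-read after the TLS handshake
            after = {k.upper(): v for k, v in s.esmtp_features.items()}
    return classify_auth(before, after)


if __name__ == "__main__":
    for name, plain in (("weak", EHLO_PLAIN_WEAK), ("good", EHLO_PLAIN_GOOD)):
        print(name, classify_auth(parse_ehlo(plain), parse_ehlo(EHLO_AFTER_TLS)))
```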

Re: Filtering at border routers: Is it possible?

Posted by Grant Taylor <gt...@tnetconsulting.net>.
On 3/22/19 7:01 PM, Dave Warren wrote:
> To me, the big one is this: It sets your users up for failure. If a user 
> configures their client on a network that allows unrestricted port 25 
> access and later moves (temporarily or permanently) to a network that 
> does restrict port 25, they'll get an error and you'll get a support 
> ticket.

Valid as that is, that is addressing a client issue, not a server issue.

> You'll save yourself a lot of hassle if you get clients set up right 
> from the start rather than fixing user configurations after the fact.

Agreed.  But configuring clients to use port 587 or 465 does not 
preclude allowing SMTP Authentication on port 25.

> One other consideration, although this is more opinion than fact: In my 
> experience users/clients that still default to port 25 often don't 
> default to STARTTLS and therefore will transmit an unencrypted password 
> at least once (even if you refuse it and instruct them to authenticate, 
> the damage could already have been done). Forcing 465 is the only way to 
> ensure that this can't happen, but clients that default to 587 are far 
> more likely to default to using encryption.

There is another way.  You can configure the server to not offer SMTP 
Authentication until after encryption is established with STARTTLS.



-- 
Grant. . . .
unix || die


Re: Filtering at border routers: Is it possible?

Posted by Dave Warren <dw...@thedave.ca>.
On 2019-03-22 18:37, Grant Taylor wrote:
> On 3/22/19 3:23 PM, Benny Pedersen wrote:
>> you only need sasl auth
> 
> You should do the SMTP Authentication across STARTTLS to protect 
> credentials.
> 
>> do not enable sasl auth on port 25, if it lists AUTH on port 25 EHLO, 
>> you will need to remove it in postfix main.cf
>>
>> enable sasl auth only on port 465 and 587
> 
> What is wrong with having SMTP Authentication on the MTA port as an 
> /option/?

To me, the big one is this: It sets your users up for failure. If a user 
configures their client on a network that allows unrestricted port 25 
access and later moves (temporarily or permanently) to a network that 
does restrict port 25, they'll get an error and you'll get a support ticket.

You'll save yourself a lot of hassle if you get clients set up right 
from the start rather than fixing user configurations after the fact.

One other consideration, although this is more opinion than fact: In my 
experience users/clients that still default to port 25 often don't 
default to STARTTLS and therefore will transmit an unencrypted password 
at least once (even if you refuse it and instruct them to authenticate, 
the damage could already have been done). Forcing 465 is the only way to 
ensure that this can't happen, but clients that default to 587 are far 
more likely to default to using encryption.

Re: Filtering at border routers: Is it possible?

Posted by Grant Taylor <gt...@tnetconsulting.net>.
On 3/22/19 3:23 PM, Benny Pedersen wrote:
> you only need sasl auth

You should do the SMTP Authentication across STARTTLS to protect 
credentials.

> do not enable sasl auth on port 25, if it lists AUTH on port 25 EHLO, 
> you will need to remove it in postfix main.cf
> 
> enable sasl auth only on port 465 and 587

What is wrong with having SMTP Authentication on the MTA port as an 
/option/?

Sure, /requiring/ SMTP Authentication on an inbound MX is a bad idea and 
a non-starter.

But I don't think there's any reason why it can't be there as an option. 
  I just tested and confirmed that Gmail will deliver perfectly fine 
with the AUTH option presented after EHLO.

> all else is insane

Why is having the SMTP Auth option insane on an MTA?



-- 
Grant. . . .
unix || die


Re: Filtering at border routers: Is it possible?

Posted by Benny Pedersen <me...@junc.eu>.
bruno.carvalho@xervers.pt wrote on 2019-03-22 21:31:
> Thank you all for your suggestions.
> I will follow the path of using a whitelist and block everyone.
> I can track the IPs, but I thought I could put in place something like
> what OVH does, for example (if their system detects spam being sent, the port
> on that IP is automatically blocked and the client alerted).

whitelist ?

you only need sasl auth

do not enable sasl auth on port 25, if it lists AUTH on port 25 EHLO, 
you will need to remove it in postfix main.cf

enable sasl auth only on port 465 and 587

all else is insane

RE: Filtering at border routers: Is it possible?

Posted by br...@xervers.pt.
Thank you all for your suggestions.
I will follow the path of using a whitelist and block everyone.
I can track the IPs, but I thought I could put in place something like what OVH does, for example (if their system detects spam being sent, the port on that IP is automatically blocked and the client alerted).

Cheers


Bruno Carvalho (CEO xervers) | +41 79 884 00 44
 Please consider the environment before printing this email




-----Original Message-----
From: Benny Pedersen <me...@junc.eu> 
Sent: Friday, 22 March 2019 20:55
To: users@spamassassin.apache.org
Subject: Re: Filtering at border routers: Is it possible?

Anthony Hoppe wrote on 2019-03-22 18:23:
> Not knowing the details of your environment...
> 
> Instead of taking on the job of filtering email for all of your 
> clients (this, to me, will open up a can of worms), why not set a 
> policy that port 25 is blocked by default and customers must request 
> for it to be unblocked?

don't relay mail from port 25, mail there is for final recipients only, not forwarded

> You can then build a list of who may be using your services to send 
> mail and better track if/when undesirable mail is sent from your 
> network?

ask customers to use port 587 or 465 as common practice

but do require SASL auth on these ports, reject all else

sadly I see MTAs try to use 587 and 465, I'd like to know which book they read


Re: Filtering at border routers: Is it possible?

Posted by Benny Pedersen <me...@junc.eu>.
Noel Butler wrote on 2019-03-23 02:44:

> you have not been taking your medication again Benny

it keeps me awake at least :)

it's the weekend and I was bored, creating a Gentoo ebuild for pymilter 1.0.2; 
repoman -d full is happy, so I am as well

Re: Filtering at border routers: Is it possible?

Posted by Grant Taylor <gt...@tnetconsulting.net>.
On 3/23/19 2:03 PM, Rupert Gallagher wrote:
> I was royally pissed when they introduced port 587 and deprecated port 
> 465. Port 587 is an RFC mandated security loophole. Port 465 is golden.

TCP port 465 has retroactively been returned to official status.  It has 
two uses, SMTPS, and something else (I believe) not email related.

But 465 is an official thing again.



-- 
Grant. . . .
unix || die


Re: Filtering at border routers: Is it possible?

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>On 25 Mar 2019, at 09:49, Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:
>> I can't see anywhere how smtps could mean multicast audio.

On 25.03.19 22:27, @lbutlr wrote:
>That may have been a different use for port 465? I was operating from memory.

different use, but it was not called ssmtp. 
what I want to say is that smtps always meant ssl'ed smtp.

>I wasn't trying to do a ton of research on this. The point is 465 was a MSFT thing

actually no. They used the previously defined smtps. Yes, they used it after it
was deprecated, but in a compatible way.

> that they did ignoring the specs, as they loved to do (see breaking
> kerberos and many other examples), but that there is a new RFC for the use
> of port 465 as a submissions port (as opposed to the port 587 submission
> port).

I've been using 465 with enforced authentication on many servers for years.

never heard about source-specific multicast (SSM) until now...

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Atheism is a non-prophet organization. 

Re: Filtering at border routers: Is it possible?

Posted by Bill Cole <sa...@billmail.scconsult.com>.
On 26 Mar 2019, at 0:27, @lbutlr wrote:

> That may have been a different use for port 465? I was operating from 
> memory.

Cisco SSM. See 
https://www.cisco.com/c/en/us/td/docs/ios/12_2/ip/configuration/guide/fipr_c/1cfssm.pdf

-- 
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole

Re: Filtering at border routers: Is it possible?

Posted by @lbutlr, kr...@kreme.com.
On 25 Mar 2019, at 09:49, Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:
> I can't see anywhere how smtps could mean multicast audio.

That may have been a different use for port 465? I was operating from memory.

I wasn't trying to do a ton of research on this. The point is 465 was a MSFT thing that they did ignoring the specs, as they loved to do (see breaking kerberos and many other examples), but that there is a new RFC for the use of port 465 as a submissions port (as opposed to the port 587 submission port).



-- 
Competent? How are we going to compete with that?



Re: Filtering at border routers: Is it possible?

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>>> And didn't Microsoft start using it for their non-standard email in Windows 95?
>> I'm not sure how non-standard Microsoft's use of SMTP-over-TLS (SMTPS /
>> TCP port 465) is.  The closest thing I remember to non-standard nature
>> was that they were atypical in their choice of preferring SMTP-over-TLS
>> verses the more common MSA port combined with STARTTLS.  But as far as I
>> know, SMTP-over-TLS / SMTPS / TCP port 465 is standard.

>> On 3/24/19 1:00 PM, @lbutlr wrote:
>Is now. Was not then. Was not for many many years. RFC 8314 is very recent.
>
>>> Also, smtps and SMTPS are not, oddly, then same thing.

>On 24 Mar 2019, at 13:16, Grant Taylor <gt...@tnetconsulting.net> wrote:
>> Okay, what do you think the difference is in "smtps" and "SMTPS"?

On 24.03.19 18:45, @lbutlr wrote:
>The details escape me, but they are different. I think the lowercase one is the multicast audio.
>
>Oh, look, Wikipedia has some details.
>
><https://en.wikipedia.org/wiki/SMTPS#Difference_between_SMTPS_and_smtps>

I can't see anywhere how smtps could mean multicast audio.

the only difference I can see was that smtps was originally designed for use
by MTAs (but afaik it never was really used as such), while now it's
designed for use by MUAs, but it's mostly the same protocol.

in fact, many people used it for MUAs most of the time, especially clients
like outlook express and outlook <2007 that couldn't do STARTTLS on a port
other than 25.

However, it wasn't very different from port 25, at least until
authentication became widely used by clients and/or enforced (which can't be
done when receiving on port 25 of mail servers).

So, it wasn't an M$-only crutch, I'd rather say it's another example of what
microsoft took and used in their own incompatible way (how typical for them),
which is compatible now.

Finally, I hope we have discussed this and can finish this thread :)
-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
42.7 percent of all statistics are made up on the spot. 

Re: Filtering at border routers: Is it possible?

Posted by Grant Taylor <gt...@tnetconsulting.net>.
On 3/24/19 6:45 PM, @lbutlr wrote:
> Which I posted a few messages upthread.

ACK

> Is now. Was not then. Was not for many many years. RFC 8314 is very 
> recent.

I think we may be talking about two different things.  I'm talking about 
the protocol that went over the port.  I think you are talking about the 
at-the-time standardization status of the port number.

I don't really care what IANA / IETF / et al. think of the port's 
status.  I'm going by the fact that the industry at large tended to 
think of three main ports:

  · SMTP on TCP port 25
  · SMTPS / submissions on TCP port 465
  · submission on TCP port 587

At least, the ports that the SMTP protocol was used on.

> The details escape me, but they are different. I think the lowercase 
> one is the multicast audio.

Ah.  I wasn't aware of that nuance.  I thought you were alluding to 
something like the difference between SMTP and submission.  IMHO both of 
which use SMTP, albeit for different client bases and purposes.

> Oh, look, Wikipedia has some details.
> 
> <https://en.wikipedia.org/wiki/SMTPS#Difference_between_SMTPS_and_smtps>

ACK



-- 
Grant. . . .
unix || die


Re: Filtering at border routers: Is it possible?

Posted by "@lbutlr" <kr...@kreme.com>.
On 24 Mar 2019, at 19:06, Reindl Harald <h....@thelounge.net> wrote:
> well, given all that technical bullshit you are talking on several lists
> at least for 5 years better shut up...

I asked you to stop emailing me directly, so stop emailing me directly.



-- 
Well I've seen the Heart of Darkness/Read the writing on the wall/and the
voice out in the desert/Was the voice out in the hall



Re: Filtering at border routers: Is it possible?

Posted by LuKreme <kr...@kreme.com>.
On Mar 24, 2019, at 18:51, Reindl Harald <h....@thelounge.net> wrote:
>> On 25.03.19 at 01:45, @lbutlr wrote:
>>> On 24 Mar 2019, at 13:12, Grant Taylor <gt...@tnetconsulting.net> wrote:
>>> Okay, what do you think the difference is in "smtps" and "SMTPS"?
>> 
>> Oh, look, Wikipedia has some details.
>> 
>> <https://en.wikipedia.org/wiki/SMTPS#Difference_between_SMTPS_and_smtps>
> IDIOT

Stop replying to me, ok? In fact, never email me again.

> When describing the IANA service registration, the official
> capitalization is "smtps". When describing the network protocol, the
> capitalization "SMTPS" is often used (similar to how HTTPS is capitalized)

No, try reading for comprehension. Lowercase describes a server to server connection.

-- 
My main job is trying to come up with new and innovative and effective ways to reject even more mail. I'm up to about 97% now.


Re: Filtering at border routers: Is it possible?

Posted by "@lbutlr" <kr...@kreme.com>.
On 24 Mar 2019, at 13:12, Grant Taylor <gt...@tnetconsulting.net> wrote:
> That changed within the last couple of years.  Check out RFC 8314.

Which I posted a few messages upthread.

On 24 Mar 2019, at 13:16, Grant Taylor <gt...@tnetconsulting.net> wrote:
> On 3/24/19 1:00 PM, @lbutlr wrote:
>> And didn't Microsoft start using it for their non-standard email in Windows 95?
> 
> I'm not sure how non-standard Microsoft's use of SMTP-over-TLS (SMTPS / TCP port 465) is.  The closest thing I remember to non-standard nature was that they were atypical in their choice of preferring SMTP-over-TLS versus the more common MSA port combined with STARTTLS.  But as far as I know, SMTP-over-TLS / SMTPS / TCP port 465 is standard.

Is now. Was not then. Was not for many many years. RFC 8314 is very recent.

>> Also, smtps and SMTPS are not, oddly, the same thing.
> 
> Okay, what do you think the difference is in "smtps" and "SMTPS"?

The details escape me, but they are different. I think the lowercase one is the multicast audio.

Oh, look, Wikipedia has some details.

<https://en.wikipedia.org/wiki/SMTPS#Difference_between_SMTPS_and_smtps>



-- 
MS Word still hasn't caught up -- it has more bells and whistles, but not as
many pistons and cylinders. -- Steve Hayes



Re: Filtering at border routers: Is it possible?

Posted by Grant Taylor <gt...@tnetconsulting.net>.
On 3/24/19 1:00 PM, @lbutlr wrote:
> And didn't Microsoft start using it for their non-standard email in Windows 95?

I'm not sure how non-standard Microsoft's use of SMTP-over-TLS (SMTPS / 
TCP port 465) is.  The closest thing I remember to non-standard nature 
was that they were atypical in their choice of preferring SMTP-over-TLS 
versus the more common MSA port combined with STARTTLS.  But as far as I 
know, SMTP-over-TLS / SMTPS / TCP port 465 is standard.

Please correct me if I'm wrong.

> Also, smtps and SMTPS are not, oddly, the same thing.

Okay, what do you think the difference is in "smtps" and "SMTPS"?

At first blush, the only difference I see is case.  What am I missing?



-- 
Grant. . . .
unix || die


Re: Filtering at border routers: Is it possible?

Posted by "@lbutlr" <kr...@kreme.com>.

> On 24 Mar 2019, at 12:23, Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:
> 
>> On 23 Mar 2019, at 14:03, Rupert Gallagher <ru...@protonmail.com> wrote:
>>> I was royally pissed when they introduced port 587 and deprecated port 465. Port 587 is an RFC mandated security loophole. Port 465 is golden.
> 
> On 23.03.19 21:13, @lbutlr wrote:
>> Port 465 was a non-standard MSFT crutch, but is now used for SMTPS and is fully supported.
> 
> i did think the same, but:
> 
> In early 1997, the Internet Assigned Numbers Authority registered port 465 for smtps.[2] Late 1998 this was revoked when STARTTLS was standardized.[3]

And didn't Microsoft start using it for their non-standard email in Windows 95?

Also, smtps and SMTPS are not, oddly, the same thing.


-- 
Up the airy mountains, down the rushy glen... From ghosties and bogles
and long-leggity beasties... My mother said I never should... We dare
not go a-hunting for fear... And things that go bump... Play with the
fairies in the wood... --Lords and Ladies




Re: Filtering at border routers: Is it possible?

Posted by Grant Taylor <gt...@tnetconsulting.net>.
On 3/24/19 12:23 PM, Matus UHLAR - fantomas wrote:
> In early 1997, the Internet Assigned Numbers Authority registered port 
> 465 for smtps.[2] Late 1998 this was revoked when STARTTLS was 
> standardized.[3]

That changed within the last couple of years.  Check out RFC 8314.

Link - Cleartext Considered Obsolete: Use of Transport Layer Security 
(TLS) for Email Submission and Access
  - https://tools.ietf.org/html/rfc8314

TL;DR:  SMTPS / TCP port 465 is back on the books.  Albeit with a 
weird sordid history.



-- 
Grant. . . .
unix || die


Re: Filtering at border routers: Is it possible?

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>On 23 Mar 2019, at 14:03, Rupert Gallagher <ru...@protonmail.com> wrote:
>> I was royally pissed when they introduced port 587 and deprecated port 465. Port 587 is an RFC mandated security loophole. Port 465 is golden.

On 23.03.19 21:13, @lbutlr wrote:
>Port 465 was a non-standard MSFT crutch, but is now used for SMTPS and is fully supported.

i did think the same, but:

In early 1997, the Internet Assigned Numbers Authority registered port 465 for smtps.[2] Late 1998 this was revoked when STARTTLS was standardized.[3]

[2] http://lists.w3.org/Archives/Public/ietf-tls/1997JanMar/0079.html
[3] https://web.archive.org/web/20150603202057/http://www.imc.org/ietf-apps-tls/mail-archive/msg00204.html


-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I just got lost in thought. It was unfamiliar territory. 

Re: Filtering at border routers: Is it possible?

Posted by "@lbutlr" <kr...@kreme.com>.
On 23 Mar 2019, at 14:03, Rupert Gallagher <ru...@protonmail.com> wrote:
> I disagree with Kevin on port 587, because it is vulnerable to mitm attacks. 

You're going to need to back that up with actual facts.

> I was royally pissed when they introduced port 587 and deprecated port 465. Port 587 is an RFC mandated security loophole. Port 465 is golden. 

Port 465 was a non-standard MSFT crutch, but is now used for SMTPS and is fully supported.

It will break some oddball multicast audio that was little used, but that is not a problem for hardly anyone.

<https://tools.ietf.org/html/rfc8314>
When a TCP connection is established for the "submissions" service (default port 465), a TLS handshake begins immediately.  Clients MUST implement the certificate validation mechanism described in [RFC7817].  Once the TLS session is established, Message Submission protocol data [RFC6409] is exchanged as TLS application data for the remainder of the TCP connection.


-- 
Get in there you big furry oaf! I don't care what you smell!
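For the client side of the two ports being argued about, here is an added Postfix example; it is not configuration posted by anyone in this thread. It shows how a customer's MTA relays through a submission service with TLS mandatory on either port: on 587 the session starts in cleartext and is upgraded with STARTTLS, and `smtp_tls_security_level = secure` makes Postfix defer the mail rather than fall back to cleartext if the STARTTLS offer is missing, which is the downgrade worry behind the "587 is vulnerable to MITM" remark; on 465 the TLS handshake is the first thing on the wire, which Postfix selects with `smtp_tls_wrappermode` (available in Postfix 3.0 and later). The smarthost name, the CA bundle and the credential file path are assumptions.

```conf
# ---- main.cf on a customer MTA (added example; hostname and paths are assumptions) ----

# Option A: port 587, "submission" (RFC 6409). Cleartext banner, then STARTTLS.
relayhost = [smarthost.example.net]:587

# Option B: port 465, "submissions" (RFC 8314). The TLS handshake begins immediately.
# To use it, comment out the relayhost line above and uncomment these two lines.
#relayhost = [smarthost.example.net]:465
#smtp_tls_wrappermode = yes

# Either way TLS is mandatory, and the server certificate must chain to a trusted CA
# and match the relayhost name. If a middlebox strips the STARTTLS offer on 587,
# Postfix defers the mail; it never silently continues in cleartext.
smtp_tls_security_level = secure
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_loglevel = 1

# Authenticate to the smarthost. Credentials live in a hash map, not in main.cf.
# /etc/postfix/sasl_passwd holds one line (use :465 for option B):
#   [smarthost.example.net]:587 username:password
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
```

Run `postmap /etc/postfix/sasl_passwd` after editing the credentials file and `postfix reload` afterwards. With `smtp_tls_loglevel = 1` Postfix logs one line per outbound connection saying whether TLS was established and which cipher was used, which is the check that the policy is actually in force rather than assumed.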



Re: Filtering at border routers: Is it possible?

Posted by Rupert Gallagher <ru...@protonmail.com>.
I agree with Benny on port 25.

I disagree with Kevin on port 587, because it is vulnerable to mitm attacks.

I was royally pissed when they introduced port 587 and deprecated port 465. Port 587 is an RFC mandated security loophole. Port 465 is golden.

On Sat, Mar 23, 2019 at 03:01, Kevin A. McGrail <km...@apache.org> wrote:

> On 3/22/2019 9:44 PM, Noel Butler wrote:
>
>> On 23/03/2019 05:54, Benny Pedersen wrote:
>>
>>> don't relay mail from port 25, mail there is final recipient only, not forwarded
>>
>> you have not been taking your medication again Benny
>
> Noel, please.  The personal attacks aren't in keeping with our code of conduct.  Please don't email them to the list.
>
> IMO and I believe the RFCs back me up, Port 25 should only be used for local recipients.  Port 587, submissions would be appropriate for submissions requiring other delivery methods and should be protected with SMTP AUTH, for example.  That would certainly be best practice, well supported and easy to add TLS to address.
>
> Getting back to the original question: Yes, you can scan outbound mail for spam and block it.  There are a number of ways to do that.  We also do a LOT with MIMEDefang, LDAP & IPTables, & Access files to extend the edge of the network to the board to avoid backscatter, DDoS attacks, etc.  I've published a lot of stuff about this before and happy to give pointers again.
>
> But in short, set up an SMTP host that allows relay by IP from all your servers behind it and set those servers to use the SMTP host as a smarthost.  On the smarthost, you can use amavisd-new and drop/redir mail that is considered spam.  More complex solutions are available with alerting, rate limiting, etc.
>
> Regards,
>
> KAM
>
> --
> Kevin A. McGrail
> Member, Apache Software Foundation
> Chair Emeritus Apache SpamAssassin Project
> https://www.linkedin.com/in/kmcgrail
> - 703.798.0171

Re: Filtering at border routers: Is it possible?

Posted by Grant Taylor <gt...@tnetconsulting.net>.
On 3/22/19 8:01 PM, Kevin A. McGrail wrote:
> Noel, please.  The personal attacks aren't in keeping with our code of 
> conduct.  Please don't email them to the list.

+1

Let's keep things professional.

> IMO and I believe the RFCs back me up, Port 25 should only be used for 
> local recipients.  Port 587, submissions would be appropriate for 
> submissions requiring other delivery methods and should be protected 
> with SMTP AUTH, for example.  That would certainly be best practice, 
> well supported and easy to add TLS to address.

I agree in spirit.  But I know that port 25 is used for a lot more than 
just local delivery.  Various forms of mail routing come to mind.  To 
the best of my knowledge, all the ESPs that offer ingress filtering 
receive email on port 25 and send it to clients' private email servers on 
port 25 too.  Then there are self-hosted scanning appliances 
that do the same thing.

> Getting back to the original question: Yes, you can scan outbound mail 
> for spam and block it.  There are a number of ways to do that.  We also 
> do a LOT with MIMEDefang, LDAP & IPTables, & Access files to extend the 
> edge of the network to the board to avoid backscatter, DDoS attacks, 
> etc.  I've published a lot of stuff about this before and happy to give 
> pointers again.

Yes, it is possible to do.  But if the OP is running a co-location 
facility and offering connectivity for clients to host their own servers 
on the Internet, I think s/he should NOT be interfering with their SMTP 
flows.

> But in short, set up an SMTP host that allows relay by IP from all your 
> servers behind it and set those servers to use the SMTP host as a 
> smarthost.  On the smarthost, you can use amavisd-new and drop/redir 
> mail that is considered spam.  More complex solutions are available with 
> alerting, rate limiting, etc.

I think this type of configuration is great when all of the servers are 
under one company / administration.  I.e. enterprise, university, what 
have you.  But I don't think this is proper for a Co-Lo facility.

I am willing to accept a default block that has an easy process to 
remove the block.  Anything else and I'd take my business elsewhere.

If the OP is running a Co-Lo facility, I would advise SWIP and / or RWHOIS.



-- 
Grant. . . .
unix || die


Re: Filtering at border routers: Is it possible?

Posted by "Kevin A. McGrail" <km...@apache.org>.
On 3/22/2019 9:44 PM, Noel Butler wrote:
> On 23/03/2019 05:54, Benny Pedersen wrote:
>
>> don't relay mail from port 25, mail there is final recipient only,
>> not forwarded
>
> you have not been taking your medication again Benny
Noel, please.  The personal attacks aren't in keeping with our code of
conduct.  Please don't email them to the list.

IMO and I believe the RFCs back me up, Port 25 should only be used for
local recipients.  Port 587, submissions would be appropriate for
submissions requiring other delivery methods and should be protected
with SMTP AUTH, for example.  That would certainly be best practice,
well supported and easy to add TLS to address.

Getting back to the original question: Yes, you can scan outbound mail
for spam and block it.  There are a number of ways to do that.  We also
do a LOT with MIMEDefang, LDAP & IPTables, & Access files to extend the
edge of the network to the board to avoid backscatter, DDoS attacks,
etc.  I've published a lot of stuff about this before and happy to give
pointers again. 

But in short, set up an SMTP host that allows relay by IP from all your
servers behind it and set those servers to use the SMTP host as a
smarthost.  On the smarthost, you can use amavisd-new and drop/redir
mail that is considered spam.  More complex solutions are available with
alerting, rate limiting, etc.

Regards,

KAM


-- 
Kevin A. McGrail
Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171


Re: Filtering at border routers: Is it possible?

Posted by Noel Butler <no...@ausics.net>.
On 23/03/2019 05:54, Benny Pedersen wrote:

> don't relay mail from port 25, mail there is final recipient only, not forwarded

you have not been taking your medication again Benny

-- 
Kind Regards, 

Noel Butler 


Re: Filtering at border routers: Is it possible?

Posted by Grant Taylor <gt...@tnetconsulting.net>.
On 3/22/19 1:54 PM, Benny Pedersen wrote:
> don't relay mail from port 25,

What do you mean by that?

Are you talking about the TCP connection originating from port 25?  Or 
something else?

Also, why not?

> mail there is final recipient only, not forwarded

I disagree.

I see people forward old university email (comes into university system 
on port 25) to somewhere else (again port 25), which is then forwarded a 
2nd time to the final destination (again port 25).

> ask customers to use port 587 or 465 as common practice

Yes, a common practice.  But far from a requirement.



-- 
Grant. . . .
unix || die


Re: Filtering at border routers: Is it possible?

Posted by Benny Pedersen <me...@junc.eu>.
Anthony Hoppe wrote on 2019-03-22 18:23:
> Not knowing the details of your environment...
> 
> Instead of taking on the job of filtering email for all of your
> clients (this, to me, will open up a can of worms), why not set a
> policy that port 25 is blocked by default and customers must request
> for it to be unblocked?

don't relay mail from port 25, mail there is final recipient only, not 
forwarded

> You can then build a list of who may be using your services to send
> mail and better track if/when undesirable mail is sent from your
> network?

ask customers to use port 587 or 465 as common practice

but do require sasl auth on these ports, reject all else

sadly I see MTAs try to use 587 and 465; I'd like to know which book they 
read
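Putting Kevin's smarthost suggestion (relay by IP from the servers behind it, hand every message to amavisd-new) together with Benny's port policy (SASL required on 587 and 465, everything else rejected), here is an added Postfix configuration example. It is not configuration from anyone in this thread. The hostname, the address ranges in `mynetworks`, the certificate paths and the Dovecot SASL socket are assumptions, and amavisd-new is assumed to listen on its default port 10024 and to hand filtered mail back on 10025. Because relaying is decided by source IP, the smarthost does not need to know which domains the customers host, which was the original poster's constraint.

```conf
# ---- main.cf on the smarthost (added example; names and ranges are assumptions) ----
myhostname = smarthost.example.net

# "Relay by IP": only the datacenter's own ranges (assumed values) may relay on port 25.
mynetworks = 127.0.0.0/8, 203.0.113.0/24, 198.51.100.0/24

# Port 25: mail for local domains, or relaying from mynetworks. Everything else is rejected.
smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination

# Every accepted message is handed to amavisd-new, which runs SpamAssassin on it.
content_filter = smtp-amavis:[127.0.0.1]:10024

# TLS and SASL material used by the 587/465 services defined in master.cf.
smtpd_tls_cert_file = /etc/ssl/certs/smarthost.pem
smtpd_tls_key_file = /etc/ssl/private/smarthost.key
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
# SASL stays off on port 25; it is switched on per service below.
smtpd_sasl_auth_enable = no

# ---- master.cf on the smarthost (added example) ----
# service     type  private unpriv chroot wakeup maxproc command
smtp          inet  n       -      y      -      -       smtpd
# Port 587: STARTTLS is mandatory before AUTH, and only authenticated clients may relay.
submission    inet  n       -      y      -      -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# Port 465: TLS starts immediately (wrapper mode, RFC 8314 "submissions"); same auth policy.
smtps         inet  n       -      y      -      -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# Outbound leg towards amavisd-new.
smtp-amavis   unix  -       -      n      -      2       smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
  -o disable_dns_lookups=yes
# Re-injection listener that amavisd-new delivers filtered mail back to; no second scan.
127.0.0.1:10025 inet n      -      n      -      -       smtpd
  -o content_filter=
  -o mynetworks=127.0.0.0/8
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_relay_restrictions=permit_mynetworks,reject_unauth_destination
```

On the amavisd-new side, `$final_spam_destiny = D_DISCARD` in amavisd.conf drops mail scored as spam instead of passing it on (D_BOUNCE would produce exactly the backscatter Kevin mentions avoiding), and `@mynetworks` there should list the same ranges so amavisd treats the traffic as originating mail. After `postfix reload`, the `postfix/submission` and `postfix/smtps` syslog names make it easy to count unauthenticated relay attempts per customer address, which is the list Anthony suggested building.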

Re: Filtering at border routers: Is it possible?

Posted by Anthony Hoppe <ah...@sjcourts.org>.
Not knowing the details of your environment... 

Instead of taking on the job of filtering email for all of your clients (this, to me, will open up a can of worms), why not set a policy that port 25 is blocked by default and customers must request for it to be unblocked? 

You can then build a list of who may be using your services to send mail and better track if/when undesirable mail is sent from your network? 

Just a thought. 

~ Anthony 

> From: "Bruno Carvalho" <br...@xervers.pt>
> To: "SpamAssassin" <us...@spamassassin.apache.org>
> Sent: Friday, March 22, 2019 9:59:56 AM
> Subject: Filtering at border routers: Is it possible?

> Hello Folks.

> I've just joined this list, I didn't read all rules yet (just some), so bear
> with me if my question is misplaced.

> I own a small datacenter with 4 uplinks. And I received complaints that some of
> my clients are using my services for sending spam.
> I wanted to know if it is possible to set up spamassassin on a VPS or something
> and have the port 25 redirected to it from border routers.

> Important note: I don't know what domains are hosted inside my network.

> What I know is that 98% of the spam sent is using port 25.

> So, if someone knows a way to filter the mail traffic and block outbound spam, I
> will be thankful.

> Regards
> --



> Bruno Carvalho (CEO xervers) | +41 79 884 00 44
> Please consider the environment before printing this email
> https://www.xervers.pt/
> https://www.facebook.com/xervers/
> https://twitter.com/xervers