Re: Workarounds for blocked port 25 on outgoing e-mail
From: Cody Baker (cody_at_wilkshire.net)
Date: 08/20/05
- Previous message: Logan: "Re: Workarounds for blocked port 25 on outgoing e-mail"
- In reply to: Logan: "Re: Workarounds for blocked port 25 on outgoing e-mail"
- Next in thread: Roman Volf: "Re: Workarounds for blocked port 25 on outgoing e-mail"
- Reply: Roman Volf: "Re: Workarounds for blocked port 25 on outgoing e-mail"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Sat, 20 Aug 2005 02:03:39 -0400 To: Logan <lashby@gmail.com>
What Logan wrote was mostly true, port 587 is the recommended way of
doing it, and SSL (TLS) is a recommended option for just about
everything. Another, albeit far less popular, and much less supported
option is to use IMAP to send mail. Courier-IMAP (I'm not sure about
the others) has an option where messages placed in a special Outbox
folder are automatically send by sendmail running locally on that
server. This eliminates the issue of SMTP relaying entirely.
The other challenge Logan touched on is verifying that your users are in
fact allowed to be sending mail through your server. It may seem like
common sense that you can't relay email through company xyz.net's SMTP
server, but there's a couple things enforcing that.
The most common way of authenticating customers is based upon their IP.
If company xyz.net owns 111.222.333.x/24 then they simply allow relaying
for any client inside that subnet. By this logic you could send a
message from MyPersonalDomainHostedElsewhereOnTheNet.com through your
broadband/dialup ISP's (xyz.net) email server and it would work. This is
what Logan was suggesting in his last line there. UNFORTUNATELY there's
a new kink in that plan. Sender Policy Framework (SPF) is designed
specifically to detect and stop this kind of "forgery". It's a good
standard and it's starting to become popular. Because of SPF there's
rapidly increasing likelihood that your messages would be marked as spam
and deleted if you followed this advice. Also some MTA's notably qmail,
won't allow you to relay a message through if the From: field is not
listed as an address local to that server.
To send a message from MyPersonalDomainHostedElsewhereOnTheNet.com using
MyPersonalDomainHostedElsewhereOnTheNet.com's SMTP Relay server you
could authenticate the client in several ways:
The easiest is mentioned above, if you're always at a particular IP then
add it to the allow list and be done with it.
Logan mentioned SASL ( http://asg.web.cmu.edu/sasl/ ), which while it
would seem like a possibility is by no means the most popular method.
SMTP-Auth is supported by all major email clients, (Outlook, Outlook
Express, Mac Mail, Thunderbird, etc..), most MTA's (qmail, sendmail,
etc.) and is the standard way of coping with this problem.
The forth option, commonly called "SMTP after POP/IMAP" is a bit more of
a hack in my opinion, but requires no additional configuration on the
users end (excluding your change of port for users blocked by this
nonsense). The idea with SMTP after POP is that most mail clients check
for messages before sending a message. When a user successfully
authenticates with your POP3 server, their IP is added to a database
which lists valid email sources. The IP typically stays in the database
for 24 hours or so. This is somewhat popular in the qmail/vpopmail
world, although I believe there was a few sendmail folk doing it as well.
We use defined subnets, SMTP-AUTH, and a variation of option four which
couples the auth database with our Radius server. All 3 co-exist
peacefully on the same SMTP relay server. If you have any questions
about that specific implemention write back to cody@wilkshire.net and
I'd be happy to help. It was my experience that sendmail built in to
the base of FreeBSD isn't exactly ideal for these situations as it
generally means coupling a few programs/scripts together and sendmail
doesn't always play nice with this in its role as part of base. Also
said, the ports system really shows its limits when you try to add
options like SMTP-AUTH because matching an auth database, a qmail-smtpd
patch, and a mess changes to startup scripts, etc.. isn't something
ports will likely ever be able to just configure turn key, out of the box.
Thank You,
Cody Baker
cody@wilkshire.net
Logan wrote:
>On 8/19/05, Jay Banks <jay.quest4@gmail.com> wrote:
>
>
>>I have sendmail and popa3d up and running. Is there any way a person could
>>offer mail service to people on ISPs that block port 25 outbound from their
>>networks?
>>
>>
>
>Many people do. Most use the mail submission port, 587. Typically,
>authentication (to ensure that only their customers are relaying
>through their servers), is handled via SASL, with SSL usually thrown
>in the mix to keep from passing the auth info in plaintext.
>
>
>
>> I have seen solutions that use different ports, but I'm not sure
>>about doing this with what I have setup on FreeBSD.
>>
>>
>
>All the software you should need is in ports.
>
>
>
>>I bet everyone starting to block port 25 outside of their own networks
>>really put the hurt on people offering POP3 accounts.
>>
>>
>
>POP3 access is a totally seperate issue. You can send mail through a
>completey different server and/or ISP than the one you use to download
>your mail. Your access provider should be able to handle outbound
>email for you with very little trouble. It's probably as easy as
>asking what they recommend as the outbound/smtp mailserver for you.
>
>
>
>>I know I can't send e-mail from my own mail server or the POP3 accounts that I pay
>>money for,
>>
>>
>
>If your email provider isn't offering some type of authenticated
>outbound service for you, I would seriously consider changing
>providers. It's quite simple, really. If you want to do it with a
>mail server that you host, configure it to smarthost through your
>provider's (email OR access) server.
>_______________________________________________
>freebsd-isp@freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-isp
>To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
>
>
_______________________________________________
freebsd-isp@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-isp
To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
- Previous message: Logan: "Re: Workarounds for blocked port 25 on outgoing e-mail"
- In reply to: Logan: "Re: Workarounds for blocked port 25 on outgoing e-mail"
- Next in thread: Roman Volf: "Re: Workarounds for blocked port 25 on outgoing e-mail"
- Reply: Roman Volf: "Re: Workarounds for blocked port 25 on outgoing e-mail"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Relevant Pages
|
|
