[asterisk-users] OT: fail2ban, spam and mail servers

Gordon Henderson gordon+asterisk at drogon.net
Tue Jul 13 06:55:45 CDT 2010


On Tue, 13 Jul 2010, Randy R wrote:

> On Tue, Jul 13, 2010 at 12:58 PM, A J Stiles
> <asterisk_list at earthshod.co.uk> wrote:
>> On Tuesday 13 Jul 2010, Randy R wrote:
>>> I was thinking of closing port 25 and using an alternate port (587?)
>>> setup if the spam service is able to connect to an alternate port.
>>> That way, the users can also change their configs to 587 and most
>>> spammers will be trying 25 which is closed.
>>
>> Can't you just insist on SMTP AUTH?  Or (crude but still just about usable)
>> require a POP3 connection before allowing an SMTP connection?
>
> The problem is that mail to legitimate users is being sent here
> although "here" is NOT the MX. On the other hand, when the users on
> the road try to connect to use the server to send on port 25, it needs
> to be open. I'm pretty sure closing 25 would kill the spam. But the
> users would need to connect to a port for SMTP.

Technically/pedantically, users ought to be connecting to port 587 to 
submit their email anyway, with port 25 being reserved for MTA to MTA 
communications, so block 25 for everyone but the MX relaying host and 
insist your users connect on port 587 to relay their outgoing email (with 
smtp-auth).

I'd assume that most MTAs listen on 587 these days (as well as 25) - it's 
been in the standards for quite a number of years now. (Introduced in 1998 
in RFC2476)

And I don't know about where you are, but where I am (UK) some ISPs are 
now blocking outbound SMTP connections on port 25, or force-proxying them 
via their own email servers, making the use of port 587 almost mandatory - 
BTretail and Orange, and I think AOL do, but there are probably others. 
However it's only a matter of time before they catch up and as soon as the 
spammers start to use that port, the ISPs will block them too.

Gordon
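
The port split described in the message above, as an added example that is not part of the original post: a shell function that emits an iptables-restore fragment admitting port 25 only from the MX relay and leaving 587 open for submission. The relay address 192.0.2.10, the chain name SMTP_IN and the function names are assumptions; SMTP AUTH on 587 has to be enforced in the MTA itself, which a packet filter cannot do.

```shell
#!/bin/sh
# Added example, not from the original post.
# MX_RELAY is a constructed documentation address (RFC 5737); replace it
# with the host that actually relays inbound mail to this server.
MX_RELAY="${MX_RELAY:-192.0.2.10}"

# Accept only a dotted-quad IPv4 address with every octet in 0..255, so a
# malformed or hostile value never reaches the generated ruleset.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print an iptables-restore fragment for the filter table:
#   port 25  -> MTA-to-MTA only, accepted solely from the MX relay
#   port 587 -> submission, open to roaming users (the MTA demands AUTH)
smtp_rules() {
    mx=$1
    valid_ipv4 "$mx" || { echo "invalid MX relay address: $mx" >&2; return 1; }
    cat <<EOF
*filter
:SMTP_IN - [0:0]
-A INPUT -p tcp -m multiport --dports 25,587 -j SMTP_IN
-A SMTP_IN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A SMTP_IN -p tcp --dport 25 -s $mx/32 -j ACCEPT
-A SMTP_IN -p tcp --dport 25 -j REJECT --reject-with tcp-reset
-A SMTP_IN -p tcp --dport 587 -j ACCEPT
COMMIT
EOF
}

# Emit the ruleset for the configured relay; nothing is loaded here.
smtp_rules "$MX_RELAY"
```

Pipe the output through `iptables-restore --noflush --test` to have it parsed without being committed, then drop `--test` to load it alongside the existing rules.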

