[asterisk-users] OT: fail2ban, spam and mail servers

Gordon Henderson gordon+asterisk at drogon.net
Tue Jul 13 07:45:20 CDT 2010


On Tue, 13 Jul 2010, Randy R wrote:

> Hi Gordon,
>
> On Tue, Jul 13, 2010 at 1:55 PM, Gordon Henderson
> <gordon+asterisk at drogon.net> wrote:
>
>> Technically/pedantically, users ought to be connecting to port 587 to submit
>> their email anyway, with port 25 being reserved for MTA to MTA
>> communications, so block 25 for everyone but the MX relaying host and insist
>> your users connect on port 587 to relay their outgoing email (with
>> smtp-auth)
>
> Yes. The only thing that is delicate here is the "insist" part, but
> they'll get over it. "Users" are customers.

Indeed - and with another 'hat' on, I run an ISP business, providing email 
and web hosting facilities to clients - and facing exactly the same 
issues. It's been (being) a struggle to get people to change their 
settings, but we're slowly getting there.

Because I have multiple servers, I can run both in parallel and am giving 
groups of customers cut-off dates for final migration based on the servers 
they're using to relay outbound email...

>> I'd assume that most MTAs listen on 587 these days (as well as 25) - it's
>> been in the standards for quite a number of years now. (Introduced in 1998
>> in RFC2476)
>
> Yes, if you have that port open. (we do)
>
>> And I don't know about where you are, but where I am (UK) some ISPs are now
>> blocking outbound SMTP connections on port 25, or force-proxying them via
>> their own email servers, making the use of port 587 almost mandatory -
>> BTretail and Orange, and I think AOL do, but there's probably others.
>> However it's only a matter of time before they catch up and as soon as the
>> spammers start to use that port, the ISPs will block them too.
>
> Yes, more and more providers do this.
>
> So (even before I read your message) I decided to limit port 25 access
> to the restricted IP set we know about. This will be an interesting 48
> hours or so while we see if the users are still using port 25 :-)

Good luck!

Gordon
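
Added example, not part of the original thread: one way to see which clients still connect on port 25 ahead of a cut-off, by reading firewall log lines and listing sources outside the allowed relay set, with a flag for those already seen on 587. The log lines, the `smtp-audit:` prefix, the addresses and the function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumption: the MX relaying hosts still allowed to reach port 25.
# Documentation address range, constructed for this example.
ALLOWED_25 = [ipaddress.ip_network("192.0.2.0/28")]

# Constructed sample in the key=value layout of the netfilter LOG target;
# the "smtp-audit:" prefix is a hypothetical --log-prefix value.
SAMPLE_LOG = """\
Jul 13 08:01:02 mx kernel: smtp-audit: IN=eth0 OUT= SRC=192.0.2.5 DST=203.0.113.10 PROTO=TCP SPT=41000 DPT=25 SYN
Jul 13 08:02:10 mx kernel: smtp-audit: IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.10 PROTO=TCP SPT=50211 DPT=25 SYN
Jul 13 08:02:55 mx kernel: smtp-audit: IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.10 PROTO=TCP SPT=50212 DPT=25 SYN
Jul 13 08:03:01 mx kernel: smtp-audit: IN=eth0 OUT= SRC=198.51.100.40 DST=203.0.113.10 PROTO=TCP SPT=33100 DPT=587 SYN
Jul 13 08:04:17 mx kernel: smtp-audit: IN=eth0 OUT= SRC=198.51.100.77 DST=203.0.113.10 PROTO=TCP SPT=44001 DPT=25 SYN
Jul 13 08:04:40 mx kernel: smtp-audit: IN=eth0 OUT= SRC=198.51.100.77 DST=203.0.113.10 PROTO=TCP SPT=44002 DPT=587 SYN
Jul 13 08:05:00 mx kernel: smtp-audit: IN=eth0 OUT= SRC=not-an-ip DST=203.0.113.10 PROTO=TCP SPT=1 DPT=25 SYN
Jul 13 08:05:30 mx kernel: smtp-audit: IN=eth0 OUT= SRC=198.51.100.90 DST=203.0.113.10 PROTO=UDP SPT=5060 DPT=25
"""

FIELD = re.compile(r"\b(SRC|DPT|PROTO)=(\S+)")

def parse(line):
    """Return (source address, destination port) for a TCP line, else None."""
    f = dict(FIELD.findall(line))
    if f.get("PROTO") != "TCP":
        return None
    try:
        return ipaddress.ip_address(f["SRC"]), int(f["DPT"])
    except (KeyError, ValueError):  # missing or malformed field
        return None

def port25_stragglers(log_text, allowed=ALLOWED_25):
    """List (ip, port-25 hits, also seen on 587) for non-relay clients."""
    on_25, on_587 = Counter(), set()
    for rec in filter(None, map(parse, log_text.splitlines())):
        src, dpt = rec
        if dpt == 587:
            on_587.add(src)
        elif dpt == 25 and not any(src in net for net in allowed):
            on_25[src] += 1
    ranked = sorted(on_25.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(str(ip), hits, ip in on_587) for ip, hits in ranked]

if __name__ == "__main__":
    for ip, hits, migrating in port25_stragglers(SAMPLE_LOG):
        print(ip, hits, "also uses 587" if migrating else "port 25 only")
```

A source seen on both ports is probably part-way through changing its settings; one seen only on 25 is what the port 25 restriction would cut off.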


