cowboy | reply to en102 | Re: its about time
For probably 95% of users you are probably right. However, there is still a significant portion of the population (and I expect that number to grow) that is more or less completely screwed by the current state of affairs!
I've yet to see one of these guys do this the right way:
*) Open the submission port (587) and require AUTH+TLS on it. This port *MUST* be accessible from outside the ISP net!
*) Require authentication on intranet submission via port 25.
*) Do *NOT* require the ISP domain name on the envelope From:; it could be valid to require it on the header.
Now they have accurate accounting of who sent what, *AND* the user can send mail via the ISP from wherever they are.
If all the ISPs and companies did this, *THEN* it would be valid to block port 25 outbound, and possibly inbound. *THEN* it becomes feasible to implement SPF/DomainKeys/etc. But *NOT* before, because things are flatly B0RKED.
Without doing this properly, the ISPs are screwing with telecommuters, tech folk, etc.
For example, I regularly send mail from whatever box I'm on (work, home, laptop during travel) from any one of at least six different domains! Yes, I use my ISP as a smarthost at times, but at times I can't.
I couldn't even use my prior ISP (BellSouth) outside of their netblocks... and won't use my current one (DSL Extreme) from outside until they implement SSL and port 587. Wanna take bets on whether my company allows external mail? How about the volunteer work I do with a Linux distribution?
The only saving grace for me, is that my ISP allowed me to opt out of the port 25 block (in exchange for scanning, which I'm cool with - no open proxies) - so in a pinch I can always bounce mail through my home box to wherever I need it to go (via STARTTLS/AUTH on port 587, of course).
For the poor folk who have an ISP that requires certain domain names on their From: lines, even this is not an option.
-- Richard Nelson

macmouse
Well, if you already have a *nix box at home, you can forward the port via SSH.
It's not perfect (requires manual intervention) but it works quite well in a pinch.
ssh me@my.linux.box -L 2525:mail.isp.net:25    (smtp)
ssh me@my.linux.box -L 1110:mail.isp.net:110   (pop)
Then you point your email client at localhost (on the high-numbered port defined above).
BTW, I'm also pretty sure there is OpenSSH in the Cygwin package for Windows, so you can use that or some other "native" SSH client.

en102 | reply to cowboy
> Without doing this properly, the ISPs are screwing with telecommuters, tech folk, etc. For example, I regularly send mail from whatever box I'm on (work, home, laptop during travel) from any one of at least six different domains! Yes, I use my ISP as a smarthost at times, but at times I can't.
This is just another reason to have:
A) A business account, which would not restrict these ports (vs. standard!), and could allow you to run servers if you want
B) Web-based email
C) VPN to your email / business
> The only saving grace for me is that my ISP allowed me to opt out of the port 25 block (in exchange for scanning, which I'm cool with - no open proxies) - so in a pinch I can always bounce mail through my home box to wherever I need it to go (via STARTTLS/AUTH on port 587, of course).
I agree that ISPs could offer to allow port 25 in exchange for scanning. I have SBC, which requires authentication for sending email as well as receiving, and I for one do not mind. On a daily basis at work, my domains see between 2000 and 5000 spam messages a day, and those are the ones that don't get rejected due to fake domains, etc. It's a waste of bandwidth and resources. I agree that this will not stop everything, as spam is big business.

cowboy | reply to macmouse
hehe, BTDT, I now use OpenVPN on Linux and Windows - works great!
-- Richard Nelson

cowboy | reply to en102
> This is just another reason to have:
> A) A business account, which would not restrict these ports (vs. standard!), and could allow you to run servers if you want
> B) Web-based email
> C) VPN to your email / business
No... you're missing the point...
*) I am not a business.
*) I have personal web-based mail, as does my ISP; my company and the groups I do volunteer work for DO NOT!
*) Some of the groups I volunteer for DO NOT have VPNs set up.
*) I have a VPN to work - unfortunately it is Windows only. There is a hack to do something similar on Linux, but it is *NOT* supported, and often broken.
If your answer is for me to become a business - upgrade my phone and DSL (usually both have to be done) to work around poorly planned and implemented filters by ISPs, and a lack of decent company support... then too much of your income comes from the ISP/telco side.
> I agree that ISPs could offer to allow port 25 in exchange for scanning. I have SBC, which requires authentication for sending email as well as receiving, and I for one do not mind.
Good for them! Do they also allow authenticated sending from outside their network?
> On a daily basis at work, my domains see between 2000 and 5000 spam messages a day, and those are the ones that don't get rejected due to fake domains, etc. It's a waste of bandwidth and resources. I agree that this will not stop everything, as spam is big business.
Right... so after filtering, we'll suffer through SPF, DomainKeys, etc., and each will fail to stop the problem. Remember, spam isn't SPF's selling point - it is forged senders... but all these break in subtle ways with forwarding, and/or have other issues.
And unfortunately, some of that money winds up in the ISPs' pockets... That's why netblocks (or the threat of same) used to be resorted to...
-- Richard Nelson

en102
> No... you're missing the point...
> *) I am not a business.
> *) I have personal web-based mail, as does my ISP; my company and the groups I do volunteer work for DO NOT!
> *) Some of the groups I volunteer for DO NOT have VPNs set up.
> *) I have a VPN to work - unfortunately it is Windows only. There is a hack to do something similar on Linux, but it is *NOT* supported, and often broken.
A) Get your company to get up to date, with either web-based access or VPN-based access. If they require you to access remotely, then they should be providing a reasonable/secure access method.
> If your answer is for me to become a business - upgrade my phone and DSL (usually both have to be done) to work around poorly planned and implemented filters by ISPs, and a lack of decent company support... then too much of your income comes from the ISP/telco side.
Work with your ISP; they might give you port 25 for no charge. I agree that there are still going to be holes in almost any fix, and blocking port 25 is only a band-aid on a much more serious problem.
> Good for them! Do they also allow authenticated sending from outside their network?
Yes!
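The submission setup cowboy lays out at the top of this thread (port 587, STARTTLS first, AUTH only once the session is encrypted, reachable from outside the ISP's netblocks) can be checked from the client side. The script below is an added example, not code from any poster in this thread: it reads the EHLO capabilities a server advertises before and after STARTTLS and flags one that does not offer STARTTLS, that offers AUTH in the clear, or that never offers AUTH at all. The hostname mail.isp.example and the two sample EHLO responses are constructed; the live probe() needs network access and is the part you would point at your own ISP from a laptop on someone else's network.

```python
"""Check an SMTP submission endpoint against the policy from the thread:
STARTTLS offered in the clear, AUTH offered only after the session is
encrypted. Added example; mail.isp.example and the EHLO samples are
constructed, not taken from any real ISP."""
import smtplib
import ssl
import sys

# Constructed EHLO responses as a well-behaved submission server would send
# them: no AUTH until STARTTLS has been negotiated.
SAMPLE_EHLO_BEFORE_TLS = [
    "250-mail.isp.example",
    "250-SIZE 10240000",
    "250-STARTTLS",
    "250 8BITMIME",
]
SAMPLE_EHLO_AFTER_TLS = [
    "250-mail.isp.example",
    "250-SIZE 10240000",
    "250-AUTH PLAIN LOGIN",
    "250 8BITMIME",
]


def parse_ehlo(lines):
    """Map each EHLO keyword (upper-cased) to its parameter string.

    Accepts raw wire lines ("250-STARTTLS") or lines already stripped of
    the reply code, as smtplib hands them back. The first line is the
    server's greeting and carries no capability, so it is skipped.
    """
    caps = {}
    for line in lines[1:]:
        body = line.strip()
        if body[:3].isdigit():          # drop "250-" or "250 "
            body = body[4:]
        if not body:
            continue
        keyword, _, params = body.partition(" ")
        caps[keyword.upper()] = params.strip()
    return caps


def evaluate_submission(before_tls, after_tls):
    """Apply the policy to the two capability sets.

    before_tls: capabilities from the EHLO sent in the clear.
    after_tls:  capabilities from the EHLO sent after STARTTLS, or None if
                STARTTLS was never negotiated.
    Returns (ok, findings); ok is True only when findings is empty.
    """
    findings = []
    if "STARTTLS" not in before_tls:
        findings.append("STARTTLS not advertised: submissions would travel in the clear")
    if "AUTH" in before_tls:
        findings.append("AUTH advertised before STARTTLS: credentials could be sent in plaintext")
    if after_tls is not None and "AUTH" not in after_tls:
        findings.append("AUTH not advertised after STARTTLS: relaying cannot be tied to an account")
    return (not findings), findings


def probe(host, port=587, timeout=10):
    """Live check against a real server (needs network; not exercised by the
    sample data). Gathers EHLO capabilities before and after STARTTLS."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        before = {k.upper(): v for k, v in smtp.esmtp_features.items()}
        after = None
        if "STARTTLS" in before:
            smtp.starttls(context=ssl.create_default_context())
            smtp.ehlo()  # capabilities must be re-read once encrypted
            after = {k.upper(): v for k, v in smtp.esmtp_features.items()}
    return evaluate_submission(before, after)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        ok, findings = probe(sys.argv[1])
    else:
        ok, findings = evaluate_submission(
            parse_ehlo(SAMPLE_EHLO_BEFORE_TLS), parse_ehlo(SAMPLE_EHLO_AFTER_TLS)
        )
    print("OK" if ok else "FAIL")
    for f in findings:
        print(" -", f)
```

Run it with no arguments to see the constructed sample pass, or with a hostname to probe a real server on 587. A connection that times out from outside the ISP's network is itself a finding against the first item on cowboy's list. The script only checks what the server advertises: a server can offer AUTH over TLS and still refuse logins or relaying from foreign netblocks, which is exactly the question cowboy puts to en102 about SBC and which only an actual authenticated submission will answer.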