[AusNOG] SMTP Submission port 587 discussion / request
Stephen Gillies
max at 3rdbasenetworks.net.au
Thu Aug 19 14:44:56 EST 2010
Dear service providers and network people!
I'm a Security Consultant specialising in the ISP and content provider
market. I'm currently consulting to a large broadband provider with the
view to addressing subscriber originating SPAM due to malware infections.
During this engagement I've noticed the Australian ISP industry has a
varying attitude to SMTP submission TCP port 587.
Port 25 outgoing connections, block or not?
===========================================
It is common practice for Australian ISPs to block outgoing port 25
connections. Currently, to address the need for subscribers with
multiple ISP email accounts to send email from an off-network email
address, all Australian broadband providers offer SMTP mail relay services.
The methodology supporting the blocking of port 25 is to limit the
ability for subscriber PCs infected with malware to send SPAM.
Upholding this view, the Internet Industry Association of Australia
(iia.net.au) provides the following Best Practice statement:
"Where technically and commercially viable, operators of equipment (such
as LNS or RAS hosts) which terminates user sessions with dynamically
allocated addresses MUST cause such sessions' outgoing connections to
be dropped where they are attempting to contact a remote host on TCP
port 25."
So blocking outgoing 25 is good, how do off-network users send email?
====================================================================
Internationally, the implementation of SMTP submission TCP port 587 is
widespread, and many blacklist maintainers suggest ISPs use SMTP
submission(1).
A number of ISPs offer port 587 SMTP submission access, compliant with
RFC2476 and compatible with most (if not all) mail servers. ISPs
confirmed to support RFC2476 include iiNet, TPG, Westnet and almost all
web mail and freemail providers (Google, Yahoo!, etc).
Finally, compliance with RFC2476 is generally accepted as Best Practice,
documented by the Messaging Anti-Abuse Working Group(2). That's MAAWG
for short. ;)
A request to all Australian ISPs
================================
I'd like to suggest the implementation of RFC2476 across all Australian
broadband networks so as to provide end user subscribers the option of
using SMTP submission via TCP port 587.
This change would enable subscribers to use one setting for outgoing
SMTP connectivity regardless of their network location.
But what do I get out of that as an ISP?
========================================
As of December 2009 over 72% of Australian households report access to
the Internet. Mobile wireless via USB modem is the fastest growing
Internet connection technology, showing a 40% increase in December 2009
from June 2009 in Australia (ABS report, Dec 2009).
Australian ISP users are going mobile and when they do their ability to
send email using Microsoft Outlook is impacted by port 25 being blocked
by their secondary provider. Mobile devices running Apple iOS and mobile
devices running Android all support RFC2476.
In many cases blocking port 25 results in a call to Customer
Service/Support firstly for the secondary provider, and often to the
primary provider as well with the user complaining about an inability to
send email.
In the worst case the subscriber churns to a single provider who can
offer both mobile and fixed line services with the one email setting.
As the most popular email clients (i.e., Outlook) support only one
outgoing SMTP server, the recommendation to enable outgoing SMTP
Authentication and change the outgoing submission from Port 25 to Port
587 results in (at worst) a single support call and (hopefully) happy
customers who do not need to change their email client settings once
activated.
Google and Yahoo! have recognised this benefit, and provide
authenticated outgoing submission on TCP port 587 as their standard
email configurations(3).
Sounds like a HUGE change, what impact does it have on my network?
==================================================================
For most mail servers it's a simple task of uncommenting the submission
port in the configuration file. In postfix it's the
/etc/postfix/master.cf file.
Combined with a firewall rule to allow incoming TCP port 587 and a load
balancing rule (for some) there is no other impact on your mail
infrastructure.
OK, I'll do it. Now what?
=========================
Change your email FAQ and let me know you're now providing SMTP
submission access for off-network subscribers; I'll start tracking
Australian RFC2476 compliant ISP providers. I'll also commit to
delivering a paper on the topic at a future relevant conference.
Comments?
regards
Stephen 'max' Gillies
3rd Base Networks - ISP Security Consultancy and Advisory
max at 3rdbasenetworks.net.au
(1) http://www.spamhaus.org/faq/answers.lasso?section=isp%20spam%20issues
(1a) http://www.uceprotect.net/en/index.php?m=4&s=0
(2) http://www.maawg.org/system/files/news/MAAWG_Port25rec0511.pdf
(3) http://mail.google.com/support/bin/answer.py?hl=en&answer=13287
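
The master.cf change described in the post (uncommenting the submission service in Postfix), as an added example that is not part of the original post or of Postfix: a small audit that parses a master.cf and checks that the port 587 service is enabled and restricted to authenticated clients. The sample stanza is constructed, the function names are hypothetical, and the check only sees `-o` overrides in master.cf (values set in main.cf are not considered); the TLS check is an addition beyond what the post discusses.

```python
# Constructed sample: master.cf excerpt with the submission stanza uncommented.
SAMPLE_MASTER_CF = """\
smtp       inet  n  -  n  -  -  smtpd
#smtps     inet  n  -  n  -  -  smtpd
submission inet  n  -  n  -  -  smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""

def logical_lines(text):
    """Drop comment/blank lines and join continuation lines (leading whitespace)."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.strip())
    return lines

def submission_overrides(text):
    """Return the -o overrides of the port 587 inet service, or None if absent."""
    for line in logical_lines(text):
        f = line.split()  # service type private unpriv chroot wakeup maxproc command args...
        if len(f) >= 8 and f[1] == "inet" and f[0].rsplit(":", 1)[-1] in ("submission", "587"):
            args = f[8:]
            pairs = [args[i + 1] for i in range(len(args) - 1) if args[i] == "-o"]
            return dict(p.split("=", 1) for p in pairs if "=" in p)
    return None

def audit_submission(text):
    """List findings for the submission service; an empty list means none."""
    opts = submission_overrides(text)
    if opts is None:
        return ["submission service (TCP 587) is not enabled"]
    findings = []
    if opts.get("smtpd_sasl_auth_enable") != "yes":
        findings.append("SMTP AUTH is not enabled on the submission service")
    if opts.get("smtpd_tls_security_level") != "encrypt":
        findings.append("STARTTLS is not mandatory, so credentials may cross the network in clear")
    auth_only = any(
        k.endswith("_restrictions") and "permit_sasl_authenticated" in v.split(",")
        and v.split(",")[-1] == "reject" for k, v in opts.items())
    if not auth_only:
        findings.append("no restriction list rejects unauthenticated clients")
    return findings

if __name__ == "__main__":
    print(audit_submission(SAMPLE_MASTER_CF) or "submission stanza looks sound")
```

If the `submission` line itself is left commented while its `-o` lines are uncommented, Postfix attaches those overrides to the preceding service; the audit reports that case as "not enabled".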