[Dshield] ISP's not blocking egress 25/tcp

James C. Slora Jr. Jim.Slora at phra.com
Sat Jan 24 13:08:33 GMT 2004


On Thu, 22 Jan 2004 16:51:59 +0100 Colin Simons wrote:

> ... spent some considerable time pinning it down to an outbound port 25
> block.

> Hopefully I will not be forced to give every travelling worker full VPN
> access simply to be able to transfer email!

One simple answer is to have your traveler set his mail client to use
the local ISP's SMTP server but use your own mail server for POP3. You can
probably set everything up identically to what you are using, but just
change the SMTP server - that way the mail is still "From" your domain even
though you are using someone else's outbound services.

If the local ISP requires SMTP authorization, configure that. If they check
"From" addresses on outbound mail and reject mismatches, there are
workarounds for this too - I don't recall the specifics, though.

The ISP's SMTP shouldn't cause any problems unless your user sends mail to
some rabid domain that rejects mail with a "from" address that does not
match the domain of the originating SMTP server. These exist but are rare
and IMO are so committed to living with false positives that they are
usually not worth worrying about. It may earn a couple of extra points in
someone's spam filtering system, but not enough to warrant a block except by
the zealots.

You could also set up a separate VPN that grants only SMTP/POP3 access.





