[unisog] Port 25 blocking - on the

Wyman Miles wm63 at cornell.edu
Fri Apr 29 18:18:00 GMT 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I went through this as mail admin at Rice.  The eventual plan, launched 
over my objections, was to run another SMTP instance on port 2525.  We 
required TLS and AUTH.

In my mind, providing a non-standard mail port is to knowingly circumvent 
the security policies of someone else's network.

If they'll pass 587/tcp, great.  Require TLS and AUTH and be happy.

If not, two roads present themselves.  Either use VPN or Web mail over 
HTTPS, depending on the demands and savvy of the user.

Many networks are even blocking VPN protocols, so that leaves Web mail.

If, for some strange reason, the remote network is hostile to HTTPS, do 
without mail.

Ethical questions aside, more and more security appliances can happily 
inspect the application layer at increasingly close to wire speed.  It's 
only a matter of time before rules change from "disallow 25/tcp" to 
"disallow e-mail".

Wy

--On Friday, April 29, 2005 11:44 AM -0400 Paul Ryan <pryan at rogers.wave.ca> wrote:

> Hi - I am doing a study on blocking port 25 outbound on our cable modems
> with the exceptions of approved mail servers. What techniques are used by
> the colleges/universities to workaround this - port 587,465,webmail etc ?
>
>
>
> best regards,
>
> Paul
>
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog
Wyman Miles
Senior Security Engineer
Cornell University, Ithaca, NY
(607) 255-8421
-----BEGIN PGP SIGNATURE-----
Version: Mulberry PGP Plugin v3.0
Comment: processed by Mulberry PGP Plugin

iQA/AwUBQnJ6WcRE6QfTb3V0EQLgtQCg5+b/ItDHU3i8JTGcWdMWTfQdPD4AoPky
v/qWJKyRJaMJ/z9uS2ge2XkK
=12Ja
-----END PGP SIGNATURE-----
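As an added illustration (not the author's configuration, and Postfix rather than whatever MTA Rice ran in 2005), the following master.cf fragment shows the setup the message describes: the standard submission service on 587/tcp plus a second smtpd instance on 2525/tcp, both refusing to accept anything from a client until it has negotiated TLS and authenticated. The option names are current Postfix ones (smtpd_tls_security_level needs Postfix 2.3 or later, smtpd_relay_restrictions 2.10 or later); it assumes main.cf already points smtpd_tls_cert_file/smtpd_tls_key_file at a certificate and that a SASL backend (Dovecot or Cyrus) is configured.

```conf
# /etc/postfix/master.cf fragment (added example, not from the original post)
#
# Policy for both listeners:
#   smtpd_tls_security_level=encrypt  - refuse to proceed in plaintext; the
#                                       client must STARTTLS first
#   smtpd_sasl_auth_enable=yes         - offer SASL AUTH ...
#   smtpd_tls_auth_only=yes            - ... but only advertise it inside TLS,
#                                       so passwords never cross the wire in
#                                       the clear
#   *_restrictions=permit_sasl_authenticated,reject
#                                      - relay only for authenticated users;
#                                        everyone else is rejected outright
#
# service  type  private unpriv chroot wakeup maxproc command + args
submission inet  n       -      n      -      -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

# The "another SMTP instance on port 2525" variant from the message: same
# policy, non-standard port, separate syslog_name so its logs can be told apart.
2525       inet  n       -      n      -      -       smtpd
  -o syslog_name=postfix/submission2525
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
```

The stock master.cf ships the submission entry commented out; uncomment it (or add it as above) and run `postfix reload`. Note that the comma-separated values after `-o` must not contain whitespace, since master.cf splits on it. A quick check of the result is to open a session with `openssl s_client -starttls smtp -connect host:587`, issue `EHLO test`, and confirm that AUTH is only listed after the TLS handshake and that a MAIL FROM/RCPT TO to an outside domain is rejected until you authenticate.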