[unisog] Port 25 blocking - on the

Florian Weimer fw at deneb.enyo.de
Sat Apr 30 20:43:56 GMT 2005


> I guess I have to ask "what is the real goal of blocking port 25?" Consider 
> the following:
>
> 1. Is the real goal to block spam?
> 2. Is the real goal to prevent someone on your net from having their own
> mailer?
>
> I suspect the real goal is #1 but the consequence of implementing a block is 
> that #2 is impacted. I think a lot of thought on the implications of such a 
> policy has to be done.

#2 is only applicable if the user can't read documentation.  Nowadays,
most provider-independent mail servers offer submission on 587/TCP,
because AOL forced them to do so. 8-)

>>We block outbound port 25 connection requests from all but a short list of
>>known mail servers.
>
> Ouch. When we were hit with MyDoom and our central mail servers were clogged 
> for 60 hours, the only way to get email amongst CIRT members was by using good 
> ol' sendmail on individual workstations that did NOT connect to the clogged 
> central servers. A port block would have seriously impacted our response.

When you centralize your mail infrastructure, you definitely want to
split the incoming mail relays (that is, the externally visible MX
hosts) and your smarthosts.  As a result, you will be able to deliver
mail even if your smarthosts are swamped.  Two-way communication may
be impossible, though, and you are out of luck if your campus VoIP
infrastructure is bogged down as well. 8-(

In most cases, a CSIRT needs separate mail infrastructure anyway (for
virus filter exemption etc.).
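The policy discussed in this thread (drop outbound 25/TCP from everything except a short list of known mail servers, leave 587/TCP submission alone, and let an out-of-band CSIRT relay through by adding it to the list) is easy to get wrong at the edges, so here is a small model of it. This is an added example, not code from the original thread or from any product it mentions; the network 10.0.0.0/16, the server addresses and the flow records are constructed, and the "distinct destinations on port 25" fan-out count is an assumed spam-bot heuristic, not something the thread proposes.

```python
"""Model of an egress policy that blocks outbound 25/TCP except from known
mail servers.  Added example; all addresses and flow lines are constructed."""
from collections import defaultdict
import ipaddress

SMTP, SUBMISSION = 25, 587


class EgressPolicy:
    def __init__(self, internal_net, mail_servers):
        # mail_servers: the MX hosts, smarthosts and any CSIRT relay that
        # must still speak SMTP directly to the outside world.
        self.internal = ipaddress.ip_network(internal_net)
        self.mail_servers = {ipaddress.ip_address(a) for a in mail_servers}

    def decide(self, src, dport):
        """Return 'allow' or 'reject' for a connection from src to dport."""
        src = ipaddress.ip_address(src)
        if src not in self.internal:
            return "allow"          # assumption: only our own hosts are policed
        if dport == SMTP:
            return "allow" if src in self.mail_servers else "reject"
        return "allow"              # 587 (submission) and everything else untouched

    def iptables_rules(self, chain="FORWARD"):
        """Equivalent border-router rules (assumes all addresses are IPv4).
        REJECT with tcp-reset so misconfigured clients fail fast instead of
        hanging until a timeout."""
        rules = [
            f"iptables -A {chain} -s {srv} -p tcp --dport {SMTP} -j ACCEPT"
            for srv in sorted(self.mail_servers)
        ]
        rules.append(
            f"iptables -A {chain} -s {self.internal} -p tcp --dport {SMTP}"
            " -j REJECT --reject-with tcp-reset"
        )
        return rules


def parse_flow(line):
    """Constructed flow format: '<src> <dst> <dport>'."""
    src, dst, dport = line.split()
    return src, dst, int(dport)


def evaluate(policy, lines):
    """Apply the policy to flow records.  Returns the per-flow decisions and,
    for rejected flows, how many distinct destinations each host tried on
    port 25 (assumed heuristic: a workstation fanning out to many MXes looks
    like a spam bot rather than a misconfigured mailer)."""
    decisions = []
    fanout = defaultdict(set)
    for line in lines:
        src, dst, dport = parse_flow(line)
        d = policy.decide(src, dport)
        decisions.append((src, dst, dport, d))
        if d == "reject":
            fanout[src].add(dst)
    return decisions, {h: len(s) for h, s in fanout.items()}


# Constructed sample: 10.0.0.25 is the smarthost, 10.0.0.26 the CSIRT relay,
# 10.0.1.7 a workstation talking to three different MXes on port 25,
# 10.0.1.8 a workstation correctly using submission on 587.
SAMPLE_FLOWS = [
    "10.0.0.25 192.0.2.10 25",
    "10.0.0.25 192.0.2.11 25",
    "10.0.0.26 192.0.2.10 25",
    "10.0.1.7 192.0.2.10 25",
    "10.0.1.7 192.0.2.11 25",
    "10.0.1.7 192.0.2.12 25",
    "10.0.1.8 203.0.113.10 587",
]

if __name__ == "__main__":
    policy = EgressPolicy("10.0.0.0/16", ["10.0.0.25", "10.0.0.26"])
    for src, dst, dport, d in evaluate(policy, SAMPLE_FLOWS)[0]:
        print(f"{src} -> {dst}:{dport} {d}")
    print("\n".join(policy.iptables_rules()))
```

The point of the model is the one the thread makes: the block costs nothing for a user who submits on 587, and an incident-response relay keeps working as long as it is on the list, while a workstation that was spraying port 25 at many destinations is exactly what gets stopped.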

