[Info-vax] SMTP server using port 587 outgoing?
Stephen Hoffman
seaohveh at hoffmanlabs.invalid
Thu Sep 11 19:27:24 EDT 2014
On 2014-09-11 22:30:34 +0000, David Froble said:
> Stephen Hoffman wrote:
>>
>> You're about the billionth person to discover that trying to run a mail
>> server on a dynamic IP
>
> Ok, I'm curious. I didn't see anything that mentioned a dynamic IP
> service. Possible I wouldn't recognize it if I saw it ....
>
> How did you determine that he was using a dynamic IP service?

In aggregate, trouble with a mail server, encountering ISP port blocks,
and being forced over to the TCP port 587 submission port by ISP
requirements, which strongly implies dynamic IP.

ISPs place port blocks on TCP port 25 outbound (and often also TCP 25
inbound) across their dynamic IP address pools as a way to contain spam
engines.

ISPs can also add their dynamic IP address pools into the policy block
lists, which causes many mail servers to reject mail to or from those
pools.

ISPs usually don't place port blocks on static IP, or they're amenable
to removing those port blocks upon request — which means that questions
involving static IP service tiers usually don't get posted.

This also serves to differentiate the static tier of service from the
dynamic tier, but that's fodder for another discussion.

For folks with private networks and firewalls, your own network
firewall should do the same thing as this ISP is doing, BTW. Program
the firewall to squawk if a "new" mail server lights up somewhere on
your network; if anything tries to connect from TCP port 25 outbound.
Also block inbound connections to all but designated mail servers. It's
usually best to block non-encrypted POP (TCP 143) and IMAP (TCP 110)
traffic at the firewall, too. (This'll block all but local access to a
VMS mail server with TCP/IP Services, as there's no secure option.)

There's a reasonable chance that the local DNS is misconfigured, too;
public and private DNS should be verified. But then VMS tends to be
blind to bad DNS — systems that make use of secure protocols tend to
get cranky about bad DNS. Other operating systems are much less
forgiving about invalid DNS in general. The settings used within many
of the SMTP servers will also detect bad DNS configurations;
SpamAssassin and other SMTP-related filtering tools can and variously
do use DNS as a diagnostic to identify and reduce the volume of spam.

Some related reading:

SMTP and dynamic IP: <http://labs.hoffmanlabs.com/node/1541>
Dynamic DNS: <http://labs.hoffmanlabs.com/node/1711>
Static and Dynamic IP: <http://labs.hoffmanlabs.com/node/1875>

--
Pure Personal Opinion | HoffmanLabs LLC
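
The firewall check described in the message above (flag port 25 traffic that bypasses the designated mail servers), as an added example that is not part of the original post. The local network range, the designated server address and the netfilter-style log lines are all constructed assumptions.

```python
import ipaddress
import re

# Assumptions for this example (not from the original post):
LOCAL_NET = ipaddress.ip_network("10.0.0.0/24")
DESIGNATED_MAIL_SERVERS = {ipaddress.ip_address("10.0.0.25")}
SMTP_PORT = 25

# Constructed sample lines in netfilter LOG style (key=value fields).
SAMPLE_LOG = """\
Sep 11 19:01:02 fw kernel: IN=lan0 OUT=wan0 SRC=10.0.0.25 DST=203.0.113.9 PROTO=TCP SPT=40122 DPT=25 SYN
Sep 11 19:01:07 fw kernel: IN=lan0 OUT=wan0 SRC=10.0.0.77 DST=198.51.100.4 PROTO=TCP SPT=51514 DPT=25 SYN
Sep 11 19:02:11 fw kernel: IN=wan0 OUT=lan0 SRC=198.51.100.80 DST=10.0.0.25 PROTO=TCP SPT=33010 DPT=25 SYN
Sep 11 19:02:40 fw kernel: IN=wan0 OUT=lan0 SRC=198.51.100.80 DST=10.0.0.77 PROTO=TCP SPT=33011 DPT=25 SYN
Sep 11 19:03:05 fw kernel: IN=lan0 OUT=wan0 SRC=10.0.0.77 DST=203.0.113.9 PROTO=TCP SPT=51600 DPT=587 SYN
Sep 11 19:03:30 fw kernel: IN=lan0 OUT=wan0 SRC=10.0.0.77 DST=192.0.2.53 PROTO=UDP SPT=5353 DPT=53
Sep 11 19:04:00 fw kernel: truncated line with no fields
"""

FIELD = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Return (proto, src, dst, dport) for one log line, or None if unusable."""
    f = dict(FIELD.findall(line))
    try:
        return (f["PROTO"], ipaddress.ip_address(f["SRC"]),
                ipaddress.ip_address(f["DST"]), int(f["DPT"]))
    except (KeyError, ValueError):
        return None

def smtp_violations(log_text):
    """List (kind, local_host, remote_host) for TCP 25 flows that bypass the designated servers."""
    findings = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec[0] != "TCP" or rec[3] != SMTP_PORT:
            continue
        _, src, dst, _ = rec
        if src in LOCAL_NET and dst not in LOCAL_NET and src not in DESIGNATED_MAIL_SERVERS:
            findings.append(("outbound-smtp-from-non-mail-host", str(src), str(dst)))
        elif dst in LOCAL_NET and src not in LOCAL_NET and dst not in DESIGNATED_MAIL_SERVERS:
            findings.append(("inbound-smtp-to-non-mail-host", str(dst), str(src)))
    return findings

if __name__ == "__main__":
    for finding in smtp_violations(SAMPLE_LOG):
        print(*finding)
```

Port 587 submission traffic and flows to or from the designated server are not reported; only the two port 25 flows involving the non-designated host are.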