From: Alexey Lobanov (A.Lobanov@cro-rct.ru)
Date: Wed Jan 30 2008 - 10:03:38 CST
Hi all.
30.01.2008 17:55, Terry Carmen writes:
> I've never seen a business that had more than a few employees that
> *didn't* block outbound port 25 from most workstations.
As a former ISP security officer, I'd seen a business with 50+
workstations and single NATting soapbox router allowing everything. They
were hunting for mail worms by disconnecting parts of their LAN and
asking me for SMTP port monitoring :-)
> When dealing ISPs, the terms are in the contract. They have no right to
> block anything not specifically mentioned.
In practice, they do it. Moreover, small-scale ISPs like to do a worse
thing: they intercept 25/tcp and route it to their own mailserver.
Breaking SMTP TLS and SMTP AUTH both effectively and silently.
Live example from one of my servers in Ukraine:
aal@obolon:~$ telnet gmail-smtp-in.l.google.com 25
Trying 72.14.221.114...
Connected to gmail-smtp-in.l.google.com.
220 sklo.kiev.ua mail server RIKO
quit
221 2.0.0 Bye
Connection closed by foreign host.
aal@obolon:~$ date
Wed Jan 30 17:49:22 EET 2008
The standard workarounds for travel warriors have also been known for many years:
smtps      inet  n       -       n       -       -       smtpd
    -o smtpd_tls_wrappermode=yes
    -o smtpd_sasl_auth_enable=yes
submission inet  n       -       n       -       -       smtpd
    -o smtpd_enforce_tls=yes
    -o smtpd_sasl_auth_enable=yes
I've never seen 465/tcp or 587/tcp blocked or intercepted.
Alexey
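A defender-side check for the kind of 25/tcp interception shown in the telnet session above, written as an added example that is not part of the original message. It reads the SMTP greeting from a chosen MX and flags a greeting whose hostname does not share the target's registrable domain; the target names and the two-label comparison are assumptions for this illustration, and the sample banners are the ones constructed from the post.

```python
import re
import socket

# Banners constructed from the post: the first is what the intercepting ISP
# relay answered, the second is what a direct Gmail MX greeting looks like.
INTERCEPTED_BANNER = "220 sklo.kiev.ua mail server RIKO"
DIRECT_BANNER = "220 mx.google.com ESMTP"


def parse_banner(line):
    """Return the hostname from an SMTP 220 greeting, or None for any other reply."""
    m = re.match(r"^220[ -](\S+)", line)
    return m.group(1) if m else None


def registrable_domain(hostname):
    """Last two DNS labels, lower-cased. Good enough for the hosts discussed
    here; it is a heuristic, not a public-suffix lookup (assumption)."""
    return ".".join(hostname.lower().rstrip(".").split(".")[-2:])


def looks_intercepted(target, banner):
    """True when the greeting does not come from the domain we connected to.

    A missing or non-220 greeting is also treated as suspicious, since a
    transparent relay may answer before the real MX is ever reached."""
    host = parse_banner(banner)
    if host is None:
        return True
    return registrable_domain(host) != registrable_domain(target)


def probe(target, port=25, timeout=5):
    """Connect to target:port, read the greeting, send QUIT and return the banner.
    This is the only function that touches the network."""
    with socket.create_connection((target, port), timeout=timeout) as s:
        banner = s.recv(1024).decode("ascii", "replace").strip()
        s.sendall(b"QUIT\r\n")
    return banner


if __name__ == "__main__":
    # Example run against a hypothetical MX; replace with the MX you are diagnosing.
    mx = "gmail-smtp-in.l.google.com"
    greeting = probe(mx)
    print(greeting)
    print("INTERCEPTED" if looks_intercepted(mx, greeting) else "direct")
```

Some legitimate MX hosts greet with a name from an outsourced filtering provider, so treat a mismatch as a prompt to compare results from an unfiltered network rather than as proof on its own.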