From: Mark Goodge (markgood-stuff.co.uk)
Date: Tue May 13 2008 - 11:30:57 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Jorey Bump wrote:
> Lee Quince wrote, at 05/13/2008 11:48 AM:
>> O'well you all seem to miss the business side of it..
>>
>> Sometimes its not about what we want but what our customers ask for.!
>> i.e in this case a hotel.
>>
>> I agree not best practice, but when you have a screaming executive at
>> 3am on the support phone who cannot understand where the power button is
>> "i normally shut the lid" then you may understand..
>>
>> We will have 10,000 smtp redirect's of legitimate email everyday.. then
>> there will be the 4 users that have paid 500.00 for a room and they
>> cannot send email on the free wifi service. What is the smaller pain?
>>
>> As for the comment about who's protects the user? Well it would have to
>> be the box the laptop came in. Really is that our problem, we don't host
>> there email just provide a mechanism to send. The least we need the user
>> to change the better.
>
> Then don't block or attempt to proxy port 25. They don't need you to
> supply an MTA in order to send email. They already have an email
> provider, as you point out. Why interfere at all, if you don't want the
> headache?

Because among the users sending mail via his wireless network will be
those with infected computers, or worse. Since he has no ability to do
anything about this after the event (since any customer with a spamming
PC will have left the hotel by the time the complaints start coming in),
  the only way he can both protect himself and act as a responsible
netizen is to proxy port 25 and filter outbound traffic to ensure that
none of it is spam/viruses/etc.

It is the responsibility of any network operator to take reasonable
steps to reduce the probability of his network being used for spam and
virus dissemination. Where the users of that network form a transient
and rapidly changing population, over whom the network operator has no
direct control, then the most practical solution is to implement
network-level controls which will serve to block the majority of any
illegitimate outbound traffic.

Since this means not allowing unrestricted outbound traffic on port 25,
the next question is how best to allow customers to send mail at all.
Given that the majority of them will be non-technical users who expect
to simply be able to switch on their laptop and send mail, without
needing to reconfigure it in any way in order to do so (and, if it's a
locked-down company-owned machine subject to the restrictions of their
own IT department, may well not have the ability to change the settings
even if they knew how). Again, the most practical solution is to
intercept outbound traffic on port 25 and act as a transparent proxy so
that the customer can send mail whatever the settings on their computer.
This is a solution commonly used by wireless hotspot providers (and even
some consumer ISPs), so it's not as if the OP here is asking for
anything obscure or unreasonable. In fact, it's so common that I'm
surprised some of the respondents in this thread seem to be unaware of it!

The real problem is that some of his customers will be using
authenticated SMTP on port 25. That's wrong, by a strict reading of the
relevant RFCs - if they're using authenticated SMTP, they should be
using port 587, which is intended for authenticated SMTP, rather than
port 25, which is for anonymous SMTP. So a technically correct response
would be to leave port 587 open, proxy anonymous SMTP on port 25 and let
users who are incorrectly trying to authenticate on port 25 suffer the
consequences. But the technically correct response isn't always the best
business response, especially when your customers are paying to use your
facilities and, if they find them unusable, will simply go elsewhere.
Again, it has to be borne in mind that the actual user may well not be
responsible for their own incorrect configuration - it may be a
requirement of their own IT department or ISP.

What the OP appears to be looking for is a solution to the problem of
users trying to authenticate on a port that they should not authenticate
on, in order to allow them to send mail anyway. If the answer is "It
can't be done with Postfix", then fine - that's an appropriate answer on
this list (although I'm pretty sure it's the wrong one). But telling him
that he shouldn't be doing that isn't an appropriate answer, because
this isn't a list for discussing best business practice for wireless
hotspot operators, it's a list for getting practical help with using
Postfix. Advice which addresses the technical issue is more likely to be
helpful than advice which attempts to address the marketing issues.

Mark

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]