From: Jorey Bump (listjoreybump.com)
Date: Tue May 13 2008 - 12:48:58 CDT
Mark Goodge wrote, at 05/13/2008 12:30 PM:
> Because among the users sending mail via his wireless network will be
> those with infected computers, or worse. Since he has no ability to do
> anything about this after the event (since any customer with a spamming
> PC will have left the hotel by the time the complaints start coming in),
> the only way he can both protect himself and act as a responsible
> netizen is to proxy port 25 and filter outbound traffic to ensure that
> none of it is spam/viruses/etc.
He can block port 25, and leave it at that.
> It is the responsibility of any network operator to take reasonable
> steps to reduce the probability of his network being used for spam and
> virus dissemination.
> Again, the most practical solution is to
> intercept outbound traffic on port 25 and act as a transparent proxy so
> that the customer can send mail whatever the settings on their computer.
> This is a solution commonly used by wireless hotspot providers (and even
> some consumer ISPs), so it's not as if the OP here is asking for
> anything obscure or unreasonable. In fact, it's so common that I'm
> surprised some of the respondents in this thread seem to be unaware of it!
We're all *too* aware of the practice, as we're often left dealing with
> So a technically correct response would be to leave port 587 open,
> proxy anonymous SMTP on port 25 and let
> users who are incorrectly trying to authenticate on port 25 suffer the
> consequences. But the technically correct response isn't always the best
> business response, especially when your customers are paying to use your
> facilities and, if they find them unusable, will simply go elsewhere.
> Again, it has to be borne in mind that the actual user may well not be
> responsible for their own incorrect configuration - it may be a
> requirement of their own IT department or ISP.
Precisely. Maybe a user has been authenticating on port 25 with STARTTLS
enabled. It may stop working in a hotspot, but at least it's still
secure. The last thing we need is a hotel clerk telling a user to
"disable TLS, our super smart proxy will send the mail for you!"
> What the OP appears to be looking for is a solution to the problem of
> users trying to authenticate on a port that they should not authenticate
> on, in order to allow them to send mail anyway. If the answer is "It
> can't be done with Postfix", then fine - that's an appropriate answer on
> this list (although I'm pretty sure it's the wrong one). But telling him
> that he shouldn't be doing that isn't an appropriate answer, because
> this isn't a list for discussing best business practice for wireless
> hotspot operators, it's a list for getting practical help with using
> Postfix. Advice which addresses the technical issue is more likely to be
> helpful than advice which attempts to address the marketing issues.
The OP is trying to reduce outgoing spam from his hotspot, which is
laudable, but wants to overcome the resulting issues by intercepting or
replaying user login credentials, which is completely unacceptable (and
impossible, in the case of encrypted connections). Blocking outgoing
connections to port 25 is an acceptable, if imperfect, solution. But
hijacking the connection can create a multitude of problems for everyone:
- User login credentials may be exposed.
- Nontechnical users may be encouraged to alter mail client settings to
an insecure configuration.
- The hotspot IP may become blacklisted, causing messages to bounce that
wouldn't have if the sender's relay had been used.
- SPF (or other sender/domain authentication) checks may cause the
message to bounce, if it appears to originate from the hotspot IP
address instead of an approved server for that domain.
- A hotspot's poorly implemented SMTP proxy could be a significant
source of backscatter. I wouldn't be surprised if this explains the
recent surge. In this case, we would all be better off if the hotspot
merely blocked port 25. Backscatter from spam with forged sender
addresses can ruin a legitimate account.
Current best practice suggests blocking (not proxying) outgoing
connections to port 25 to stop spam. This will allow users to use port
587 or webmail, if either is provided by the email service provider.
Tampering with the connection via a proxy is not likely to be a good
business decision, considering the potential problems. It isn't a good
technical solution, either.
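To make the SPF point in the message above concrete, here is an added example (not part of the original post or of Postfix) that evaluates a sender domain's SPF policy against two candidate client IPs: the sender's own relay and the hotspot's egress address. It implements only the ip4, ip6 and all mechanisms of RFC 7208, with no DNS lookups, so include/a/mx/exists/ptr are rejected rather than resolved. The SPF record and both IP addresses are constructed for illustration using documentation ranges.

```python
import ipaddress

# Constructed SPF record for a hypothetical sender domain (not from the post).
EXAMPLE_SPF = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 ~all"

# Constructed addresses: the sender's own submission relay and a hotspot egress IP.
SENDER_RELAY_IP = "192.0.2.10"
HOTSPOT_EGRESS_IP = "198.51.100.7"

_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record: str, client_ip: str) -> str:
    """Evaluate client_ip against an SPF record (offline subset of RFC 7208).

    Supports the ip4, ip6 and all mechanisms with their qualifiers. Returns one of
    'pass', 'fail', 'softfail', 'neutral' or 'none'. Mechanisms that need DNS
    (include, a, mx, exists, ptr) raise ValueError because nothing here resolves them.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record at all

    ip = ipaddress.ip_address(client_ip)

    for term in terms[1:]:
        # Default qualifier is '+', i.e. a match means 'pass'.
        qualifier = "+"
        if term[0] in _QUALIFIERS:
            qualifier, term = term[0], term[1:]

        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.lower()

        if mechanism == "all":
            # 'all' always matches; it is the record's default verdict.
            return _QUALIFIERS[qualifier]

        if mechanism in ("ip4", "ip6"):
            # A bare address (no prefix length) means a single host.
            network = ipaddress.ip_network(argument, strict=False)
            if network.version == ip.version and ip in network:
                return _QUALIFIERS[qualifier]
            continue

        raise ValueError(f"mechanism '{mechanism}' needs DNS; not supported offline")

    # No mechanism matched and no 'all' term: RFC 7208 says the result is neutral.
    return "neutral"


def delivery_outcomes(record: str, relay_ip: str, hotspot_ip: str) -> dict:
    """Compare the SPF verdict for the same message sent two ways:
    through the sender's own relay versus injected by a hotspot proxy."""
    return {
        "via_own_relay": check_spf(record, relay_ip),
        "via_hotspot_proxy": check_spf(record, hotspot_ip),
    }


if __name__ == "__main__":
    for path, verdict in delivery_outcomes(
        EXAMPLE_SPF, SENDER_RELAY_IP, HOTSPOT_EGRESS_IP
    ).items():
        print(f"{path}: {verdict}")
```

With the constructed record, the same message passes SPF when it leaves through the sender's relay and gets softfail when a hotspot proxy injects it from its own address; a domain publishing -all instead of ~all would see an outright fail, which is exactly the bounce the post warns about.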