From: mouss (mouss netoyen.net)
Date: Tue May 13 2008 - 13:47:23 CDT
Mark Goodge wrote:
>
> Because among the users sending mail via his wireless network will be
> those with infected computers, or worse. Since he has no ability to do
> anything about this after the event (since any customer with a
> spamming PC will have left the hotel by the time the complaints start
> coming in), the only way he can both protect himself and act as a
> responsible netizen is to proxy port 25 and filter outbound traffic to
> ensure that none of it is spam/viruses/etc.
Redirecting traffic without the authorization of the user has a name:
hijacking.
I don't know about you, but if my plane goes to Egypt instead of Tunisia
because someone decided that the weather is better there, I know what I
will do.
>
> It is the responsibility of any network operator to take reasonable
> steps to reduce the probability of his network being used for spam and
> virus dissemination.
Of course. But tracking criminals never meant annoying honest people,
except in dictatorial governments.
> Where the users of that network form a transient and rapidly changing
> population, over whom the network operator has no direct control, then
> the most practical solution is to implement network-level controls
> which will serve to block the majority of any illegitimate outbound
> traffic.
Not at all. If I pay for a service, I want that service. The fact that
my neighbours are criminals changes nothing.
>
> Since this means not allowing unrestricted outbound traffic on port
> 25, the next question is how best to allow customers to send mail at
> all. Given that the majority of them will be non-technical users who
> expect to simply be able to switch on their laptop and send mail,
> without needing to reconfigure it in any way in order to do so (and,
> if it's a locked-down company-owned machine subject to the
> restrictions of their own IT department, may well not have the ability
> to change the settings even if they knew how). Again, the most
> practical solution is to intercept outbound traffic on port 25 and act
> as a transparent proxy so that the customer can send mail whatever the
> settings on their computer. This is a solution commonly used by
> wireless hotspot providers (and even some consumer ISPs), so it's not
> as if the OP here is asking for anything obscure or unreasonable. In
> fact, it's so common that I'm surprised some of the respondents in
> this thread seem to be unaware of it!
Oh no. While it is good practice to block port 25 (both out and in),
traffic hijacking is bad. If my wife's MUA gives her login:password to
an arbitrary server, I consider that simply as an attack, even if the
problem is in the MUA. And I reserve my right to react to that, in any
form ;-p
Oh please, come on. It's as if SPs and providers were so secure that we
could count on them. A tcpdump shows many funny things, and experience
with SPs shows even more problems.
>
> The real problem is that some of his customers will be using
> authenticated SMTP on port 25. That's wrong, by a strict reading of
> the relevant RFCs - if they're using authenticated SMTP, they should
> be using port 587, which is intended for authenticated SMTP, rather
> than port 25, which is for anonymous SMTP.
While 587 is recommended, using port 25 for submission is more than
acceptable.
> So a technically correct response would be to leave port 587 open,
> proxy anonymous SMTP on port 25 and let users who are incorrectly
> trying to authenticate on port 25 suffer the consequences. But the
> technically correct response isn't always the best business response,
> especially when your customers are paying to use your facilities and,
> if they find them unusable, will simply go elsewhere. Again, it has to
> be borne in mind that the actual user may well not be responsible for
> their own incorrect configuration - it may be a requirement of their
> own IT department or ISP.
Blocking port 25 creates no problem, provided that the SP makes it easy
to override for those who want to send directly. For example, free.fr
allows customers to enable port 25 in their web UI (requires rebooting
the freebox, but this is not too much). The consequence is that most
people who don't know what this means will have the port blocked, which
is good.
>
> What the OP appears to be looking for is a solution to the problem of
> users trying to authenticate on a port that they should not
> authenticate on, in order to allow them to send mail anyway. If the
> answer is "It can't be done with Postfix", then fine - that's an
> appropriate answer on this list (although I'm pretty sure it's the
> wrong one). But telling him that he shouldn't be doing that isn't an
> appropriate answer, because this isn't a list for discussing best
> business practice for wireless hotspot operators, it's a list for
> getting practical help with using Postfix. Advice which addresses the
> technical issue is more likely to be helpful than advice which
> attempts to address the marketing issues.
I am sure OP can manage to do whatever he wants, but I confess that I do
not understand what he wants to do.
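As an added illustration (not part of the thread or of Postfix), an nftables ruleset implementing the approach mouss describes rather than the transparent proxy: outbound port 25 from hotspot clients is rejected unless the client address has been added to an opt-out set, while the submission ports 465 and 587 pass untouched. The interface name, set name and address are assumptions.

```nft
# Hypothetical hotspot firewall policy (added example, not from the thread).
# Assumes clients sit behind interface "wlan0"; adjust to the real LAN side.
table inet hotspot {
    # Clients who asked for direct port 25 (the free.fr style opt-out).
    # Populate at runtime, e.g. from a captive-portal or web-UI toggle:
    #   nft add element inet hotspot smtp_direct { 10.20.30.40 }
    set smtp_direct {
        type ipv4_addr
        flags interval
        elements = { 10.20.30.40 }   # constructed sample address
    }

    chain forward {
        type filter hook forward priority filter; policy accept;

        # Opted-out hosts may talk SMTP to anyone directly.
        iifname "wlan0" ip saddr @smtp_direct tcp dport 25 counter accept

        # Everyone else: refuse port 25 outright with a TCP reset, so the
        # MUA fails fast instead of being silently redirected elsewhere.
        # (A "redirect to :25" in a nat prerouting chain would instead be
        # the transparent proxy the thread objects to.)
        iifname "wlan0" tcp dport 25 counter reject with tcp reset

        # Submission ports are left alone: credentials go to the server the
        # user configured, not to the hotspot.
        iifname "wlan0" tcp dport { 465, 587 } counter accept
    }
}
```

Load with `nft -f` and watch the `counter` values on the reject rule to see how many clients are still configured for port 25; a rising count is the signal to point them at 587.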