Opened 7 years ago

Closed 6 years ago

#407 closed enhancement (fixed)

Block outgoing port 25

Reported by: adehnert Owned by:
Priority: normal Milestone:
Component: mail Keywords: opionated
Cc:

Description

In order to prevent getting marked as spammers, we should possibly block outgoing port 25, so that users trying to send mail need to go through us (or an authenticated MTA elsewhere on port 587, which shouldn't cause spam reputation problems to us). This will increase the effectiveness of Postfix-level outgoing mail blockages, and would open up significant opportunities for our Postfix doing smart things like logging, rate-limiting, etc.

This was discussed:

  • -c scripts -i trac-#406 on 12/19/14
  • -c scripts-root -i p on 8/6/14
  • -c scripts-root -i m on 9/9/14

Change History (3)

comment:1 Changed 7 years ago by adehnert

I believe at this point there's something resembling consensus this would be fine. If any maintainers object, please say so (including on this ticket, so it's easy to find the record of it). A prerequisite is probably doing some logging to identify users currently depending on outgoing port 25, and either grandfathering them or working with them to stop doing so.

comment:2 Changed 7 years ago by quentin

We are already currently logging to syslog every time a user makes a direct port 25 connection; I object to implementing this plan insofar as I believe we should do analysis of those logs before we move directly to blocking.

Also we probably want to allow connections to outgoing-auth, since I know some users use that path for mail submission. Not sure how to do that without allowing unauth outgoing, though. :/

comment:3 Changed 6 years ago by andersk

  • Resolution set to fixed
  • Status changed from new to closed

Fixed in r2700.
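
The log analysis that comments 1 and 2 call for before blocking could look like the following. This is an added example, not code from this ticket or from the project: it assumes the syslog entries are netfilter-style `KEY=value` lines carrying the socket owner's UID, and the `smtp-out: ` prefix, the MTA UID 89 and all sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the style of netfilter LOG output with UID logging.
# The "smtp-out: " prefix, hosts, addresses and UIDs are made up for this example.
SAMPLE_LOG = """\
Dec 19 10:01:02 web1 kernel: smtp-out: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.25 PROTO=TCP SPT=40112 DPT=25 SYN UID=1201 GID=1201
Dec 19 10:01:09 web1 kernel: smtp-out: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.25 PROTO=TCP SPT=40118 DPT=25 SYN UID=1201 GID=1201
Dec 19 10:03:40 web1 kernel: smtp-out: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.7 PROTO=TCP SPT=40230 DPT=25 SYN UID=1201 GID=1201
Dec 19 10:05:11 web1 kernel: smtp-out: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.7 PROTO=TCP SPT=40301 DPT=25 SYN UID=1305 GID=1305
Dec 19 10:05:30 web1 kernel: smtp-out: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.25 PROTO=TCP SPT=40377 DPT=25 SYN UID=89 GID=89
Dec 19 10:06:02 web1 kernel: smtp-out: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.7 PROTO=TCP SPT=40410 DPT=587 SYN UID=1305 GID=1305
Dec 19 10:06:15 web1 kernel: smtp-out: IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 PROTO=TCP SPT=40422 DPT=25 SYN UID=1410 GID=1410
Dec 19 10:07:00 web1 sshd[311]: Accepted publickey for example from 192.0.2.99
"""

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")

def direct_smtp_users(log_text, prefix="smtp-out: ", mta_uids=frozenset({89})):
    """Summarise direct outbound port-25 connections per UID.

    Skips the MTA's own UID(s), port 587 submission and loopback delivery to
    the local MTA, so what remains is the set of users a block would affect.
    """
    users = defaultdict(lambda: {"connections": 0, "destinations": set()})
    for line in log_text.splitlines():
        _, found, rest = line.partition(prefix)
        if not found:
            continue  # not one of the firewall log lines
        f = dict(FIELD.findall(rest))
        if f.get("PROTO") != "TCP" or f.get("DPT") != "25" or f.get("OUT") == "lo":
            continue
        uid = f.get("UID", "")
        if not uid.isdigit():
            uid = "-1"  # no socket owner logged; keep it visible under -1
        if int(uid) in mta_uids:
            continue
        users[int(uid)]["connections"] += 1
        users[int(uid)]["destinations"].add(f.get("DST", "?"))
    return dict(users)

if __name__ == "__main__":
    for uid, info in sorted(direct_smtp_users(SAMPLE_LOG).items()):
        print(uid, info["connections"], sorted(info["destinations"]))
```

The per-UID destination sets are what separates a user submitting through one known relay from one contacting many remote MX hosts, which is the distinction needed when deciding whom to grandfather.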
