Postfix authentication to ComCast port 587
Ben Scott
dragonhawk at gmail.com
Tue Jan 20 12:13:48 EST 2009
On Tue, Jan 20, 2009 at 9:19 AM, Bayard Coolidge <n1ho at yahoo.com> wrote:
> Apparently they view ANY attempts to transmit e-mail on Port 25 as spam
> - the fact that they never bothered to document to its paying users
> (like you and me) that they wanted us to use Port 587 instead is ...
They actually do document this, but it's all couched in terms of
Windows mail client configuration, so you prolly ignored it.
And the fun part about unauthenticated SMTP is that they have no
easy way of identifying the legitimate users still using the old
school methods. (Comcast gave up on tracking CPE MAC addresses a long
time ago, so they have no way of telling you apart from the many other
people on your optical node.) Scraping the email addresses out of the
mail traffic is not feasible because of spam.
> From the discussion here on this list when I whined about it,
> it seems that Port 25 is the default for Windows spamming machines ....
Umm... spammers, like mail operators, have found that sending mail
to ports other than port 25 highly reduces the delivery rate of mail.
This applies to Unix hosts, too. :-) It is true that most spam comes
from compromised Windows boxes, though.
Comcast, like many ISPs these days, is not allowing consumer
computers to send "direct to MX" because the overwhelmingly vast
majority of such mail is spam. They're requiring sender
authentication to help track spam that gets relayed through their mail
exchangers. They're using port 587 because that's the RFC specified
port for mail submission.
Comcast is in the process of deploying TCP/25 blocking throughout
their entire consumer network, to help stop spam sooner. This is
actually a good idea.
There's a few different reasons why they might want to reject mail
submission via TCP/25, including performance gains through blocking
blind spam, attack surface reduction, pig-headed standards compliance,
and easier diagnostics, but the big one would be it would mean they
wouldn't have to worry about making TCP/25 exceptions for their relay
servers throughout their network. This might actually be a good idea
in the long run, but it hurts now.
-- Ben
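The thread's subject is Postfix authenticating to the ISP's port 587 submission service, but neither message shows the configuration. The script below is an added example, not part of the original post or of the Postfix project: it renders the main.cf parameters that route outbound mail through an authenticated, TLS-protected relay on TCP/587 instead of direct-to-MX, plus the matching sasl_passwd lookup table. The relay host name, account and password are placeholders (RELAY_HOST, RELAY_USER, RELAY_PASS), and it assumes Postfix 2.3 or later for smtp_tls_security_level; the Comcast-specific host name is not taken from the page.

```shell
#!/bin/sh
# Added example (not from the original post): Postfix client settings for
# authenticated submission to an ISP relay on TCP/587.
# Assumptions: RELAY_HOST/RELAY_USER/RELAY_PASS are placeholders; Postfix
# 2.3 or later (smtp_tls_security_level); root is needed for install_config.

RELAY_HOST="${RELAY_HOST:-smtp.example.net}"   # placeholder ISP submission host
RELAY_USER="${RELAY_USER:-user@example.net}"   # placeholder account name
RELAY_PASS="${RELAY_PASS:-changeme}"           # placeholder password

# Render the main.cf parameters that make Postfix submit via port 587
# with SASL authentication over mandatory STARTTLS.
render_main_cf() {
    cat <<EOF
# Route all outbound mail through the ISP submission port, not direct-to-MX.
relayhost = [${RELAY_HOST}]:587
# Authenticate to the relay with credentials from the lookup table below.
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
# Never fall back to an anonymous mechanism.
smtp_sasl_security_options = noanonymous
# Require STARTTLS so the credentials never cross the wire in the clear.
smtp_tls_security_level = encrypt
EOF
}

# Render the sasl_passwd table; the key must match relayhost exactly
# (brackets and port included) or Postfix will not find the credentials.
render_sasl_passwd() {
    printf '[%s]:587 %s:%s\n' "$RELAY_HOST" "$RELAY_USER" "$RELAY_PASS"
}

# Sanity check for a main.cf fragment: relay on 587, SASL on, TLS mandatory.
# Returns 0 when all three are present, 1 otherwise.
check_main_cf() {
    printf '%s\n' "$1" | grep -q '^relayhost = \[.*\]:587$'            || return 1
    printf '%s\n' "$1" | grep -q '^smtp_sasl_auth_enable = yes$'       || return 1
    printf '%s\n' "$1" | grep -q '^smtp_tls_security_level = encrypt$' || return 1
    return 0
}

# Install step (root and Postfix required; not exercised by the checks):
# Postfix honours the last occurrence of a parameter, so appending wins.
install_config() {
    render_main_cf >> /etc/postfix/main.cf
    render_sasl_passwd > /etc/postfix/sasl_passwd
    chmod 0600 /etc/postfix/sasl_passwd       # credentials readable by root only
    postmap hash:/etc/postfix/sasl_passwd     # build the .db lookup table
    postfix reload
}
```

Keep sasl_passwd and its .db at mode 0600: the table holds the relay password in the clear, and it is the only credential an attacker needs to send mail as you through the ISP's exchangers. Requiring `encrypt` rather than `may` matters for the same reason; with opportunistic TLS a downgrade on the path would expose the login.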