
tim_k
Buttons, Bows, Beamer, Shadow, Kasey
Premium,VIP
join:2002-02-02
Stewartstown, PA
kudos:13

Blocked Ports

My ISP took the easy way out and blocked ALL inbound ports. I can't remotely connect to my network anymore. Since they also block outbound ICMP and perhaps some other ports, I can't use ping or tracert to T/S connection problems. I have to pay for a static IP if I want any ports opened.


nixen
Rockin' the Boxen
Premium
join:2002-10-04
Alexandria, VA

said by tim_k:
My ISP took the easy way out and blocked ALL inbound ports. I can't remotely connect to my network anymore. Since they also block outbound ICMP and perhaps some other ports, I can't use ping or tracert to T/S connection problems. I have to pay for a static IP if I want any ports opened.

And you're paying how much now for your connection?

It may be a case of "you get what you pay for".

-tom
--
"There are 10 types of people in the world... those who understand binary and those who don't."
"That's only 2 types of people, moron"


RadRick

join:2001-01-31
Pflugerville, TX

1 edit

reply to tim_k
maybe I'm missing something

What good does blocking port 25 on a residential account do? SMTP service doesn't send on port 25. It only receives on port 25. Residential customers infected with a virus that has its own SMTP engine will still be able to send out junk; they just won't be able to spam other residential users that have their own mail server.

rr



nixen
Rockin' the Boxen
Premium
join:2002-10-04
Alexandria, VA

said by RadRick:
maybe I'm missing something

What good does blocking port 25 on a residential account do? SMTP service doesn't send on port 25. It only receives on port 25. Residential customers infected with a virus that has its own SMTP engine will still be able to send out junk; they just won't be able to spam other residential users that have their own mail server.
Bzzt... Sorry, wrong.

What they are filtering is the ability to connect to a remote system by way of port 25. Minus that ability, your virii with SMTP engines are essentially useless.

Unless you are running a real mail server, there's just no real, valid reason to have port 25, in either direction, allowed out of a network.

-tom
--
"There are 10 types of people in the world... those who understand binary and those who don't."
"That's only 2 types of people, moron"


cowboy
So Much For Subtlety
Premium
join:2000-03-14
Morgan Hill, CA

said by nixen:

Unless you are running a real mail server, there's just no real, valid reason to have port 25, in either direction, allowed out of a network.

Bzzt... Sorry, wrong. (sorry, couldn't resist)

Have you seen some of the newest spam blocking proposals, like the ones pushed by the largest of ISPs? Many of these will require port 25 access so you can use your ISP/company/etc. mail server remotely! One of the proposals calls for DNS-based lists of IPs that can validly send mail from that domain... without remote access and authentication, it would be impossible to send *any* mail unless you're physically on that ISP's subnet(s).

Can you say bye-bye to working from the road (as I am now) ?
--
Richard Nelson


nixen
Rockin' the Boxen
Premium
join:2002-10-04
Alexandria, VA

1 edit

said by cowboy:
said by nixen:

Unless you are running a real mail server, there's just no real, valid reason to have port 25, in either direction, allowed out of a network.

Bzzt... Sorry, wrong. (sorry, couldn't resist)

Have you seen some of the newest spam blocking proposals, like the ones pushed by the largest of ISPs? Many of these will require port 25 access so you can use your ISP/company/etc. mail server remotely! One of the proposals calls for DNS-based lists of IPs that can validly send mail from that domain... without remote access and authentication, it would be impossible to send *any* mail unless you're physically on that ISP's subnet(s).

Can you say bye-bye to working from the road (as I am now) ?

The proponents of that DNS scheme that you quote also note that SMTP relay service should be offered on an alternate port for roaming users to be able to access their networks. Such access would be strictly limited to authenticated users. So, no, it doesn't mean "bye-bye to working from the road".

Basically, what blocking port 25 does is return port 25 traffic to what it should be: server-to-server communication. All other SMTP traffic should be done via authenticated means on alternate ports.

-tom
--
"There are 10 types of people in the world... those who understand binary and those who don't."

"That's only 2 types of people, moron"


cowboy
So Much For Subtlety
Premium
join:2000-03-14
Morgan Hill, CA

said by nixen:

The proponents of that DNS scheme that you quote also note that SMTP relay service should be offered on an alternate port for roaming users to be able to access their networks. Such access would be strictly limited to authenticated users. So, no, it doesn't mean "bye-bye to working from the road".

Unfortunately, for me it does... I am served by one of those ISPs that can't seem to manage authenticated mail servers. The *only* access to them is via their subnet(s). I'm not holding my breath for them to do this *and* add the recommended port 587 access... I fully expect to be out of their domain before they figure all this out.

For work, I do have VPN (actually - I have it for home as well, but not everyone has the knowledge to set this up properly).

said by nixen:

Basically, what blocking port 25 does is return port 25 traffic to what it should be: server-to-server communication. All other SMTP traffic should be done via authenticated means on alternate ports.

Actually, I'm in 100% agreement with you here; this is what we should be striving to achieve... I'd even like to see server-to-server traffic encrypted and/or authenticated where possible.
--
Richard Nelson


nixen
Rockin' the Boxen
Premium
join:2002-10-04
Alexandria, VA

said by cowboy:
Unfortunately, for me it does... I am served by one of those ISPs that can't seem to manage authenticated mail servers. The *only* access to them is via their subnet(s). I'm not holding my breath for them to do this *and* add the recommended port 587 access... I fully expect to be out of their domain before they figure all this out.
Eef... Sorry to hear that. I'm somewhat aghast that they can't figure it out: authentication is part of the MS mail servers and is trivial to set up on the open source alternatives.

Of course, it's partly mail issues that have long caused me to assume the expense of server-oriented connectivity. That way, I can run my own mail servers for friends, family and myself, and usually better than most ISPs I've had experience with (so, I shouldn't be surprised that your ISP is problematic, I guess).

-tom
--
"There are 10 types of people in the world... those who understand binary and those who don't."
"That's only 2 types of people, moron"


tim_k
Buttons, Bows, Beamer, Shadow, Kasey
Premium,VIP
join:2002-02-02
Stewartstown, PA
kudos:13

reply to nixen

said by nixen:
said by tim_k:
My ISP took the easy way out and blocked ALL inbound ports. I can't remotely connect to my network anymore. Since they also block outbound ICMP and perhaps some other ports, I can't use ping or tracert to T/S connection problems. I have to pay for a static IP if I want any ports opened.

And you're paying how much now for your connection?

It may be a case of "you get what you pay for".

-tom

Few would pay as much as I do for what I get. But, it's my only broadband option besides satellite. I pay $50/mo for 256k/256k fixed wireless.


nixen
Rockin' the Boxen
Premium
join:2002-10-04
Alexandria, VA

said by tim_k:
Few would pay as much as I do for what I get. But, it's my only broadband option besides satellite. I pay $50/mo for 256k/256k fixed wireless.
Ack!

Could be worse: could be paying for ISDN.

-tom
--
"There are 10 types of people in the world... those who understand binary and those who don't."
"That's only 2 types of people, moron"


RadRick

join:2001-01-31
Pflugerville, TX

reply to nixen

quote:
Bzzt... Sorry, wrong.

What they are filtering is the ability to connect to a remote system by way of port 25. Minus that ability, your virii with SMTP engines are essentially useless.

Unless you are running a real mail server, there's just no real, valid reason to have port 25, in either direction, allowed out of a network.

-tom

What?

Outgoing SMTP mail does not use port 25. I have a real mail server (actually two), and the mail servers that send mail to them always use a port over 1100 or so.

I use one server for an incoming spam check relay. The second is the mailboxes and sends the outbound. Port 25 is not open to this server. It sends mail just fine.

I still don't see how blocking residential port 25 does anything but stop mail servers on residential accounts from receiving mail. SMTP sending will not be stopped on infected residential computers. They will still be able to send trash to non-residential mail servers.

rr


nixen
Rockin' the Boxen
Premium
join:2002-10-04
Alexandria, VA

said by RadRick:
quote:
Bzzt... Sorry, wrong.

What they are filtering is the ability to connect to a remote system by way of port 25. Minus that ability, your virii with SMTP engines are essentially useless.

Unless you are running a real mail server, there's just no real, valid reason to have port 25, in either direction, allowed out of a network.

-tom

What?

Outgoing SMTP mail does not use port 25. I have a real mail server (actually two), and the mail servers that send mail to them always use a port over 1100 or so.

I use one server for an incoming spam check relay. The second is the mailboxes and sends the outbound. Port 25 is not open to this server. It sends mail just fine.

I still don't see how blocking residential port 25 does anything but stop mail servers on residential accounts from receiving mail. SMTP sending will not be stopped on infected residential computers. They will still be able to send trash to non-residential mail servers.
Perhaps I wasn't clear enough? What they are doing is blocking the ability to connect to port 25 outside of their networks.

-tom
--
"There are 10 types of people in the world... those who understand binary and those who don't."
"That's only 2 types of people, moron"
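The disagreement above turns on which port identifies SMTP in a connection: the ISP filter nixen describes matches the *destination* port 25 of outbound connections, while the "port over 1100" RadRick sees on his servers is the client's ephemeral source port. The script below is an added illustration for this thread, not code from any poster or ISP. It classifies constructed flow records (RFC 5737 documentation addresses, a made-up residential subnet `192.0.2.0/24`, and an assumed set of sanctioned static-IP mail servers) under the policy the thread converges on: port 25 reserved for server-to-server exchange, with client mail going to the authenticated submission ports (587, and 465 for implicit TLS) instead.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, Set

SMTP_RELAY_PORT = 25            # MTA-to-MTA mail exchange
SUBMISSION_PORTS = {587, 465}   # client submission: 587 (RFC 6409), 465 implicit TLS (RFC 8314)


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_flow(line: str) -> Flow:
    """Parse a constructed log line of the form 'SRC_IP:PORT -> DST_IP:PORT'."""
    left, right = (part.strip() for part in line.split("->", 1))
    src_ip, src_port = left.rsplit(":", 1)
    dst_ip, dst_port = right.rsplit(":", 1)
    return Flow(src_ip, int(src_port), dst_ip, int(dst_port))


def classify(flow: Flow, residential_net: str, sanctioned_mta: Set[str]) -> str:
    """Return 'block' or 'allow' for one TCP flow under a residential port-25 policy.

    Only the destination port identifies the service. The source port is an
    ephemeral number picked by the connecting host (often 1024+), so a flow
    like 192.0.2.10:1120 -> 203.0.113.5:25 is outbound SMTP to port 25.
    """
    net = ipaddress.ip_network(residential_net)
    src_local = ipaddress.ip_address(flow.src_ip) in net
    dst_local = ipaddress.ip_address(flow.dst_ip) in net

    if flow.dst_port == SMTP_RELAY_PORT:
        # Residential host talking straight to a remote MTA: this is the path a
        # malware-borne SMTP engine uses, and the one the ISP filter removes.
        if src_local and not dst_local and flow.src_ip not in sanctioned_mta:
            return "block"
        # Remote host delivering into an unsanctioned residential "server".
        if dst_local and not src_local and flow.dst_ip not in sanctioned_mta:
            return "block"
    # Submission ports stay open; the receiving server must require AUTH (and
    # TLS) there, so they are not an anonymous relay path. Flows that stay
    # inside the ISP network, sanctioned MTAs and non-SMTP traffic are untouched.
    return "allow"


def apply_policy(lines: Iterable[str], residential_net: str,
                 sanctioned_mta: Set[str]) -> Dict[str, str]:
    """Map each log line to its verdict."""
    return {line: classify(parse_flow(line), residential_net, sanctioned_mta)
            for line in lines}


# Constructed sample flows (RFC 5737 documentation addresses), not real logs.
RESIDENTIAL_NET = "192.0.2.0/24"                 # assumed residential subnet
SANCTIONED_MTA = {"192.0.2.25"}                  # assumed static-IP customer running a real MTA
SAMPLE_FLOWS = [
    "192.0.2.10:1120 -> 203.0.113.5:25",    # home PC direct to a remote MTA
    "192.0.2.10:1121 -> 203.0.113.5:587",   # home PC to the authenticated submission port
    "203.0.113.5:1122 -> 192.0.2.10:25",    # remote MTA into a home PC
    "192.0.2.10:1123 -> 203.0.113.5:443",   # ordinary HTTPS, not SMTP
    "192.0.2.25:1124 -> 203.0.113.5:25",    # sanctioned MTA relaying outbound
    "192.0.2.10:1125 -> 192.0.2.40:25",     # stays inside the ISP network
]

if __name__ == "__main__":
    for line, verdict in apply_policy(SAMPLE_FLOWS, RESIDENTIAL_NET, SANCTIONED_MTA).items():
        print(f"{verdict:5s}  {line}")
```

Running it shows only the first and third flows blocked: the home PC reaching a remote port 25 directly, and a remote host reaching port 25 on a home PC. The same PC submitting to port 587, the sanctioned mail server, the HTTPS connection and the flow that never leaves the ISP's subnet all pass, which is the "outside of their networks" distinction nixen makes in the last reply.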

over 12.5 years online © 1999-2012 dslreports.com.