On Sat, 22 Jun 2002, Lucky Green wrote:
> I am limiting relaying on port 25 smtp to authorized users by using Cyrus-SASL, which integrates cleanly with postfix + TLS as the MTA. Since Outlook only provides the plaintext variant of SASL authentication, my MTA is configured to not offer smtp AUTH as an option until after the TLS connection has been established to prevent eavesdroppers from capturing the relaying authentication password.
We run the main MTA for my university this way (of course it will relay without authentication if the client source address is within the university IP ranges), using sendmail and cyrus-sasl. It's my impression that many US universities are starting to do this. We started it as a one-off MTA handling submission of mail for travelers, then realized that the regular MTA could just provide this service. It also does Kerberos authentication, which I use (though not many MUAs support it).
> Since more and more misguided ISPs are flat out blocking outgoing connections to port 25 from inside their network, I have postfix listening at a higher port number in addition to port 25, just as many hosts today are running sshd on several ports to help compensate for similarly misguided corporate firewall policies.
The obvious port is 587, the "submission" port (see RFC 2476), which in fact is the one that MUAs "should" use, rather than 25 (we support it, I'm submitting this mail using it, via my home ISP). Of course if it actually becomes popular those misguided ISPs will block it too ...

- RL "Bob"

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com
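The property Lucky Green describes (no AUTH advertised until STARTTLS has completed, which is what Postfix's smtpd_tls_auth_only = yes enforces) is easy to verify from the client side. The following script is an added example written for this page, not code from either poster's setup: it parses EHLO replies, flags a server that offers AUTH (especially PLAIN or LOGIN, the only mechanisms Outlook speaks) on the cleartext leg, and includes a live probe built on the standard smtplib. The EHLO replies in the module are constructed for the offline check; host names and ports are placeholders.

```python
"""Check that a submission server withholds SMTP AUTH until after STARTTLS.

Added example, not from the original thread. It flags a server that
advertises AUTH on the cleartext connection, where an eavesdropper
could capture a PLAIN/LOGIN password, and a server that never offers
AUTH at all after TLS (so authenticated relaying could not work).
"""
import smtplib
import ssl


def parse_ehlo(reply: str) -> dict:
    """Turn a raw multi-line EHLO reply into {KEYWORD: PARAMS}.

    Accepts lines like '250-STARTTLS' or '250 AUTH PLAIN LOGIN'. The
    first line (the server's own name) is skipped. The legacy
    'AUTH=PLAIN LOGIN' form some servers emit for old Outlook clients
    is folded into the normal AUTH keyword.
    """
    feats = {}
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    for line in lines[1:]:            # lines[0] is '250-mail.example.org'
        body = line[4:].strip()       # drop the '250-' / '250 ' prefix
        if not body:
            continue
        kw, _, params = body.partition(" ")
        kw = kw.upper()
        if kw.startswith("AUTH="):    # 'AUTH=PLAIN LOGIN' -> 'AUTH', 'PLAIN LOGIN'
            params = (kw[5:] + " " + params).strip()
            kw = "AUTH"
        feats[kw] = params.upper()
    return feats


def assess(pre_tls: dict, post_tls: dict) -> list:
    """Compare capabilities before and after STARTTLS; empty list means OK."""
    findings = []
    if "STARTTLS" not in pre_tls:
        findings.append("STARTTLS not offered: no way to protect credentials")
    if "AUTH" in pre_tls:
        mechs = pre_tls["AUTH"].split()
        weak = [m for m in mechs if m in ("PLAIN", "LOGIN")]
        if weak:
            findings.append("AUTH %s offered before TLS: password recoverable "
                            "by an eavesdropper" % " ".join(weak))
        else:
            findings.append("AUTH offered before TLS (mechanisms: %s)"
                            % pre_tls["AUTH"])
    if "AUTH" not in post_tls:
        findings.append("AUTH not offered after TLS: authenticated relaying "
                        "impossible")
    return findings


def probe(host: str, port: int = 587, timeout: float = 10.0) -> list:
    """Live check of a real server (needs network; not used by the test).

    smtplib clears esmtp_features when starttls() succeeds, so EHLO has
    to be sent again to learn what the server offers inside TLS.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        pre = {k.upper(): v.upper() for k, v in s.esmtp_features.items()}
        if "STARTTLS" not in pre:
            return assess(pre, {})
        s.starttls(context=ssl.create_default_context())
        s.ehlo()
        post = {k.upper(): v.upper() for k, v in s.esmtp_features.items()}
        return assess(pre, post)


# Constructed EHLO replies (not captured from any real host).
BAD_PRE = ("250-mail.example.org\r\n250-STARTTLS\r\n"
           "250-AUTH PLAIN LOGIN\r\n250 8BITMIME\r\n")   # leaks AUTH in the clear
GOOD_PRE = "250-mail.example.org\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
GOOD_POST = ("250-mail.example.org\r\n250-AUTH PLAIN LOGIN\r\n"
             "250 8BITMIME\r\n")                         # AUTH only inside TLS


if __name__ == "__main__":
    print("misconfigured:", assess(parse_ehlo(BAD_PRE), parse_ehlo(GOOD_POST)))
    print("correct:", assess(parse_ehlo(GOOD_PRE), parse_ehlo(GOOD_POST)))
```

To check a real submission server, call probe("mail.example.org", 587) (placeholder host); an empty list means AUTH appeared only after STARTTLS. The same check against port 25 is also worth running, since the thread's point is that the relaying password must never be exposed on the cleartext leg of either port.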