Mailing List Message #92249
From: Nicolas Hatier <>
Subject: Re: port 587 and authentication
Date: Thu, 16 Aug 2007 03:09:57 -0400
To: CommuniGate Pro Discussions <>

I think there's an easier way to solve this so-called loophole.

If you have a front-line AS/AV system, you are likely not wanting to accept mail on port 25. Just stop the SMTP listener on that port.
Port 587 always requires authentication, it won't accept messages headed to a local recipient with a non-local return-path.

Of course this will require the AS/AV system to do SMTP Auth too, but obviously a good system should be able to do so.


John Rudd wrote:
Karl Zander wrote:

If I recall correctly, there's a loophole in "Force SMTP AUTH for", in that if the message is headed to a local recipient (possibly only from a non-local return-path), then it won't force SMTP AUTH.

In some regard, that makes sense: remote senders can't authenticate to your systems, so why would you force them to do SMTP AUTH?  That requirement would make it so that your users can't receive any email from the outside world.

But the problem is: if you have a front-line anti-spam/anti-virus system (an appliance, a gateway host, etc.), then this loophole means that spammers and viruses can bypass that front-line system (depending upon your exact network topology).  That's bad.

The way to close this loophole is: blacklist the entire planet.  Put in your CGP blacklist range.  Then make sure your front-line system(s), any local automated mail generators, etc., are in the CGP client list.  The result is: your users will have to use SMTP-AUTH in order to submit any email, and remote senders will only be able to submit messages to your front-line systems (which will bypass the blacklist due to being in your client list; and their messages won't require SMTP-AUTH because they all have local destinations).


Nicolas Hatier
Niversoft idées logicielles
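The loophole John describes and the blacklist-plus-client-list fix, modelled as an added example (illustrative Python, not CommuniGate Pro's own logic; the local domain, the gateway address and the scenario sessions are constructed values):

```python
# Model of the "Force SMTP AUTH" policy as the thread describes it, and of the
# "blacklist the planet, client-list the gateway" configuration that closes it.
# Illustrative only; domains, IPs and the client list are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LOCAL_DOMAINS = {"example.org"}                 # constructed local domain
CLIENT_LIST = [ip_network("192.0.2.10/32")]     # constructed front-line AS/AV gateway
BLACKLIST = [ip_network("0.0.0.0/0")]           # "blacklist the entire planet"


@dataclass
class Session:
    client_ip: str
    port: int            # 25 (MTA) or 587 (submission)
    authenticated: bool  # did the client complete SMTP AUTH?
    mail_from: str       # envelope return-path
    rcpt_to: str         # envelope recipient


def is_local(addr: str) -> bool:
    return addr.rsplit("@", 1)[-1].lower() in LOCAL_DOMAINS


def in_list(ip: str, nets) -> bool:
    return any(ip_address(ip) in n for n in nets)


def accept_default(s: Session) -> bool:
    """Port 587 always needs AUTH; on port 25 an unauthenticated message to a
    local recipient is let through (the thread is unsure whether the return-path
    must also be non-local, so only the destination is checked here)."""
    if s.port == 587 or s.authenticated:
        return s.authenticated
    return is_local(s.rcpt_to)   # the loophole: local destination, no AUTH needed


def accept_hardened(s: Session) -> bool:
    """Same policy with everything blacklisted and the gateway in the client list:
    blacklisted clients may only submit after AUTH; client-list hosts bypass it."""
    if in_list(s.client_ip, BLACKLIST) and not in_list(s.client_ip, CLIENT_LIST):
        return s.authenticated
    return accept_default(s)


# Constructed scenarios: a direct-to-MX sender skipping the gateway, the gateway, a user.
DIRECT_SENDER = Session("203.0.113.5", 25, False, "bulk@other.example", "alice@example.org")
GATEWAY = Session("192.0.2.10", 25, False, "bob@remote.example", "alice@example.org")
USER_NO_AUTH = Session("198.51.100.7", 587, False, "alice@example.org", "bob@remote.example")
USER_AUTH = Session("198.51.100.7", 587, True, "alice@example.org", "bob@remote.example")
```

With the default policy the direct sender is accepted on port 25 without AUTH; with the hardened configuration only the client-listed gateway and authenticated users get through.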
