Refuse mail from hosts with closed port 25


Refuse mail from hosts with closed port 25

Paul van der Vlis
Hello,

How can I refuse mail from hosts that don't have an open port 25?

What do you think of such a check?

Is there more needed?  E.g. a list of exceptions for some big providers?

Background:
I've investigated why somebody did not receive mail from a virtual
machine, and I found out her provider (reviced.nl) refuses all mail from
a host that does not have port 25 open. I have a lot of problems with spam
and I would like to reduce it.



--
Paul van der Vlis Linux system administration Groningen
https://www.vandervlis.nl/

Re: Refuse mail from hosts with closed port 25

John Peach
On 9/16/19 8:47 AM, Paul van der Vlis wrote:
> Hello,
>
> How can I refuse mail from hosts who don't have an open port 25?
>
> What do you think from such a check?


DO NOT DO THIS!

A significant number of installations will use different servers for
inbound and outbound email. What is worth checking, is that the sender
has MX records.

>
> Is there more needed?  E.g. a list of exceptions for some big providers?
>
> Background:
> I've investigated why somebody did not receive mail from a virtual
> machine, and I found out her provider (reviced.nl) refuses all mail from
> a host what does not have port 25 open. I have much problems with spam
> and I would like to reduce it.
>
>
>




--
John
PGP Public Key: 412934AC

Re: Refuse mail from hosts with closed port 25

Wesley Peng-4
In reply to this post by Paul van der Vlis
Hi

on 2019/9/16 20:47, Paul van der Vlis wrote:
> How can I refuse mail from hosts who don't have an open port 25?
>
> What do you think from such a check?

You shouldn't.

Many email systems have the delivery agent and the MTA separated.
That is to say, they receive incoming mail via an MTA which has port 25
open, but deliver outgoing messages via another gateway which doesn't
have port 25 enabled.

regards.

Re: Refuse mail from hosts with closed port 25

Jim Reid
In reply to this post by Paul van der Vlis


> On 16 Sep 2019, at 13:47, Paul van der Vlis <[hidden email]> wrote:
>
> How can I refuse mail from hosts who don't have an open port 25?
>
> What do you think from such a check?

It’s a stunningly bad idea. Don’t do it.

Many enterprises and cloud-based mail providers have discrete servers/systems handling inbound and outbound mail. In these setups, the servers sending you email won’t have a listener on port 25 -- or any other port -- for inbound email.

> Is there more needed?  E.g. a list of exceptions for some big providers?

It’ll be impractical to maintain a workable whitelist. There will probably be too many false positives and negatives. And the approach probably won’t be an effective anti-spam measure either. But if you want to try the experiment and report back, go ahead. It’ll only be you and your customers who will have to deal with the consequences.


Re: Refuse mail from hosts with closed port 25

Paul van der Vlis
In reply to this post by John Peach


On 16-09-19 at 14:53, John Peach wrote:

> On 9/16/19 8:47 AM, Paul van der Vlis wrote:
>> Hello,
>>
>> How can I refuse mail from hosts who don't have an open port 25?
>>
>> What do you think from such a check?
>
>
> DO NOT DO THIS!
>
> A significant number of installations will use different servers for
> inbound and outbound email.

I know a provider that is actually using this. I guess only the big
providers will have different servers for inbound and outbound email,
and you can make a list of them.

> What is worth checking, is that the sender has MX records.

Hmm, interesting idea!
Maybe you have some lines on how to configure this?

But I am afraid many hosting providers will not have an MX record on
the hosting server, so you don't get your "forgotten password" from the CMS.

With regards,
Paul


--
Paul van der Vlis Linux system administration Groningen
https://www.vandervlis.nl/

Re: Refuse mail from hosts with closed port 25

Kevin A. McGrail
In reply to this post by Jim Reid
On 9/16/2019 9:03 AM, Jim Reid wrote:
> On 16 Sep 2019, at 13:47, Paul van der Vlis <[hidden email]> wrote:
>
> How can I refuse mail from hosts who don't have an open port 25?
Paul, I wrote a module, which I need to update on Perl's CPAN, called
Net::validMX that we use to reject IPv4 domains that aren't properly
set up to receive mail from sending to us.  We've used it in production
with MIMEDefang, and as a small, boutique ESP for over a decade, likely
closer to 15 years, with no complaints/FPs of note.
Regards,
KAM

Re: Refuse mail from hosts with closed port 25

Jim Reid
In reply to this post by Paul van der Vlis


> On 16 Sep 2019, at 14:17, Paul van der Vlis <[hidden email]> wrote:
>
>> A significant number of installations will use different servers for
>> inbound and outbound email.
>
> I know a provider what is actually using this. I guess only the big
> providers will have different servers for inbound and outbound email,

Guess again. Hint: you might be mistaken.

> and you can make a list of them.

Guess again. Hint: you might be mistaken.



Re: Refuse mail from hosts with closed port 25

Scott Kitterman-4
In reply to this post by Paul van der Vlis
On Monday, September 16, 2019 9:17:00 AM EDT Paul van der Vlis wrote:
> I know a provider what is actually using this. I guess only the big
> providers will have different servers for inbound and outbound email,
> and you can make a list of them.

This is not true.  My domain is about as tiny as they come and the inbound and
outbound servers are different for reasons that make sense to me.  I'm sure I'm
not the only one.

Scott K


Re: Refuse mail from hosts with closed port 25

Paul van der Vlis
On 16-09-19 at 15:25, Scott Kitterman wrote:
> On Monday, September 16, 2019 9:17:00 AM EDT Paul van der Vlis wrote:
>> I know a provider what is actually using this. I guess only the big
>> providers will have different servers for inbound and outbound email,
>> and you can make a list of them.
>
> This is not true.  My domain is about as tiny as they come and the inbound and
> outbound servers are different for reasons that make sense to me.  I'm sure I'm
> not the only one.

The outbound server has a closed port 25?

With regards,
Paul



--
Paul van der Vlis Linux system administration Groningen
https://www.vandervlis.nl/



Re: Refuse mail from hosts with closed port 25

Wietse Venema
Paul van der Vlis:
> The outbound server has a closed port 25?

More likely, blocked by firewall.

        Wietse

Re: Refuse mail from hosts with closed port 25

Bill Cole-3
In reply to this post by Kevin A. McGrail
On 16 Sep 2019, at 9:17, Kevin A. McGrail wrote:

> On 9/16/2019 9:03 AM, Jim Reid wrote:
>> On 16 Sep 2019, at 13:47, Paul van der Vlis <[hidden email]>
>> wrote:
>>
>> How can I refuse mail from hosts who don't have an open port 25?
> Paul, I wrote a module which I need to update on Perl's CPAN called
> Net::validMX that we use to reject IPv4 domains that aren't properly
> setup to receive mail from sending to us.  We've used it in
> production
> with MIMEDefang.  And as a small, boutique ESP for over a decade,
> likely
> closer to 15 years with no complaints/FPs of note.

I don't believe that Net::validMX does anything more *at the domain
level* than Postfix's built-in reject_unknown_sender_domain restriction.
Its check_email_validity() may be a bit more strict than Postfix's
built-in address sanity checks.


--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)

Re: Refuse mail from hosts with closed port 25

Bill Cole-3
In reply to this post by Paul van der Vlis
On 16 Sep 2019, at 9:17, Paul van der Vlis wrote:

> I guess only the big
> providers will have different servers for inbound and outbound email,
> and you can make a list of them.

Bad guess.

Many business email systems are architected this way for security
purposes (e.g. Exchange is fine for sending mail out but you really
don't want it accepting email from the Internet directly...) This is
especially common with older businesses who got generous IPv4
allocations decades ago, however I have worked with mail systems serving
less than 500 employee-users of companies with /29 allocations that have
mail going out from a shared NAT address but coming in via a dedicated
IP.

--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)

Re: Refuse mail from hosts with closed port 25

Kevin A. McGrail
In reply to this post by Bill Cole-3

Fair enough.  Maybe he should turn that feature on then :-)

On 9/16/2019 9:59 AM, Bill Cole wrote:

> I don't believe that Net::validMX does anything more *at the domain
> level* than Postfix's built-in reject_unknown_sender_domain restriction.
> Its check_email_validity() may be a bit more strict than Postfix's
> built-in address sanity checks.
--
Kevin A. McGrail
CEO Emeritus

Peregrine Computer Consultants Corporation
10311 Cascade Lane
Fairfax, VA 22032

http://www.pccc.com/

703-359-9700 / 800-823-8402 (Toll-Free)
703-798-0171 (wireless)
[hidden email]

https://www.linkedin.com/in/kmcgrail


Re: Refuse mail from hosts with closed port 25

Benny Pedersen-2
Kevin A. McGrail wrote on 2019-09-16 16:19:
> Fair enough.  Maybe he should turn that feature on then :-)

If you do, you can't receive email from me.

Is validMX so strict that it says domains without an MX are invalid domains?

Oh, and MX fallback is not an RFC?

Be careful testing with "sendmail -bv [hidden email]", and check how
badly sendmail does it.

Re: Refuse mail from hosts with closed port 25

Bill Cole-3
On 16 Sep 2019, at 11:00, Benny Pedersen wrote:

> Kevin A. McGrail wrote on 2019-09-16 16:19:
>> Fair enough.  Maybe he should turn that feature on then :-)
>
> if you do you cant recieve email from me
>
> validMX is strict to say domains without MX is invalid domain ?

No, it does not do that.

#check_email_and_mx.pl  [hidden email]
Check Valid MX (Net::ValidMX v2.2.0)

[hidden email]
        Valid MX? True - Passed

--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire

Re: Refuse mail from hosts with closed port 25

Kevin A. McGrail
In reply to this post by Benny Pedersen-2
On 9/16/2019 11:00 AM, Benny Pedersen wrote:

> Kevin A. McGrail wrote on 2019-09-16 16:19:
>> Fair enough.  Maybe he should turn that feature on then :-)
>
> if you do you cant recieve email from me
>
> validMX is strict to say domains without MX is invalid domain ?
>
> oh and MX failback is not a rfc ?
>
> be carefull testing with "sendmail -bv [hidden email]" and check how
> badly sendmail do it
Benny, you and I correspond and I use the netValidMX.  Not sure what you
are trying to say.

Re: Refuse mail from hosts with closed port 25

Benny Pedersen-2
In reply to this post by Bill Cole-3
Bill Cole wrote on 2019-09-16 17:47:

> On 16 Sep 2019, at 11:00, Benny Pedersen wrote:
>
>> Kevin A. McGrail wrote on 2019-09-16 16:19:
>>> Fair enough.  Maybe he should turn that feature on then :-)
>>
>> if you do you cant recieve email from me
>>
>> validMX is strict to say domains without MX is invalid domain ?
>
> No, it does not do that.
>
> #check_email_and_mx.pl  [hidden email]
> Check Valid MX (Net::ValidMX v2.2.0)
>
> [hidden email]
> Valid MX? True - Passed

Good.

http://mailtester.com/index.php fails

Re: Refuse mail from hosts with closed port 25

Benny Pedersen-2
In reply to this post by Kevin A. McGrail
Kevin A. McGrail wrote on 2019-09-16 17:47:

> Benny, you and I correspond and I use the netValidMX.  Not sure what
> you
> are trying to say.

Thanks to Bill for showing validMX is not broken; all good with it, but
http://mailtester.com is not good. I like to be neutral with
https://www.mail-tester.com/ :=)

Re: Refuse mail from hosts with closed port 25

Stephen Satchell
In reply to this post by Bill Cole-3
+1

Back when I was a Web Hosting monkey, I had something like 23 separate
mail servers (Plesk/qmail and CPanel/exim) trying to send mail to the
world.  After some of the servers got blacklisted for one reason or
another, I decided to use a pair of Postfix servers to send outgoing mail.

Incoming mail was directed to another pair of Postfix servers, which
then distributed the mail internally after running it all through
Spamassassin.

The domain MX records pointed to the inbound servers.  The firewall on
the outbound servers did not allow port 25 connections from IP addresses
outside of our assigned netblocks.  I believe that the return was
"administratively prohibited", not dead air.

Why did I do this?  Traffic management and spam control to the large
mail providers -- Google, AOL, Yahoo, and about five others.  The
centralized spam control made management far easier for all outgoing
mail.  I also did traffic management based on the reports to my abuse
address.  All this work cut down on complaints, and the company fell off
a lot of DNSBLs.

The individual qmail/exim MTAs ran without my worrying about security
issues or DJB weirdness.  Oh, I also had a couple of Windows web hosts,
so they came under the umbrella, satisfying my mantra of "Never expose
Windows to the bare Internet."  (Off-topic: ACLs took care of the other
usual Windows issues.)

One other caveat: the domain names for the outbound servers were "mx1"
and "mx2", while the domain names for the inbound servers were "mail1"
and "mail2".  Reverse DNS matched.

Side note: because the hosting company sold dedicated servers, we had to
block 25 outbound from the netblocks on which those servers lived.  If
they wanted to send mail outbound, they had to use the mx1 and mx2
servers as relay.  Blocked a whole lot of spam mail from compromised web
sites.  Yes, the support people had to tell some customers how to set
up "sendmail(1)" and PHPmail to do this.  Worth the pain and trouble.

(This was more than a decade ago.  I now wrangle Cisco devices and
appliances in a lab environment -- administer only one Postfix server
now, in my home network.)

On 9/16/19 7:16 AM, Bill Cole wrote:

> On 16 Sep 2019, at 9:17, Paul van der Vlis wrote:
>
>> I guess only the big
>> providers will have different servers for inbound and outbound email,
>> and you can make a list of them.
>
> Bad guess.
>
> Many business email systems are architected this way for security
> purposes (e.g. Exchange is fine for sending mail out but you really
> don't want it accepting email from the Internet directly...) This is
> especially common with older businesses who got generous IPv4
> allocations decades ago, however I have worked with mail systems serving
> less than 500 employee-users of companies with /29 allocations that have
> mail going out from a shared NAT address but coming in via a dedicated IP.
>


Re: Refuse mail from hosts with closed port 25

@lbutlr
In reply to this post by Paul van der Vlis
On Sep 16, 2019, at 7:17 AM, Paul van der Vlis <[hidden email]> wrote:
> I guess only the big providers will have different servers for inbound and outbound email, and you can make a list of them.

No, lots and lots of servers will have these services separated.




--
Today the road all runners come/Shoulder high we bring you home. And
set you at your threshold down/Townsman of a stiller town.
