undefined | Better HN

0 pointsthwarted15y ago0 comments

But if your webhost was also dumb enough to block port 25 outbound on their firewall, would you say that Netscreen Firewalls are stupid?

Blocking outbound port 25 has legit uses, it keeps from being able to submit mail with the only information about the source of the mail being the IP address. Port 25 is meant for MTA to MTA mail transfers. Outbound 587, named "submission" is the port you can connect to at your email service provider to drop off outbound mail. This port is required to support authentication before accepting mail. This provides an additional layer of auditing and access control, and thus a way to easily turn off problem senders, on a per-account basis, should the need arise.

A smart webhost would block outbound port 25 and require you to send mail authenticated through an MTA provided for the purpose. But of course, chances are most people here are not using purely "web hosting services", but rather dedicated machines or VMs that run their own MTAs. However, any decent MTA can be configured to use a relay host and authentication, which is fine unless you're sending massive volumes of email (in which case, why are you sending it from a rinkydink webhost or single VM?)

0 comments

2 comments · 1 top-level

muppetman15y ago· 1 in thread

Was it not obvious my point wasn't about port 25?

Port 80, port 443, port whatever-you-need-to-not-be-blocked.

You can't blame the Netscreen Firewall for doing what it was told - that's my point. mod_security isn't dumb, stupid, annoying. The rulset deployed can be.

thwartedOP15y ago

I was responding to the side point about someone being "dumb" for blocking port 25. My response offers no opinion on the quality of firewall software, Netscreen branded or not.

j / k navigate · click thread line to collapse