[afnog] Mail servers (was: Natting)

SM sm at resistor.net
Fri Oct 17 15:29:50 UTC 2008


Hi Peter,
At 05:23 17-10-2008, Peter Nyamukusa wrote:
>I am not sure how your email system is set up but looking at two
>scenarios, in the first you have possibly several thousand broadband
>customers and we all know these guys are capable of anything and you don't
>want them sending email directly or receiving directly from the internet and
>hence therefore you would need to apply an ACL somewhere in your network (my
>concept is the closer to the source the better) this will make sure only the
>servers you permit can only do SMTP in/out and you don't have to spend every
>day removing blacklisted IPs, thus this is the first level of filtering.

That's a different scenario from the one I commented about.  In such 
a case you want to block outgoing TCP 25 closer to the source as you 
mentioned above.  I won't go into the advantages and disadvantages of 
applying such a policy in this region.  I noticed that some ISPs use 
reverse DNS formats which don't help SMTP filtering.

If your customers are allowed to run mail servers (incoming SMTP), 
you cannot filter that traffic.  My opinion is that you should not 
even do NAT there (see reasons below).

>Moving on to the second layer of filtering, for the server IPs that you have
>permitted SMTP from the internet & Local Xchange point you can then even
>apply server level filtering like you were mentioning before i.e. reverse
>dns, RBLS, header & Body checks etc.

That's not possible if you are doing NAT as the mail server won't get 
the actual source IP address then.

>You can even go a step further by setting up your spam/virus filtering
>box/appliance at your upstream provider because in most cases over 80% of
>email received is junk/spam and thus you save your precious international
>bandwidth

That would be better as you save on (international) bandwidth 
charges then, assuming that the cost is lower.  You could apply 
different levels of filtering where you block the virus and high 
probability spam upstream and filter the rest within your network and 
apply your delivery policies.

The original discussion was about mail servers.  Your comments are 
closer to SMTP filtering policies where we have to look at the issues 
from a different perspective.  As you pointed out, there are 
different constraints that are relevant then such as abuse filtering, 
IP address blacklisting and traffic charges.  It's refreshing to see 
this type of operational content on this mailing list.

Regards,
-sm 
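The two filtering layers discussed above (an egress ACL so that only permitted MTAs speak SMTP to the Internet, and server-side reverse DNS / RBL checks on the connecting peer), together with the reason the second layer breaks behind NAT, as an added toy policy model. This is example code written for this page, not code from the thread or from any ISP; every address, hostname, RBL entry and NAT gateway in it is constructed sample data, and the lookups are dictionaries rather than real DNS queries.

```python
"""Toy model of the two SMTP filtering layers from the afnog thread.

Layer 1: a network ACL near the customer edge permits TCP 25 only from the
         ISP's own MTAs (the "closer to the source" rule).
Layer 2: the receiving MTA checks the connecting address (reverse DNS, RBL).
The last functions show why layer 2 is blind when customers sit behind NAT:
the MTA sees the NAT gateway's address, so every client behind it shares one
verdict, whether the gateway is clean or listed.

All addresses, names and list entries are constructed (documentation ranges).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed: MTAs the ISP permits to send/receive SMTP (layer 1 allow-list).
PERMITTED_MTAS = {"192.0.2.25", "192.0.2.26"}
# Constructed: broadband customer pool the egress ACL is applied to.
CUSTOMER_POOL = ipaddress.ip_network("198.51.100.0/24")
# Constructed stand-in for PTR records (real code would query DNS).
PTR = {
    "192.0.2.25": "mail1.isp.example",
    "203.0.113.10": "nat1.partner.example",       # clean NAT gateway
    "203.0.113.99": "nat2.partner.example",       # NAT gateway that got listed
    "203.0.113.66": "203-0-113-66.dyn.example",   # dynamic-style PTR name
}
# Constructed stand-in for an RBL zone (real code would query the RBL).
RBL_LISTED = {"203.0.113.66", "203.0.113.99"}


def egress_acl(src_ip: str, dst_port: int) -> str:
    """Layer 1: 'permit' or 'deny' for a packet leaving the customer network."""
    if dst_port != 25:
        return "permit"                     # ACL only concerns SMTP
    if src_ip in PERMITTED_MTAS:
        return "permit"                     # the ISP's own mail servers
    if ipaddress.ip_address(src_ip) in CUSTOMER_POOL:
        return "deny"                       # broadband hosts may not speak SMTP out
    return "permit"                         # anything else is not this ACL's concern


@dataclass
class Verdict:
    checked_ip: str   # the address the MTA actually evaluated
    reason: str
    accept: bool


def mta_policy(peer_ip: str) -> Verdict:
    """Layer 2: server-side checks on the address that opened the connection."""
    if peer_ip in RBL_LISTED:
        return Verdict(peer_ip, "listed in RBL", False)
    if peer_ip not in PTR:
        return Verdict(peer_ip, "no reverse DNS", False)
    return Verdict(peer_ip, f"rDNS {PTR[peer_ip]}", True)


def observed_peer(client_ip: str, nat_gateway: Optional[str] = None) -> str:
    """What the MTA sees: the client's own address, or the NAT address if NATed."""
    return nat_gateway if nat_gateway else client_ip


def verdict_for(client_ip: str, nat_gateway: Optional[str] = None) -> Verdict:
    """Run layer 2 against the address the MTA can observe for this client."""
    return mta_policy(observed_peer(client_ip, nat_gateway))


if __name__ == "__main__":
    print("layer 1:", egress_acl("198.51.100.7", 25), "(customer host to TCP 25)")
    print("layer 1:", egress_acl("192.0.2.25", 25), "(permitted MTA to TCP 25)")
    # Listed client connecting directly: caught.
    print(verdict_for("203.0.113.66"))
    # Same listed client behind a clean NAT gateway: the MTA cannot tell.
    print(verdict_for("203.0.113.66", nat_gateway="203.0.113.10"))
    # Clean client behind a gateway that got listed: rejected by association.
    print(verdict_for("192.0.2.25", nat_gateway="203.0.113.99"))
```

The point the model makes concrete is that `Verdict.checked_ip` is always the gateway address for NATed clients, so the RBL and reverse DNS results describe the gateway, not the sender; the same blindness applies to any per-source rate limit or blacklist removal process the thread mentions.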
