On Mon, 01 Nov 2004 18:48:35 +0000, Paul Howarth <paul@xxxxxxxxxxxx> wrote:
> On Mon, 2004-11-01 at 18:38, Leonard Isham wrote:
> >
> > On Mon, 01 Nov 2004 16:16:40 +0000, Paul Howarth <paul@xxxxxxxxxxxx> wrote:
> > > Neil Marjoram wrote:
> > > > Can someone help me, this is driving me nuts!
> > > >
> > > > I currently run sendmail on port 25, I have had a requirement to install
> > > > smtp_auth, which all works fine. However I now find out that one of my
> > > > users' ISPs blocks port 25 so he can't access the mail anyway.
> > > >
> > > > The answer? NAT port 10025 or whatever to port 25.
> > >
> > > Whilst this doesn't answer your question, is there any particular reason you
> > > didn't just open port 587 in your firewall and use the MSA, which sendmail
> > > runs by default for this very purpose?
> > >
> > > Paul.
> >
> > As for why not run MSA?
> >
> > "MSA port should be limited to internal hosts (e.g., firewalled from
> > external world)"
> > - http://www.sendmail.org/~gshapiro/8.10.Training/MSA.html
> >
> > I presume the issue is an issue with sending mail. Why not configure
> > the e-mail client to send e-mail via the local ISP?
>
> Because that way a roaming user would have to reconfigure their mail
> software every time they were in a different place, with a different
> ISP. RFC 2476 on Message Submission cites "Implement authenticated
> submission, including off-site submission by authorized users such as
> travelers" as one of its motivations. Since the MSA is not significantly
> different in functionality to the MTA, I really don't see any reason why
> it should be firewalled off.
>
> Paul.
> --
> Paul Howarth <paul@xxxxxxxxxxxx>
>

I suspect that these are the reasons sendmail.org recommends firewalling MSA:

Meant to be less strict on standards compliance
* Addresses don't have to be fully qualified
* Hostnames don't have to be fully qualified
* Don't require "required" headers, e.g. Message-ID: and Date:

--
Leonard Isham, CISSP
Ostendo non ostento.