Slightly OT: Greylisting success or failure stories?
James Wilkinson
james at westexe.demon.co.uk
Fri Feb 4 23:33:08 UTC 2005

Paul Howarth wrote:
> However, it does not work from ISPs that block outbound port 25
> connections, which is why port 587 is recommended for this purpose.
>
> Anyone seeing port 587 blocked is probably behind a corporate firewall
> that is blocking everything bar port 80 maybe, and should respect that
> company's policy of not allowing outbound mail from their network.

For what it's worth, I'd recommend asking.

I would argue that a competently-configured corporate firewall would
block everything in every direction unless there is a business need for
it (for example, SMTP to or from mail servers, HTML from the proxy and
to the web server, DNS from servers. On a suitably flat network, most
PCs don't need a default gateway).

But that doesn't mean that holes won't be opened once a suitable need
has been demonstrated. If a visitor wants to access a particular "home"
server for e-mail purposes, I personally would be more than happy to
open "my" firewall *from* that PC *to* the ports needed on the requested
server. But until I know that it's needed and which port, PC, and server
to allow, I'm going to keep that connection blocked along with
everything else.

One of the best ways of keeping a paranoid ruleset on a firewall is
"keep everything closed until someone moans"!

James.

--
James Wilkinson | We still have enough spare cardboard sitting around
Exeter Devon UK | to send a bus by Parcelforce, although not enough
E-mail address: james | wrapping to be sure they wouldn't deliver it broken
@westexe.demon.co.uk | into two pieces. -- Alan Cox