[Mimedefang] Re: Blocking DSK & Cable modem users.

Jeremy Mates jmates at sial.org
Thu May 22 20:17:01 EDT 2003


* listuser at numbnuts.net <listuser at numbnuts.net>
> That's the only bad thing about it.  Then again 0.0% of my users use
> it so I'm not really out much.  Those customers that absolutely have
> to send via their company's MTA will most likely have a company that
> has a webmail solution or utilizes a VPN solution.

In our case, webmail has been deemed too insecure (allows password
input on random devices) and far less featured than dedicated mail
programs.  VPN would be complicated to set up in our heterogeneous
(educational) environment, especially when remote SSH and STARTTLS of
email are really the only protocols being used by roaming folks.

> I'm not an AUTH or TLS person myself.  Do those run on the standard
> tcp/25 port or do they have their own?  I'd do this with tcp/25
> because that's all that really matters to achieve the goals of this
> potential project.

STARTTLS and SMTP AUTH take place over an SMTP conversation, either at
port 25 or at the submission port 587 if you configure your submit.mc
specially.  One can also do a raw TLS connection to the smtps port 465,
which behaves much like an https tunnel, though mail client support for
alternate SMTP ports or using smtps is varied.

I have seen both ISPs and certain anti-virus software mess up STARTTLS
connections, requiring alternate port kluges or other hacks.  For more
information on SMTP AUTH and STARTTLS, see:

http://sial.org/talks/smtpauth-starttls/

http://sial.org/sendmail/tls-relay/

Another option would be to log the rate of outgoing SMTP connections and
the bandwidth being consumed, and flag high usage for spam investigation
or rate limitation.  Though that might create a whack-a-mole game...
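As an added example (not part of the original thread), the logging-and-flagging idea above in Python: parse constructed sendmail-style `from=` log lines, aggregate per client IP per fixed one-hour window, and flag clients whose message count, bytes or recipient count exceeds a threshold. The log lines, hostnames, addresses and thresholds are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sendmail-style envelope-sender log lines (not real traffic).
SAMPLE_LOG = """\
May 22 20:01:03 mx sendmail[2101]: h4N001xx002101: from=<alice@example.edu>, size=4210, class=0, nrcpts=1, relay=dsl-1.example.net [192.0.2.10]
May 22 20:01:09 mx sendmail[2102]: h4N001xx002102: from=<bob@example.edu>, size=900, class=0, nrcpts=1, relay=cable-7.example.net [192.0.2.77]
May 22 20:01:15 mx sendmail[2103]: h4N001xx002103: from=<alice@example.edu>, size=4198, class=0, nrcpts=40, relay=dsl-1.example.net [192.0.2.10]
May 22 20:02:40 mx sendmail[2104]: h4N001xx002104: from=<alice@example.edu>, size=4203, class=0, nrcpts=40, relay=dsl-1.example.net [192.0.2.10]
May 22 20:03:02 mx sendmail[2105]: h4N001xx002105: from=<alice@example.edu>, size=4220, class=0, nrcpts=40, relay=dsl-1.example.net [192.0.2.10]
May 22 21:30:00 mx sendmail[2106]: h4N001xx002106: from=<carol@example.edu>, size=150000, class=0, nrcpts=1, relay=cable-9.example.net [192.0.2.99]
"""

# Pull timestamp, message size, recipient count and the connecting client IP.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: \S+: "
    r"from=<[^>]*>, size=(?P<size>\d+), .*?nrcpts=(?P<nrcpts>\d+), "
    r".*relay=\S+ \[(?P<ip>[\d.]+)\]"
)

def parse_events(log, year=2003):
    """Yield (timestamp, client_ip, size, nrcpts) for each from= line; other lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # to= lines, rejects and unrelated syslog noise carry no sender data
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], int(m["size"]), int(m["nrcpts"])

def usage_by_client(events):
    """Aggregate messages, bytes and recipients per (client_ip, hour) window."""
    usage = defaultdict(lambda: {"msgs": 0, "bytes": 0, "rcpts": 0})
    for ts, ip, size, nrcpts in events:
        window = ts.replace(minute=0, second=0, microsecond=0)  # fixed hourly bucket
        u = usage[(ip, window)]
        u["msgs"] += 1
        u["bytes"] += size
        u["rcpts"] += nrcpts
    return usage

def flag_high_usage(usage, max_msgs=3, max_bytes=100_000, max_rcpts=100):
    """Return {client_ip: [exceeded metrics]} for any window over a threshold."""
    limits = (("msgs", max_msgs), ("bytes", max_bytes), ("rcpts", max_rcpts))
    flagged = defaultdict(list)
    for (ip, _window), u in usage.items():
        reasons = [name for name, limit in limits if u[name] > limit]
        if reasons:
            flagged[ip].extend(reasons)
    return dict(flagged)

if __name__ == "__main__":
    for ip, reasons in sorted(flag_high_usage(usage_by_client(parse_events(SAMPLE_LOG))).items()):
        print(f"{ip}: exceeded {', '.join(reasons)} in one hour; candidate for review or rate limiting")
```

Flagged clients are only candidates for investigation; a mailing-list sender or a legitimate bulk mailer will trip the same thresholds, so tune them against a baseline of your own logs.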

