13 Nov 2014
A press release from the EFF complains that some Internet service providers are preventing their users from sending mail over a private encrypted channel, which is bad. While a few ISPs do that, the story is more complex.
There are two subtly different ways that a computer can send mail. It can send it directly to the recipient using what's known as port 25, or it can send it to a more capable mail server, using what's known as submission or port 587. Senders doing submission invariably have to authenticate before they can send the mail, and the more capable server has the opportunity to check the mail for spam and malware before sending it along.
A long time ago, direct mail and submission both used port 25. The distinction between the two dates from 1998, so these days only really really old software requires submission over port 25. (More modern software can usually be misconfigured to submit over port 25, but that can be fixed with a one-time five minute configuration change.) So at this point, the vast majority of mail sent from user computers over port 25 is spam from botnets, with a tiny trickle of real mail from ancient or misconfigured user mail programs.
ISPs hate dealing with user complaints, and even though the change from port 25 to port 587 is easy, forcing users to make it often involves support calls to expensive human staff. In North America, nearly all ISPs just bit the bullet, blocked all outgoing port 25 mail, and dealt with the support calls, in the expectation that the subsequent drop in outgoing abuse would more than pay for the one-time pain. (MAAWG published an influential recommendation in 2005.)
Nonetheless, some ISPs still try to fudge things: they allow outgoing mail on port 25 but somehow still try to manage the spam. The usual approach is a "transparent" filter on port 25 traffic that looks at the outgoing mail and filters it on the fly. This appears to be what's going on at the ISPs the EFF describes. The filter has to block the STARTTLS command that would start an encrypted session, since it needs to be able to see the mail to filter it.
I happen to agree that the quotes around "transparent" belong there, because the filtering is anything but, and the STARTTLS problem is merely one of many reasons it's a bad idea. But the solution isn't to turn off the filtering, it's to block port 25 like everyone else does, and force people to move to port 587 submission.
Mail sent on port 587 doesn't need filtering, because the mail is only going to the more capable server which will take responsibility for it and deal with malicious stuff before it's passed along, not to random recipients who will complain. STARTTLS works great on port 587, and keeps the contents of the session between the local computer and the other server confidential, including both the mail and the authorization password.
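As an added example (not code from the original post), here is a small Python check of whether a server's EHLO reply offers both STARTTLS and AUTH, which is what a port 587 submission server should do and what a port 25 "transparent" filter takes away. The transcripts below are constructed, and the host names are placeholders.

```python
"""Check an ESMTP EHLO capability list for STARTTLS and AUTH."""
import re

# Constructed sample EHLO replies (not captured from any real ISP).
# A proper submission server on port 587:
EHLO_587 = """250-mail.example.net Hello client.example
250-SIZE 52428800
250-STARTTLS
250-AUTH PLAIN LOGIN
250 HELP
"""
# Port 25 behind a filter that has stripped STARTTLS (and no AUTH):
EHLO_25_FILTERED = """250-mail.example.net Hello client.example
250-SIZE 52428800
250 HELP
"""

def parse_ehlo(response: str) -> dict:
    """Turn a raw multi-line EHLO reply into {KEYWORD: [params]}."""
    caps = {}
    for line in response.splitlines()[1:]:   # line 0 is the greeting
        m = re.match(r"250[- ](\S+)(?:\s+(.*))?$", line)
        if m:
            caps[m.group(1).upper()] = (m.group(2) or "").split()
    return caps

def assess(caps: dict) -> list:
    """Return a list of problems; an empty list means STARTTLS and AUTH are both offered."""
    problems = []
    if "STARTTLS" not in caps:
        problems.append("STARTTLS not advertised: session would stay in clear text")
    if "AUTH" not in caps:
        problems.append("AUTH not advertised: this is not a submission server")
    elif "STARTTLS" not in caps and {"PLAIN", "LOGIN"} & set(caps["AUTH"]):
        problems.append("AUTH PLAIN/LOGIN offered without TLS: password would cross the wire in clear")
    return problems

def probe(host: str, port: int = 587) -> list:
    """Connect to a live server and assess its EHLO reply (not used by the offline samples)."""
    import smtplib
    with smtplib.SMTP(host, port, timeout=10) as s:
        s.ehlo("client.example")
        # smtplib keeps the parsed extensions, keyword lower-cased, params as one string
        caps = {k.upper(): v.split() for k, v in s.esmtp_features.items()}
    return assess(caps)
```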
This setup has been working well at large and small ISPs all over the world, it's not new or controversial, and it's high time the stragglers catch up.
© 2005-2020 John R. Levine.