
Re: [Asrg] 6. Proposals: MTA MARK vs port 25 filtering?

2003-12-12 15:07:41
Markus Stumpf <maex-lists-spam-ietf-asrg(_at_)Space(_dot_)Net> wrote:
> But with the presumption of innocence each one should be allowed to send
> a mail to another person on the internet without some authority blocking
> it by default "just because".

  My whole point is that you may have *reasons* for blocking port 25:
The user didn't accept responsibility for traffic being sent to that
port, coming from his network.

  Similarly, you probably block BGP connections from people you don't
have peering agreements with.  I don't see how blocking any other
protocol is different.

> Reading and controlling each and every email before letting
> it pass the border of your IT infrastructure is impossible for anyone/
> any business with more than 100 emails a day and 5 people. Even more so if
> you have to take care of data protection.

  Again, I have NEVER said that doing this would be a good idea.  I
don't see why you're bringing it up.  It simply isn't relevant.

> We have an AUP that forbids sending "bad" mails (whatever that means; in
> our case that includes UCE and spam) and we can take action if a customer
> fails to adhere. But unless he fails, he has free and unfiltered access to
> the Internet and IMHO this is a good thing.

  The point I was trying to make is simple: I don't understand why
you're treating SMTP differently on one hand (you have an AUP), but then
claiming you're not treating it differently on the other (you claim to
give free and unfiltered access to the net.)

  You've already decided that you have NOT given your customers
absolutely free and totally unfiltered access to the net, so stop
trying to pretend otherwise.  You're already filtering network traffic
you find abusive, or which attacks your local infrastructure.

  It makes sense to me, then, if we both agree to each filter network
traffic which abuses the other person.  It just saves time, money, and
work for everyone.

> > e.g. Most customers
> > could probably forge ICMP "destination unreachable" messages, for your
> > routers, web servers, etc., and drop them off of the net.

> No, they can't.
> Our routers do know which side the addresses may come from.

  So you're doing even more filtering than you said originally.  Why
not extend that filtering to network abuse *other* than forged
packets?


  My point is that "free and unfiltered access to the net" does not
exist for the vast majority of people.  ISPs are already limiting the
things they let customers do.  Things like MTAMark or port 25
filtering are less than optimal, but they won't result in the
destruction of the Internet, or even the "end to end" principle.  SMTP
has never been "end to end".

  RFC 2487, Section 7, Security Considerations, says:

        ...
        It should be noted that SMTP is not an end-to-end mechanism
        ...

  See?  You can filter port 25 without the Internet exploding.  The
RFCs say so.

  Alan DeKok.

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
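The three border filters the exchange above argues about (dropping packets with forged source addresses on the customer-facing side, restricting outbound TCP/25 from the customer range, and accepting BGP sessions only from configured peers) can be modelled as a small policy evaluator. The following is an added example, not code from the thread or from either author's network; the prefixes, relay address and peer address are constructed documentation values (RFC 5737 ranges), and the rule order and reason strings are the example's own assumptions.

```python
"""Toy model of the ISP border filtering discussed in the thread:
source-address validation on the customer side, port 25 egress policy,
and BGP only from known peers. All addresses below are constructed."""
from dataclasses import dataclass
import ipaddress

# Constructed: the prefix assigned to the customer, the ISP's own mail
# relay that customers may still reach on port 25, and one BGP peer.
CUSTOMER_PREFIX = ipaddress.ip_network("192.0.2.0/24")
ISP_MAIL_RELAY = ipaddress.ip_address("198.51.100.25")
BGP_PEERS = {ipaddress.ip_address("203.0.113.1")}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: int = 0        # destination port for tcp/udp, 0 otherwise
    from_customer: bool = True   # arrived on the customer-facing interface


def filter_decision(pkt: Packet) -> tuple[str, str]:
    """Return (action, reason) for one packet. Rules are evaluated in order;
    the first match wins, mirroring a typical router ACL."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)

    # 1. Source-address validation: the router knows which side a given
    #    address may legitimately arrive from, so a packet entering on the
    #    customer interface with a source outside the customer prefix is
    #    forged (this covers the spoofed ICMP unreachable case).
    if pkt.from_customer and src not in CUSTOMER_PREFIX:
        return ("drop", "spoofed-source")

    # 2. Port 25 egress policy: customers may talk SMTP only to the ISP's
    #    relay, not directly to arbitrary hosts on the Internet.
    if (pkt.from_customer and pkt.proto == "tcp" and pkt.dport == 25
            and dst != ISP_MAIL_RELAY):
        return ("reject", "smtp-egress-policy")

    # 3. BGP (TCP/179) is accepted only from configured peers.
    if pkt.proto == "tcp" and pkt.dport == 179 and src not in BGP_PEERS:
        return ("drop", "bgp-nonpeer")

    return ("accept", "default")


def summarize(packets: list[Packet]) -> dict[str, int]:
    """Count decisions by reason, the way a filter log would be summarised."""
    counts: dict[str, int] = {}
    for pkt in packets:
        _, reason = filter_decision(pkt)
        counts[reason] = counts.get(reason, 0) + 1
    return counts


# Constructed sample traffic: one legitimate web request, one direct SMTP
# attempt, one SMTP submission to the relay, one forged ICMP message, one
# BGP attempt from an unknown host, and one BGP session from the real peer.
SAMPLE = [
    Packet("192.0.2.10", "203.0.113.80", "tcp", 80),
    Packet("192.0.2.10", "203.0.113.25", "tcp", 25),
    Packet("192.0.2.10", "198.51.100.25", "tcp", 25),
    Packet("10.0.0.1", "198.51.100.1", "icmp"),
    Packet("192.0.2.66", "198.51.100.1", "tcp", 179),
    Packet("203.0.113.1", "198.51.100.1", "tcp", 179, from_customer=False),
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p.src, "->", p.dst, p.proto, p.dport, filter_decision(p))
    print(summarize(SAMPLE))
```

Rule 1 is what makes the "forge ICMP destination unreachable" scenario fail in practice, and it has to sit before the port 25 rule, otherwise a forged source could be used to escape the per-customer SMTP policy.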