
Re: Fun new policy at AOL
From: Ray Wong <rayw () rayw net>
Date: Thu, 28 Aug 2003 09:41:59 -0700

On Thu, Aug 28, 2003 at 10:18:45AM -0400, Matthew Crocker wrote:

> Shouldn't customers that purchase IP services from an ISP use the ISPs
> mail server as a smart host for outbound mail?  We block outbound port

For some, sure.  Maybe even most.  That doesn't mean all.  Are you a
fairly small, perhaps boutique, provider?  Such players have very
different rules than ones with more than one kind of customer.

> 25 connections on our dialup and DSL pool.  We ask our customers that
> have their own mail servers to configure them to forward through our
> mail servers.  We get SPAM/abuse notifications that way and can kick

Asking is one thing, forcing is another.  Giving the option but leaving
the choice entirely up to the customer's discretion is yet another.
Giving a default, but allowing customers to request exceptions, with
reasonably automated tests to verify they can handle it... well, you get
the idea.

You get SPAM/abuse notifications without diverting all mail through you.
You need to investigate either way (unless you trust unknown third parties
more than your own customers), which still doesn't require all mail to
pass through your server.

> the customer off the network.  We also block inbound port 25
> connections unless they are coming from our mail server and require the
> customer set up their MX record to forward through our mail server.  We
> virus scan all mail coming and going that way.  We protect our
> customers from the network and our network from our customers.  We are
> currently blocking over 3k Sobigs/hour on our mail servers.  I would
> rather have that than all my bandwidth eaten up by Sobig on all of my
> dialup/DSL connections.

Do you also limit your customers' use of web traffic?  Bandwidth, at
the end of the day, is still bandwidth.  Having it all eaten up is a
problem, but not enough justification to take away all choice.  Your
own border shouldn't be that much greater than the aggregate total
of your customers, should it?  That'd be bandwidth you pay a lot for
and can't use.  Usual model would suggest your downstream customers
represent some value more bandwidth from you than your incoming server
could get, or perhaps 1:1.

What if I have my own virus scanner?  What if your mail server is too
slow because all those scans chew up a lot more resources than my own
traffic on my server will?   What size attachments do you allow?  What
spam filters do you run; do they account for sender IP in the same
probability weighting that mine does?  Even per-user configuration of
filters like Postini represents a reduction in choice that may not
fly with all customers, particularly small and home businesses.  Finding
solutions that account for the broadest number of cases is useful.

If you provide a server architecture doc the way I can expect to see
line topo docs, then maybe I'll trust you to get it right, or maybe not.
Expecting to tell customers, "I know how to run an email server better
than you," doesn't fly in this age of bonehead ISPs, at least not for
a lot of us/them.  Perhaps you do the former; if so, please let me know if
you provide service in the San Francisco/Sillycon Valley area, as our
choices in home/small pipe have declined quite a bit these years. =)

> SMTP & DNS should be run through the servers provided by the ISP for
> the exact purpose.  There is no valid reason for a dialup customer to
> go direct to root-servers.net and there is no reason why a dialup user
> should be sending mail directly to AOL, or any mail server for that
> matter (besides their host ISP)

Let's back up.  It's entirely possible, even probable, that any ISP I
go to will provide good Internet (pipe) and bad Service (protocols),
or vice-versa.   If they're good pipe, I can set up my own server, and
have everything I need.  Providing reliable and high-rate connectivity
does not mean I trust you, or anyone else, to run an extra man in the
middle.  You, of course, are not required to trust your customers, and
your policy will self-select out the ones who disagree, but suggesting
it's applicable in enough cases to be a general standard misses the

I can think of a number of businesses (including some who are fairly well
known in email software, services, etc) who came up with the use of DSL
as a server home.  They may not rely on it for their primary bandwidth
(which would probably be foolish), but particularly for things like DNS
and SMTP, both of which provide for multiple addresses and locations,
could sanely choose to maintain secondary servers over a completely
isolated alternate pipe.  Remember, BGP fails, ISPs fail, T1 cards fail,
routers fail, etc.  Having that last "home" DSL connection may just save
some companies from going totally unreachable at times.  That's worth
$79.99/month in many books.


Ray Wong
rayw () rayw net
