Picking apart SMTP article


Don’t you just love it when you post something that’s meant to help people but it just backfires with even more questions? Such was this morning: I woke up to a dozen emails about last night’s post. By the way, thanks for emailing them directly to me instead of following the proper support route (support.ownwebnow.com) or posting a blog comment, where someone other than the CEO of the company could help you. Real considerate.

But, as a public service, here are a few background pieces that I hope help the spectators:

Why not just always use ISP’s SMTP server?

Because it gets hard to manage, and it’s even worse in multihomed offices. Nowadays very few roles in business are tied to the desk; people are mobile and they rely on mobility. Those are two different things, allow me to explain. People tend to be more mobile, meaning they will do the work from home, from the office, from the production plant, from the client site in Hong Kong, from a Verizon Wireless link and so on. They also rely on mobility, in terms of devices and gadgets that receive email. Yesterday we had a support ticket from someone who wanted to receive email alerts in their car because they spend most of their day driving from site to site dropping off equipment, and they needed the settings to bypass port 25.

As people become more mobile, and rely more on mobility products, single desk, single ISP and single IP address rules go out the window.

Why not just use RPC-over-HTTP?

While RPC over HTTP is a technically valid solution to the SMTP problem, it is a feature of Microsoft Exchange and Microsoft Office, something that most companies cannot afford and, even if they can, they do not have the means to justify the expense. Yeah, I know, I know – the productivity, the scheduling, the TCO bull can pour through the chimney on this argument; we are talking about companies that spend less than $120 a year in TOTAL on their email infrastructure and communications, and that includes filtering and A/V. Could they benefit from Outlook? 50/50 – some of these roles are simply correspondence roles where minimum wage workers just crunch through the sales and fulfillment.

Remember, premium solutions are there for premium problems. The ability to just send and receive email reliably and securely is not worth a few hundred dollars a year to the vast majority of companies out there.

Why bother with SSL/TLS?

Every time you receive email from a POP3 server you are passing your username and password in clear text. Yep. You read that right. Most people stick with plain login/password because it’s easy and requires very little effort.

Same goes for webmail. We provide secure sockets on all our services, but most people don’t use them. When we tried to redirect to the SSL sites automatically we faced a huge backlash from partners and customers who did not want to see our hostname in the address bar. I suppose having people read your email is more appealing than seeing mail1.ownwebnow.com instead of mail.ihaveaverysmallpenisandliveforvanity.cc.

ISP filtering traffic, I am outraged, where is the news coverage?

ISPs own the network; you just buy the right to use it, a right that they can restrict at any time. In a very big way, I support the ISPs’ right to filter their network traffic. Most of the SPAM nightmares come from zombies on cable/DSL connections that do nothing but spew SPAM. If they were policed effectively by the ISP there would be no need for port 25 restrictions; however, I’d rather see the providers kill SMTP access and force people to migrate to secure SSL access on alternate ports.

How can I find out if my ISP is filtering my SMTP traffic?

Just telnet to mail1.ownwebnow.com on port 25. If you get the connection with our banner, you’re open. If you see anything else, or if you get an error, a timeout or a refused connection, your ISP is filtering SMTP.

Is SMTP AUTH mechanism important?

Not really. You can either authenticate explicitly using SMTP AUTH, or you can just use the POP3-before-SMTP mechanism that is native to the way mail clients operate. Basically, when you hit Send & Receive, your client first connects to us and authenticates with the POP3 server to download email. Once authenticated, the IP address is programmed into the relay for a preset amount of time, meaning you can relay mail without explicitly authenticating to the SMTP server. Pretty easy.

Now, let’s say you had a copier on the network that was also sending scans to your desktop or a remote office. In this scenario SMTP authentication is required and must be set explicitly, because there is no POP3-before-SMTP mechanism in place for the copier; it just sends mail and expects it to go through.
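To make the POP3-before-SMTP mechanism and the copier case concrete, here is an added example (a constructed model, not the provider’s own relay code): a relay that opens a timed window for a client IP after a successful POP3 login, and that still requires explicit SMTP AUTH from anything, like the copier, that never logs in to POP3. The 15-minute window and the clock injection are assumptions for illustration.

```python
import ipaddress
import time

# Constructed model of the POP3-before-SMTP relay the post describes; this is
# not the provider's own code. The 15-minute window is an assumption.
RELAY_WINDOW_SECONDS = 15 * 60


class PopBeforeSmtpRelay:
    """Tracks which client IPs may relay because they recently passed POP3 auth."""

    def __init__(self, window=RELAY_WINDOW_SECONDS, clock=time.time):
        self.window = window
        self.clock = clock      # injectable so expiry can be exercised in tests
        self.granted = {}       # client ip -> expiry timestamp

    def pop3_login_succeeded(self, client_ip):
        """The POP3 server calls this after a good login: open the relay window."""
        ip = str(ipaddress.ip_address(client_ip))
        self.granted[ip] = self.clock() + self.window

    def may_relay(self, client_ip, smtp_authenticated=False):
        """Decide whether an SMTP session from client_ip may relay outbound mail.

        Explicit SMTP AUTH always wins (the copier case, which never does a
        POP3 login). Otherwise the IP must still be inside its window.
        Note the grant is per source address: anything sharing that address
        (e.g. behind the same NAT) shares the window, which is one reason
        explicit SMTP AUTH is the safer default.
        """
        if smtp_authenticated:
            return True
        ip = str(ipaddress.ip_address(client_ip))
        expiry = self.granted.get(ip)
        if expiry is None:
            return False
        if self.clock() >= expiry:
            del self.granted[ip]    # window closed; forget the grant
            return False
        return True
```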

What about IMAP and IMAP-SSL?

They are both supported and, as a matter of fact, our new webmail (https://mail1.ownwebnow.com/webmail2) relies on the IMAP protocol to manage folders and such. However, in the field only a tiny percentage of users rely on IMAP and I did not feel that was a big enough cause to document it completely. The same goes for IMAP as for POP3: always use it securely, always use SSL, blah blah.

What is the deal with 2525 and 25252?

They are just random ports we chose to bind our SMTP server to, in case your ISP is not prohibiting SMTP traffic specifically but is just filtering port 25. In that case, just changing the port number from 25 to 2525 without making any other changes will do it. While you should definitely implement everything I mentioned in the guide, if “it worked yesterday, it’s broken today, and we didn’t make any changes” (if I had a penny for every time I heard that lie) then just a change from 25 to 2525 or 25252 will likely do it.
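The telnet check above and the alternate ports in this section can be combined into one probe. This is an added example, not the provider’s own tooling: it connects to each of 25, 2525 and 25252, tells a real SMTP 220 banner apart from a timeout, a refused connection or a non-SMTP reply from an interception proxy, and also reports whether the server advertises STARTTLS in its EHLO reply. The host you probe is your own mail server; the EHLO name is a placeholder.

```python
import socket

# Ports from the post: 25, plus the alternate bindings 2525 and 25252.
DEFAULT_PORTS = (25, 2525, 25252)

def parse_smtp_banner(line):
    """Return (code, text) for an SMTP greeting, or None if it is not one.
    220 means "ready"; an HTTP page from an interception proxy gives None."""
    line = line.strip()
    if len(line) < 3 or not line[:3].isdigit():
        return None
    return int(line[:3]), line[3:].strip(" -")

def ehlo_advertises_starttls(ehlo_reply):
    """True if a multi-line EHLO reply lists STARTTLS among its extensions."""
    for raw in ehlo_reply.splitlines():
        if raw[:3] == "250" and raw[4:].strip().upper().startswith("STARTTLS"):
            return True
    return False

def probe_smtp(host, ports=DEFAULT_PORTS, timeout=5.0):
    """Per port: ("open", banner, starttls?) only when a 220 banner came back;
    otherwise "no-banner" (connected, but not SMTP), "refused", "timeout" or
    "error". Anything but "open" means something in the path filters SMTP."""
    results = {}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.settimeout(timeout)
                banner = s.recv(512).decode("ascii", "replace")
                parsed = parse_smtp_banner(banner)
                if parsed is None or parsed[0] != 220:
                    results[port] = ("no-banner", banner.strip(), False)
                    continue
                s.sendall(b"EHLO probe.example.invalid\r\n")  # placeholder name
                ehlo = s.recv(2048).decode("ascii", "replace")
                s.sendall(b"QUIT\r\n")
                results[port] = ("open", parsed[1], ehlo_advertises_starttls(ehlo))
        except socket.timeout:
            results[port] = ("timeout", "", False)
        except ConnectionRefusedError:
            results[port] = ("refused", "", False)
        except OSError as exc:
            results[port] = ("error", str(exc), False)
    return results
```

Call `probe_smtp("mail1.ownwebnow.com")` from a client on the suspect network; a port that is "open" but reports no STARTTLS is one you should not send credentials over.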

Why are you using TLS for SMTP in Outlook and SSL in Windows Live?

Let me take my MCSE hat off. When I tried it with SSL in Outlook, the connection failed. It was late at night and I really didn’t want to find out why it didn’t work. 🙂
