djbdns

Re: How to setup DNS for 2nd Instance of SMTP?

To: dns@list.cr.yp.to
Subject: Re: How to setup DNS for 2nd Instance of SMTP?
From: Jeff King <peff@peff.net>
Date: Thu, 18 Jan 2007 14:43:10 -0500
Delivered-to: sp-com-lists@consult.net
Delivered-to: gmail-djbdns@securepoint.com
Delivered-to: sp.com.list@gmail.com
Delivered-to: mailing list dns@list.cr.yp.to
In-reply-to: <45AFBDCC.6070701@ultra-secure.de>
Mail-followup-to: dns@list.cr.yp.to
Mailing-list: contact dns-help@list.cr.yp.to; run by ezmlm
References: <20070118165555.726.qmail@web58909.mail.re1.yahoo.com> <20070118181202.GA28046@odin.dempsky.org> <45AFBDCC.6070701@ultra-secure.de>

On Thu, Jan 18, 2007 at 07:34:52PM +0100, Rainer Duffner wrote:

> >You won't be able to get mail redirected from port 25 to 587 without
> >either changing the clients or changing your firewall rules.  You've
> >ruled out the former, so you'll need to set up your firewall to
> >redirect incoming port 25 TCP connections from your dial-in clients'
> >IP addresses to port 587.
> >  
> 
> IMHO, that's pointless.
> If you redirect connections from port 25 to port 587, you don't gain 
> anything (or at least not a lot).
> Spammers will quickly learn the new IP. Even if you don't give it a 
> DNS-name.
> When changing IPs for MXs, I've had the first spam reach the server 
> seconds after the change went online.
> It's an absolute frigging nightmare.

I think the point is to allow _only_ the clients to connect on 587. So
you have two separate queues, one for client submission on 587, and one
for public mail on port 25. Your firewall rules block access to 587
except from your client IPs. They also translate port 25 access to
port 587 access (so either way, clients get the submission queue).
Everyone else uses port 25. So unless your clients are the spammers, the
queue on 587 should remain clear.

-Peff
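
The firewall layout described in the message above, as an added example that is not part of the original thread. It assumes a Linux host using iptables with both SMTP instances on the same machine; the client networks are constructed documentation ranges, and the function names `iptables_rules` and `queue_for` are hypothetical.

```python
import ipaddress

# Constructed sample: dial-in client ranges (RFC 5737 documentation networks).
CLIENT_NETS = ["192.0.2.0/24", "198.51.100.0/25"]


def iptables_rules(client_nets):
    """Return iptables commands for the two-queue layout (assumed: Linux, IPv4)."""
    rules = []
    for text in client_nets:
        net = ipaddress.ip_network(text)  # ValueError on malformed input
        if net.version != 4:
            raise ValueError(f"iptables handles IPv4 only: {text}")
        # Clients still talking to port 25 are rewritten to 587 before filtering.
        rules.append(f"iptables -t nat -A PREROUTING -p tcp -s {net} "
                     "--dport 25 -j REDIRECT --to-ports 587")
        # INPUT sees the rewritten port, so this rule covers direct and
        # redirected client connections alike.
        rules.append(f"iptables -A INPUT -p tcp -s {net} --dport 587 -j ACCEPT")
    # Order matters: the DROP must follow every per-client ACCEPT.
    rules.append("iptables -A INPUT -p tcp --dport 587 -j DROP")
    rules.append("iptables -A INPUT -p tcp --dport 25 -j ACCEPT")
    return rules


def queue_for(src, dport, client_nets=CLIENT_NETS):
    """Model which queue a TCP connection reaches under those rules."""
    addr = ipaddress.ip_address(src)
    is_client = any(addr in ipaddress.ip_network(n) for n in client_nets)
    if is_client and dport == 25:
        dport = 587  # effect of the nat PREROUTING REDIRECT
    if dport == 587:
        return "submission" if is_client else "blocked"
    if dport == 25:
        return "public"
    return "not-smtp"


if __name__ == "__main__":
    print("\n".join(iptables_rules(CLIENT_NETS)))
    # Constructed sample connections: two clients, two outsiders.
    for src, port in [("192.0.2.10", 25), ("192.0.2.10", 587),
                      ("203.0.113.5", 25), ("203.0.113.5", 587)]:
        print(f"{src}:{port} -> {queue_for(src, port)}")
```

The model shows the property the message relies on: a non-client address can only ever reach the public queue, whichever port it tries.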
