[Maybe OT] - RFC compliance checking at session

Matt Kettler mkettler at evi-inc.com
Fri Feb 29 16:48:15 GMT 2008


Hostmaster wrote:
> Hi All,
> 
> I would like to elicit some opinions from you other MailScanner using 
> MX-administrators.

Pretty much all your opinions here are valid, except:

> and the IP does not accept return SMTP – indicating that
> it’s probably a web server and not an MTA itself. 

I find that conclusion irrational. Why wouldn't it be an MTA?

Anyone large enough to have separate MX (inbound) and smarthost (outbound) 
servers should *NOT* be accepting inbound SMTP connections to their smarthost 
servers from the outside world. Only their internal network should be able to 
SMTP to the smarthost.

There's no reason to allow it, so best practice would suggest you should close 
that off at the firewall. Any legitimate mail delivery attempts will go to the 
MX servers. Therefore any attempts to connect to port 25 on the SmartHost from 
the outside are either hackers, scans, or random pokes and prods at parts of 
your network nobody on the outside belongs in.


I think it's a pretty far jump to assume that any system that generates SMTP but 
doesn't accept inbound from you can't be an MTA. It's quite possible it is an 
MTA, but you're not authorized to try to queue mail there and are firewalled out.
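
Added example, not part of the original message: a small check an administrator could run over firewall logs to see who from outside is hitting port 25 on the smarthost, which is the traffic the message says should be closed off at the firewall. The addresses, internal ranges and log lines are constructed for illustration (key=value fields modelled on netfilter LOG output); the function name is hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Assumptions for this example: internal ranges and the smarthost address.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
SMARTHOST = ipaddress.ip_address("192.0.2.25")  # outbound relay (documentation range)

# Constructed sample log lines; 192.0.2.10 plays the role of the inbound MX.
SAMPLE_LOG = """\
Feb 29 16:01:02 fw kernel: IN=eth1 SRC=10.1.4.17 DST=192.0.2.25 PROTO=TCP SPT=40112 DPT=25
Feb 29 16:01:09 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.25 PROTO=TCP SPT=51514 DPT=25
Feb 29 16:01:10 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.25 PROTO=TCP SPT=51515 DPT=25
Feb 29 16:02:30 fw kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=33210 DPT=25
Feb 29 16:03:44 fw kernel: IN=eth0 SRC=203.0.113.80 DST=192.0.2.25 PROTO=TCP SPT=40000 DPT=443
"""

FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")


def is_internal(addr):
    """True if addr falls inside one of the assumed internal networks."""
    return any(addr in net for net in INTERNAL_NETS)


def external_smtp_to_smarthost(log_text):
    """Count TCP/25 attempts at the smarthost per non-internal source address."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        if fields.get("PROTO") != "TCP" or fields.get("DPT") != "25":
            continue  # not SMTP
        try:
            src = ipaddress.ip_address(fields["SRC"])
            dst = ipaddress.ip_address(fields["DST"])
        except (KeyError, ValueError):
            continue  # malformed or truncated line
        # Mail to the MX is legitimate; only the smarthost is of interest here.
        if dst == SMARTHOST and not is_internal(src):
            hits[str(src)] += 1
    return hits


if __name__ == "__main__":
    for src, count in external_smtp_to_smarthost(SAMPLE_LOG).most_common():
        print(f"{src}\t{count} attempt(s) on smarthost:25 from outside")
```

Internal clients relaying through the smarthost and outside hosts delivering to the MX are both ignored; only outside sources reaching the smarthost on port 25 are reported.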

