[clug-talk] Did shaw shut down external ports?
kanderson at digital-adrenaline.com
Tue Jun 19 17:31:59 PDT 2007
Reliability is a different issue than being asked to use a server. One
that should be complained about if it isn't stellar. Having said that,
this does not affect Business Class services, so if you're running your
own Mail, NNTP, HTTP, DNS, etc, perhaps you aren't really choosing
what's best for yourself anyway.

If you care about TLS, and encryption, you likely aren't affected,
because you won't be using port 25 anyway. You'll be using secure SMTP,
or connecting via VPN, or whatever else.

Port 587 does not accept (or shouldn't accept) unauthenticated email.
So that will never be an issue unless the spammers also have your UID
and PWD. That would mean you have bigger issues.

All you want is a connection? Wow, same with me. I want a 110
connection for my PC, but I want a 220 for my Oven. Connection is
pretty vague. What I think you mean is you want unrestricted bandwidth,
and the service level of a corporate account, and you want it at the
cost of residential service.

30 years ago, people thought out what they needed. Unix is a perfect
example. Now, people want flash in the pan, and they get Aero, which
looks cool, but is more or less useless. Yes, KDE/Gnome are good
compromises, but the truth is, a headless Unix box is still very hard to

Blocking port 25 outbound does LOTS to prevent the problem. It stops
newbies/seniors/kids/etc from sending "mail" from their "user friendly"
Windows 98 boxes. It encourages people to think about security of email
in a broader sense, which this conversation is doing... It helps
eliminate spam, and ultimately allows me more bandwidth for P2P traffic.

Filtering 445 is a different issue, and much like email, this is a
problem that has already been foreseen. You can very easily change the
port that you administrate your Ipcop box from. Better yet, you can
close it to outside connections entirely, and establish a VPN for

This becomes a complicated issue when Shaw says "Stephane Dion has
mandated that all email passing through these servers will be monitored
and tracked." For those of you interested in that line of thinking, go
From: Gustin Johnson [mailto:gustin at echostar.ca]
Sent: Tuesday, June 19, 2007 2:26 PM
To: CLUG General
Subject: Re: [clug-talk] Did shaw shut down external ports?
Kevin Anderson wrote:
> It's just not an issue. Use Shaw's server as a smarthost, and all's
> fine. You aren't filtered, you aren't limited. This is irrelevant.
It is relevant since their mail service is less than stellar in my
experience. I do not use their services since I either provide them
myself or have acquired them from a 3rd party (DNS, mail, NNTP, web
hosting are examples of services I get elsewhere).
> means there's one extra hop in the path your email takes getting to
> its destination. That's out of your control after it leaves your
Actually it also breaks TLS encryption which allows for secure
authentication and transmission. This is important, though it does not
garner the attention it deserves. Since PGP/gpg is not supported by a
wide enough range of email clients TLS at least provides some measure of
Even though I have provided a workaround (the ports 587 and 465) for my
clients, how long until the spammers begin to use these ports as well?
At best this policy of Shaw's provides short term respite while doing
nothing to combat the actual problem. I would rather they spend our
money more effectively.
> anyway, so what's the difference. In the old days, prior to High
> Speed Internet and always on connections, this was the norm. This is
> EXACTLY how email was designed to be used. That's why sendmail uses a
Email was designed 30+ years ago. This is EXACTLY why we have the
problems we do today. The system was simply not designed for the
environment that it is in. Simply blocking an outbound port does little
to rectify the actual problem. If anything it gives a false sense of
security which leaves us worse off than before.
> Any issue you have with a blog breaking because of this is, as far as
> I'm concerned, a misconfiguration of the blog.
I am less likely to make such a blanket statement about software I have
never seen. I can think of legitimate reasons for blog software to
behave this way. Especially if it supports TLS/SSL and Auth, which btw,
Shaw does not.
> This is like saying you're mad that you need to assign a default
> gateway to your server. It accomplishes the same thing, and provides
> the same restrictions. It should be there. It'll work without one
> under the right circumstances (proxy servers, etc), but you should use
> one. Mail is the same thing. Did you need it? No. As a residential
> user, should you be using it? Yes.
All I need/want is a connection. I do not require from Shaw *any*
services other than IP routing. Preventing us from acquiring services
(DNS, Mail, web space etc.) from 3rd parties is not a good thing, even
if we are "residential" customers.
This current problem is not all that severe as it is trivial to work
around. I worry more about the future, what comes next? This is not
the kind of precedent that we want set. Will they filter port 445 as
my portable Rogers connection does, for our protection (this is normally
used by Windows/CIFS file sharing, but is also the default management
port for IPCOP)? Where will they draw the line?
This is a complicated issue, and I am glad that we are discussing it.