
They Blocked My SMTP, Now What?

mindsuck asks: "As of this Wednesday, my ISP blocked my port 25, leaving my mailserver useless to the outside world as a consequence of spammers and their nasty worms. So I decided to ask the nice people of Slashdot. What can I do now to restore my smtp service, besides changing ISPs, is there an obscure way to run a mailserver off a non-standard port? What about services similar to those provided by dyndns.org for this kind of situation? Pros and Cons of using these services? Should I move my MX to a more 'stable' server than my homegrown one?" This topic was last touched upon in this article, from 2002. It's been over a year since SMTP blocks have become commonplace. Have you noticed a slowdown in your SPAM? Are ISP SMTP blocks really helping the problem? Updated: It looks like Charter is also blocking SMTP. Might there be a way to work with your ISP to get them to unblock port 25 for you, if you can sufficiently satisfy them that you are not a spammer?

Krondor wrote in with a similar query: "Charter Communications (in my area) has blocked outbound SMTP connections. I need to be able to send Email to other SMTP servers, besides theirs, for a number of legitimate reasons. My question is this; How can I either still send SMTP to the places I need to, or how can I convince Charter to unblock outbound SMTP (I can understand blocking inbound SMTP without ACK bit set)? They do provide a relay, but won't my messages get labelled as SPAM if I use that? I am also concerned because, this relay is not encrypted with SSL and I don't necessarily trust Charter with that."

  • by Captain Kirk ( 148843 ) on Friday November 14, 2003 @03:49PM (#7476089) Homepage Journal
    If you want a practical service it MUST be port 25. If you can't offer port 25, either you need to use someone else's smtp server or to change ISP.

    • by BrynM ( 217883 ) * on Friday November 14, 2003 @05:37PM (#7476978) Homepage Journal
      It's funny. I saw your nick was "Captain Kirk" and ended up reading your post envisioning William Shatner.

      (holds out hands as if pleading) "If you... want... a practical... service... itMUSTbeport25(!). If you... can't... offer... port25... either you... need... tousesomeoneelse's... smtp server... or... to... change... ISP!"

      Shatnerizing speech is fun! I'm going to have to do that more often. Thank... you(!)...

  • by Anonymous Coward
    Okay, the person asking the question is clearly talking about incoming traffic, as he mentions MX records and the like. The editor, on the other hand, seems to be talking about outgoing traffic, which is a completely different kettle of fish.
  • by nocomment ( 239368 ) on Friday November 14, 2003 @03:49PM (#7476095) Homepage Journal
    I wish more ISPs would block email. I get so much spam through my company mail server that originates off of DSL/Cable internet services. Combine that with the recent worms that turn infected computers into spam relays. I think it should be common practice to push all outbound mail through the ISP's mail server.

    And yes you can run it on non-standard ports. 26 is fairly common.
    • by grunthos ( 574421 ) on Friday November 14, 2003 @04:06PM (#7476213) Homepage
      my ISP blocked my port 25
      Incoming, outgoing, or both? The workarounds can be different depending on which it is.
      And yes you can run it on non-standard ports. 26 is fairly common.
      Except that the great wide world can't send mail to you if you're listening there. The sender has to be specifically configured for that.

      One thing I'm doing as a backup to my main connection is (everybody get ready to cringe) UUCP over TCP port 540. It's an easy config in the Unix/Linux world with Taylor UUCP. Sendmail handles it fine. No, no bang paths-- just plain domain names.

      This would be a workaround for a problem on incoming mail. In my case, my primary MX record points to my mail server, and my secondary MX points to my UUCP relay site (bungi.com). If a sender can't connect to me, they go to the secondary where it queues. I run an hourly UUCP poll over TCP, which picks up anything waiting. If my main connection went down or were blocked, I could retrieve incoming mail with any generic PPP dial-up account.

      I know, sounds kludgy, but it works fine.

      This would work as a workaround for outgoing blockage also, but it would be much easier to use your ISP's outgoing mail server.

      • I don't know if you have control of the secondary mx, but wouldn't an ssh tunnel work better? 1st mx fails, 2nd mx goes to a different server, and the mails go through ssh tunnel to first server...? No noticeable lag time. That option would work well for those who could use it.
    • I'm inclined to agree. I'm all for running servers and learning at home, and I do it myself -- however, I also pay a small premium for a mom-n-pop ISP who gives me a static IP and no PPP on my DSL. Basically, you get what you pay for. If you want to run your own, do it with a small ISP; if you can't afford the $50 or so a month, talk to work and see what they can do for you or band together with some friends who can chip in for that small ISP connection or for a colo'd server.

      Just my two cents though, if y
  • by reaper20 ( 23396 ) on Friday November 14, 2003 @03:51PM (#7476105) Homepage
    ... and then use a smarthost (another box that sends mail on your behalf) to send the mail for you. I haven't heard of anyone blocking SMTP-SSL.

    This sucks because you need a box outside your network to do this .... but if you got a few buddies with your own mailservers you can chip in on one on a host somewhere, or find a trustworthy friend that will let you relay.

    Not the perfect solution but you at least get _some_ semblance of control.
    • that ends up being the same as using an off-isp box to do the sending.

      one thing is to perhaps use a web mail system (like yahoo) and create 'fake' web clients to 'click' on fields and buttons for you and send the email off that way. I also use a nice prog called fetchmailyahoo which polls yahoo (from my home bsd box) and downloads mail coming to my yahoo web account. works well. and I use yahoo filtering to keep those pesky 'microsoft security update' spams on THEIR system and it never touches my home ds
    • If you're going to have someone offsite helping you, you could keep using SMTP, put it on a non standard port, and have your friend proxy your smtp packets. For *nix-ish systems it's easy. On Windows boxen, Portmapper [analogx.com] is what I used to play a MUD using 443 on the machines at work.
  • Change ISPs (Score:5, Insightful)

    by sweetooth ( 21075 ) on Friday November 14, 2003 @03:54PM (#7476135) Homepage
    and be sure to let them know exactly why you are leaving when you cancel your account.
    • Re:Change ISPs (Score:3, Informative)

      by GuyMannDude ( 574364 )

      Hopefully this ISP isn't the only cable provider in town. Sure, he can switch to DSL. But why should he have to change his method of receiving internet traffic?

      Also, I'm sure the people who drop this ISP because of the SMTP problem is insignificant to the users that don't give a crap. The days of "The Customer is Always Right" are long gone. I'm constantly amazed that people still seem to think that a single irate letter is gonna change anything. It takes a loud cry from many people to get these letha

      • Also, I'm sure the people who drop this ISP because of the SMTP problem is insignificant to the users that don't give a crap. The days of "The Customer is Always Right" are long gone. I'm constantly amazed that people still seem to think that a single irate letter is gonna change anything. It takes a loud cry from many people to get these lethargic corporations to see the error of their ways (or at least get off their butts and do something).

        Ah, but it takes many single irate letters to create the loud cry
      • The days of "The Customer is Always Right" are long gone. Only these days only existed for retail chains. It has never been the mentality of utilities/service providers.
    • Some of us don't have a cable or dsl choice. At 40,000 feet to the CO, cable is the only choice, and my cable ISP has a not-tightly-enforced 'no servers of any kind' policy. Seems stupidly written, because responding to a ping could be taken to be a server. I've never asked about gaming. It's the 'of any kind' that rankles me. Though as I said, they don't enforce it, and I've had no trouble with SSH and IMAPS. I've also got point-to-point firewall rules so the ports aren't generally visible.

      But to see thei
      • But to see their point for a moment, an open SMTP relay is a DISASTER, and how do they know you're competent to run an SMTP server?
        Simple: they would try to relay mail through it. If they can, they shut you off; if they can't, they leave you alone.
  • easy (Score:3, Interesting)

    by Apreche ( 239272 ) on Friday November 14, 2003 @03:55PM (#7476140) Homepage Journal
    First set your smtp server on a different port.

    Second find a machine with net access outside of your isp.

    Third make an ssh tunnel from that machine to your machine.

    That should work perfectly. But nothing is guaranteed.
    • No need for an ssh tunnel, just have another machine accept the mail and deliver it to yours on another port. Very simple to do in qmail, probably almost as easy in sendmail and other MTAs. This has the advantage of queueing your mail on the other server whenever yours is down, which won't happen with just a tunnel.
  • by Tor ( 2685 ) on Friday November 14, 2003 @03:55PM (#7476145) Homepage
    The ISP is trying to prevent your host from being an open SMTP relay, by shutting down inbound port 25.

    Although this helps a little bit in the fight against spam, the effect is not as large as your ISP thinks. Spammer/cracker gangs nowadays use viruses to infect zombie hosts (virii typically use ports 80 to infect IIS, or ports 135-139 to infect the CIFS filesharing). Once on your machine, these virii can easily send out spam on outbound port 25, no matter if your ISP blocks the inbound port or not.

    Explain this to them, maybe they'll reconsider...
    (Yeah,right).
  • My experiences (Score:2, Interesting)

    by bpalmer ( 568917 )
    I used to use noip.com for DNS stuff. They have a mail reflector service that'll accept mail on their mailserver at port 25 and forward to your mailserver on a non-standard port. It worked okay for me, but the problem arose that cable/dsl residential IPs are listed in many of the spam blacklists. So I ended up with some ISPs I could not send mail to. Ended up upgrading to a small office commercial connection. My servers don't violate the acceptable use policy anymore, I can host anything I want (within
  • Something like this [changeip.com].

    Works well as a backup in case your isp goes down too.

  • by Linux_ho ( 205887 ) on Friday November 14, 2003 @04:11PM (#7476261) Homepage
    RMX [danisch.de], a new DNS record type which lists authorized senders for a particular domain, would have a huge impact in blocking mail with a spoofed sender address. Of course, then spammers could still register their own domains to send from, but those could also be easily blocked, and it would be easier to find the spammers who registered the domain.

    I think this has a lot of potential, unlike the other bazillion idiotic non-solutions that have been proposed, like X-mulct headers [subsume.com], for example.
  • by raj2569 ( 211951 ) <raj.linuxense@com> on Friday November 14, 2003 @04:14PM (#7476293) Homepage
    I work for a major cable ISP here and we are also having problems with spamming trojans. I have blocked all known proxy ports from outside, and things were a bit quiet for some time, but for the past 2 - 3 months lots of spam is going out of our network. To solve it we do not want to block the customer's outgoing smtp completely, but now we are thinking of putting temp blocks on customers whose outgoing smtp traffic exceeds a certain limit.

    These spammer bastards are making our life hell :(

    raj
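
The temporary block raj describes, as an added example (not from the original comment or any ISP's tooling): a sliding-window count of outbound port-25 connections per customer, with a timed block once the limit is exceeded. The record format, the limit, window and block duration, and the sample flows are all assumptions constructed for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

SMTP_PORT = 25

# Constructed sample flow records: "timestamp src_ip dst_ip dst_port".
# All addresses are documentation ranges (RFC 5737), not real customers.
SAMPLE_FLOWS = """\
2003-11-14T16:00:00 192.0.2.10 198.51.100.5 25
2003-11-14T16:00:01 192.0.2.77 203.0.113.1 25
2003-11-14T16:00:02 192.0.2.77 203.0.113.2 25
2003-11-14T16:00:03 192.0.2.77 203.0.113.3 25
2003-11-14T16:00:04 192.0.2.77 203.0.113.4 25
2003-11-14T16:00:05 192.0.2.77 203.0.113.5 25
2003-11-14T16:00:06 192.0.2.77 203.0.113.6 25
2003-11-14T16:00:07 192.0.2.77 203.0.113.7 25
2003-11-14T16:00:08 192.0.2.77 203.0.113.8 25
2003-11-14T16:00:30 192.0.2.31 198.51.100.80 80
2003-11-14T16:05:00 192.0.2.10 198.51.100.5 25
2003-11-14T16:09:59 192.0.2.77 203.0.113.9 25
2003-11-14T16:10:00 192.0.2.10 198.51.100.5 25
2003-11-14T16:10:30 192.0.2.77 203.0.113.10 25
"""


def parse_flow(line):
    """Parse 'timestamp src dst dport' into (datetime, src, dst, port)."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def temp_blocks(lines, limit=5, window=timedelta(seconds=60),
                block_for=timedelta(minutes=10)):
    """Return a list of (src, block_start, block_end, dropped) tuples.

    Records must be in time order. A customer is blocked when more than
    `limit` outbound port-25 connections fall inside one `window`.
    Connections attempted while the block is active are counted as
    dropped and do not extend the block.
    """
    recent = defaultdict(deque)   # src -> timestamps still inside the window
    active = {}                   # src -> index of its current block
    blocks = []                   # [src, start, end, dropped]
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, _dst, port = parse_flow(line)
        if port != SMTP_PORT:
            continue              # only outbound SMTP is rate-limited
        if src in active:
            block = blocks[active[src]]
            if ts < block[2]:
                block[3] += 1     # still blocked: count and drop
                continue
            del active[src]       # block expired, customer starts fresh
        seen = recent[src]
        seen.append(ts)
        while seen and ts - seen[0] > window:
            seen.popleft()
        if len(seen) > limit:
            blocks.append([src, ts, ts + block_for, 0])
            active[src] = len(blocks) - 1
            seen.clear()
    return [tuple(b) for b in blocks]


if __name__ == "__main__":
    for src, start, end, dropped in temp_blocks(SAMPLE_FLOWS.splitlines()):
        print(f"{src} blocked {start:%H:%M:%S}-{end:%H:%M:%S}, "
              f"{dropped} connections dropped")
```

The customer sending one message every five minutes never reaches the limit, while the burst from 192.0.2.77 triggers a single ten-minute block that lifts on its own.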
    • What we did... (Score:3, Informative)

      by schon ( 31600 )
      I work for a major cable ISP here and we are also having problems with spamming trojans. To solve it we do not want to block the customer's outgoing smtp completely

      I work for a small ISP. We worked around this problem a little differently..

      Instead of blocking outbound SMTP, we opted to transparently proxy outbound SMTP sessions to our mail server.

      The mail server does connection-rate throttling, and if the load on the server exceeds 'normal', the on-duty admin gets paged, so he can check the mail queue
      • > > I work for a major cable ISP here and we are also having problems with spamming trojans. To solve it we do not want to block the customer's outgoing smtp completely
        >
        >Instead of blocking outbound SMTP, we opted to transparently proxy outbound SMTP sessions to our mail server.

        If more residential broadband ISPs did the kinds of things you're doing 18 months ago, I wouldn't have had to block all inbound port 25 traffic from 200.0.0.0/7, 12.0.0.0/8, 24.0.0.0/8, and the various

      • Instead of blocking outbound SMTP, we opted to transparently proxy outbound SMTP sessions to our mail server.

        That is a HORRIBLE solution. I would not use an ISP that hijacked my traffic. It is much better to block outgoing traffic on TCP port 25 so that users know it is blocked and can find a different solution, such as relaying mail through your server.
        • I'd give him the benefit of the doubt and hope that "transparently" proxy means "we really didn't change a single thing, we just sent the traffic through here so we could do the throttling and queue it, and that was it"

          Perhaps that's a security problem, but then, SMTP over SSL would solve it, so what's the problem? On the face of it, this does seem like a really good solution
          • Perhaps that's a security problem

            The problem is that the ISP is hijacking a customer's traffic. If you want to block certain packets, fine. Don't alter them.
        • That is a HORRIBLE solution.

          Care to explain why?

          I would not use an ISP that hijacked my traffic.

          We're not "hijacking" anything - the mail ends up going exactly where it's supposed to be going.

          What does it matter if the mail is relayed through SMTP server A or SMTP server B? As long as it reaches its destination, there is no problem.

          It is much better to block outgoing traffic on TCP port 25 so that users know it is blocked

          If you read the responses here, you'll find that most people disagree with
          • We're not "hijacking" anything - the mail ends up going exactly where it's supposed to be going.

            You're hijacking my traffic. If I initiate a TCP connection to a remote host, I expect it to connect to the remote host, not somewhere that my ISP chooses for me.

            As long as it reaches its destination, there is no problem.

            What if the remote host is currently down? The mail then sits in your mail queue, even though I was told it was delivered to what I thought was the correct destination.

            What if your mail s
    • I wouldn't mind some INTELLIGENT blocking.

      sniff the data. if you see M$ this and M$ that and stuff that looks and smells like your system was hijacked, block that farker for sure! and tell him why so he can reinstall winblows.

      but if it's NORMAL user traffic, no way should he be blocked.
  • They block tcp ports for their benefit. Normally ISP would offer business plans which have not much difference from domestic plan except for fixed IP(s), guaranteed uptime and fewer restrictions on use.

    E.g. My ISP is so flexible that it has incremental business plans for opening each smtp, http, ftp, etc. ports for a fee. The most expensive of all is unrestricted tcp services, which are normally needed by medium-to-large companies.

    You might find the strategy being unfair to domestic users, but they've to d
  • by Descartes ( 124922 ) on Friday November 14, 2003 @04:15PM (#7476304) Homepage
    My ISP is pretty friendly to people running their own servers. Maybe you should just send them a friendly letter explaining your problem. Then they can keep track of you so that they know you aren't sending spam. If they can't open the port just for you, maybe they could set up some port forwarding, or even the SSH tunneling that other people have suggested.
    • Maybe you should just send them a friendly letter explaining your problem.

      Be sure to check your terms of service first. You don't want to call them and tell them that you are running a server that is against their TOS and get your account canned. More and more ISPs are getting draconian about this sort of thing and won't even blink at canning your account for running a "rogue server". Don't get yourself into trouble. Lots of these companies aren't here to help you - they just want your money.

      Of course,

    • "Maybe you should just send them a friendly letter explaining your problem."

      Or perhaps call them up and sing "I want my.... I want my.... I want my SMTP"
  • Keep in mind that if you want to pay commodity prices for a service, you are going to get a service that has been sanitized and developed for the masses. What you're asking is essentially the same as "How can I get WinXP-home to work as a good server?".

    If you want to connect to outside SMTP servers, you'll either have to go with a smaller ISP that doesn't have paranoid, 'we're not going to be the front for spam' policies in place (and make a sacrifice, be it limited dialing area, higher prices, or whatever)
    • > Keep in mind that if you want to pay commodity prices for a service, you are going to get a service that has been sanitized and developed for the masses. What you're asking is essentially the same as "How can I get WinXP-home to work as a good server?".

      "Easy! Just plug it into a DSL or cablemodem without patching it or using a firewall! Guaranteed your XP Home Edition machine will be transformed into a high-volume SMTP engine in 15 minutes or less!"

  • Last I checked, Speakeasy allows transactions over port 25, as long as you're not running dialup or anything with dynamic IP. The rationale is that if you're running a DSL on their name, you're making a hefty investment; OTOH, just about anybody can get a throw-away dialup account, so blocking port 25 on a dialup is just something with the territory.

    Besides, if you have dynamic IP on your box, you probably shouldn't be running an SMTP server to begin with.

    • Besides, if you have dynamic IP on your box, you probably shouldn't be running an SMTP server to begin with.

      Why not? I have a dynamic IP, although since I rarely reconnect, my IP often stays the same for months. I have a script that simply updates my MX records whenever my IP changes, essentially making sure people can send me emails without interruption.

      And running my own SMTP server has helped me reduce the amount of spam I get. When I give out my email addy, I leave in a reference to the site. Eg me@e
  • I have a colocated server. When my ISP (Cox) did this, I couldn't connect to port 25, but I didn't want to set my laptop to go to Cox's server (which won't work when I'm not at Cox.) What I finally did was setup my mail server to run on port 1025 as well as port 25, and pointed my mail program to that. It would be fairly trivial to do a similar setup in sendmail.
  • For receiving mail, I understand the need to have a dedicated server, but I have always wondered why it is considered standard and okay to send outgoing mail through a separate server. It doesn't make sense to me at all- why do e-mail programs not just connect directly to the servers they are trying to send mail to?
    (this is just ignorance, I'm actually wondering why)
    • why do e-mail programs not just connect directly to the servers they are trying to send mail to?

      Because the receiving mail server may not be up, or the link may be slow.

      If you're sending a large attachment, for example, it makes more sense to send it to your local mailserver (to which you have a fast, stable connection), and let it deal with timeouts or whatever..

      Would you want to keep your mail program open for hours or days when you didn't have to?
    • why do e-mail programs not just connect directly to the servers they are trying to send mail to?

      This goes back to when the internet was young and sparse. Since clients didn't always have reliable connections and servers went down a little more often, it seemed logical to hand your message to a server and let it try to connect to a possibly unavailable server repeatedly than for you to sit and wait for the receiving server to come back online after an outage hitting "send" over and over again. Especially

    • I've wondered about that too. The only reason I can come up with is that your smtp server will defer delivery when the receiving smtp is offline. Maybe sendmail crashed a lot in the good ol' days?
    • Most of the responders have hit on the major points, but I'll add a few.

      A properly implemented SMTP server for outbound mail is nontrivial. There are zillions of different cases you have to be ready to deal with: the destination host is unreachable, temporarily unavailable, etc. To do this properly your mail program would have to be always running so that it could manage the outbound queue. Not to mention that I would be willing to bet that the people that write email applications have neither the skill
    • because the server you're sending to may not be accepting connections at the time you want to send a mail. The sending MTA will take it, take care of it, and make repeated efforts to deliver it. If your mailer had to do that, it'd have to have full time internet connectivity for one thing.
  • It's unclear to me what exactly you're trying to do. I run Mydomain, and forward my accounts from there to a pop server. My computer then goes to the pop server and downloads the mail. A perl script then looks at the "for" in the first "Received" header, and forwards the message to sendmail. This is good enough for me, because I don't use the incoming IP address information. If you do, you might have to adjust your scripts accordingly.

    • Re: (Score:2, Insightful)

      Comment removed based on user account deletion
      • I'd find anything other than direct control over my SMTP server difficult as I use it as part of an anti-spam procedure that's one of the few that's absolutely fool proof (ie no false positives, no permanent false negatives) - my journal explains what I'm doing.

        I thought I would have the same problem, but I don't. All the information the SMTP server gets is right there in the header files. You just reinsert the email into your SMTP server, and it can't tell the difference.

  • Once a month or so, I get a message from the mail server "Delivery unsuccessful: Unknown recipient 'relaytest%security.rr.com'". If they find an open relay, then they'll do something about it; otherwise, I'm free to run my mail server.
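
What a probe like the one in the bounce above exercises, as an added example (not part of the original comment, and not the ISP's actual test): a RCPT TO policy that refuses to relay for outside clients, including recipients whose local part embeds another host, as `relaytest%security.rr.com` does. `LOCAL_DOMAINS`, `TRUSTED_NETS`, the probe list and every address other than that one are assumptions constructed for the illustration.

```python
import ipaddress

# Hypothetical site settings for this example.
LOCAL_DOMAINS = {"example.org"}                    # domains delivered locally
TRUSTED_NETS = [ipaddress.ip_network("127.0.0.0/8"),
                ipaddress.ip_network("192.168.0.0/16")]   # home LAN


def split_rcpt(rcpt):
    """Return (local_part, domain) of a RCPT TO path; domain is lower-cased."""
    path = rcpt.strip()
    if path.startswith("<") and path.endswith(">"):
        path = path[1:-1]
    # Explicit source route "@hop1,@hop2:user@domain": the route is ignored
    # and only the final mailbox is considered.
    if path.startswith("@") and ":" in path:
        path = path.split(":", 1)[1]
    local, sep, domain = path.rpartition("@")
    if not sep:
        return path, ""            # bare local part, no domain given
    return local, domain.lower()


def names_other_host(local):
    """True if the local part smuggles routing: user%host, host!user, "u@h"."""
    return any(ch in local.strip('"') for ch in "%!@")


def rcpt_decision(client_ip, rcpt, authenticated=False):
    """Return the (code, text) reply this policy gives to RCPT TO."""
    ip = ipaddress.ip_address(client_ip)
    trusted = authenticated or any(ip in net for net in TRUSTED_NETS)
    local, domain = split_rcpt(rcpt)
    if domain in LOCAL_DOMAINS or domain == "":
        if names_other_host(local):
            return 550, "unknown recipient (embedded routing not honoured)"
        return 250, "ok"           # mailbox lookup itself is not modelled
    if trusted:
        return 250, "ok (relay for trusted client)"
    return 550, "relaying denied"


def naive_decision(client_ip, rcpt, authenticated=False):
    """Weak variant for comparison: looks only at the text after the last @."""
    _local, domain = split_rcpt(rcpt)
    if domain in LOCAL_DOMAINS or domain == "":
        return 250, "ok"
    return rcpt_decision(client_ip, rcpt, authenticated)


# Constructed probe recipients, all submitted from an outside address.
PROBES = [
    ("plain external",    "<relaytest@example.net>"),
    ("percent hack",      "<relaytest%security.rr.com@example.org>"),
    ("bare percent hack", "<relaytest%security.rr.com>"),
    ("bang path",         "<example.net!relaytest@example.org>"),
    ("source route",      "<@example.org:relaytest@example.net>"),
    ("quoted @",          '<"relaytest@example.net"@example.org>'),
]


def relay_findings(decide, outside_ip="203.0.113.50"):
    """Labels of probes the policy accepts at RCPT time from an outsider."""
    return [label for label, rcpt in PROBES
            if decide(outside_ip, rcpt)[0] < 300]


if __name__ == "__main__":
    print("strict policy accepts:", relay_findings(rcpt_decision))
    print("naive policy accepts: ", relay_findings(naive_decision))
```

Acceptance at RCPT time is only a finding to follow up: whether the naive policy actually forwards such mail depends on whether the MTA rewrites the local part into a new destination.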
  • I've got 6 small volume mailing lists in my domain. I first ran into the problem where some ISPs were ignoring mail from my server on a cable modem, so I routed all outgoing email to my ISP's SMTP server.

    Then I ran into the problem where my email address, short and begins with 'a', was a popular choice for the last round of viruses. I eventually had to block about 40 DSL and cable modems at my firewall.

    Then my traffic was over 99% dropped packets, effectively denying service.

    I finally gave up and hosted my e

  • You say that "I need to be able to send Email to other SMTP servers, besides theirs, for a number of legitimate reasons."[1] If it's not too personal, would you care to mention what those reasons are? I don't mean to troll, I just really fail to understand why anyone can't use their server as a SMTP relay. Why do you think that your mail will be marked as spam if you use it? As long as the relay is not open for everyone to use, then you're safe. Please tell me you're not so stupid as to think relay==open re
  • Blocked SMTP (Score:2, Informative)

    by trav3l3r ( 666370 )
    Here is how I run a mail server out of my home with port 25 blocked. For incoming mail: My domain will forward any number of e-mail addresses. I have different addresses forwarded to either my cox.net address, hotpop.com, or any of a number of other free POP3 services. On my server, I have an application (free) called poproute that runs every 10 minutes and queries all the pop3 accounts and then sends the mail directly to my internal SMTP server. All the mail goes to the proper internal mailboxes. Thi
  • Use a mail forwarder (Score:2, Informative)

    by Morgon ( 27979 )
    I had this happen to me, too, and I use Dynu [dynu.com] as my MX, and you can set it to auto-forward my mail from there, to a non-standard port on your host (which for me, the first stop is my firewall, so I have my 'non-standard port' port-forwarded to 25 on my mail machine).

    It's not free, unfortunately, ($20 a year I think), but the nice thing is that they'll store 100 MB of email if for some reason they can't deliver it to your host - and since my mail is all done off of my cable, and I live in a weird area (My p
  • Since your ISP blocked your mail gateway, ask them to smart-host you.
  • I need to be able to send Email to other SMTP servers, besides theirs, for a number of legitimate reasons

    Enumerate these reasons. I, personally, can't think of many reasons where a residential user needs 25 outbound, when using the network mailservers as a smarthost will work fine.

    • <Paranoia>
      Well, using the ISP as smarthost will mean that their mailspool will contain any email you send out. Not using the ISP as smarthost will make it harder (but not impossible) for the ISP to track your emails.
      </Paranoia>
      • <Paranoia>
        Using the ISP period means that they can snoop each and every packet you send out. Not a lot of difference between checking the mail logs and checking the Ethereal logs.
        </Paranoia>

        The simple fact of the matter is, this guy probably doesn't need to connect on port 25 outbound.
      • Well, using the ISP as smarthost will mean that their mailspool will contain any email you send out.

        If you're really that paranoid, I suggest you encrypt your mail at the source.

        If you don't think you can trust your ISP to keep your spooled mail private, then what makes you think they can be trusted to not packet-sniff your direct connections?

        And once you're encrypting your mail, it won't matter if your ISP has it spooled or not.

        • Who's to say it's not really happening [echelonwatch.org]?
          I'm indifferent to it, and was just offering a possible explanation for the OP not wanting to use the ISP's mail server as smarthost.
          • Who's to say it's not really happening?

            You miss my point.

            I'm not saying that ISPs can be trusted with your privacy. I personally believe that they can't be. And I'm certain that government routinely snoops on all kinds of communication, whether they're officially allowed to or not. But this has no impact on whether or not you should be relaying your outbound mail through an ISP server. It's just as easy to transparently proxy-and-store packets that are being sent "directly" to a remote host.

            Witho

    • I'm sorry but his reasons are besides the point. What has really happened here is that spammers and ISP stupidity have fucked up the Internet to the point where running a common TCP/IP service on one's computer (the smtp server, in this case) has to be justified to some guy on Slashdot. That's bullshit.
      • umm... receiving mail on port 25, is not what needs to be justified; sending mail to port 25 is what needs to be justified.

        The reason it needs to be justified is that there are legitimate reasons to disallow his connections (spammers), and he has a reasonable solution (use upstream smtp server as a smart host)
      • It has to be justified to some guy on Slashdot because it was asked to some guy at slashdot.

        And you're right; a few have ruined it for everybody. Nevertheless, this fellow has a common problem; he doesn't ask for the right answer. He's looking to find out how to implement a specific solution; he's not asking what solution he should be implementing.

        I liken it to 'what's the most efficient way I can shovel the snow out of my driveway with this large teaspoon?' while talking to the guy in charge of snow b

    • You're assuming that the ISP knows how to run their mail servers, and has adequate equipment provisioned for them. Bad assumption.

      Just wait until your ISP starts randomly dropping messages, or leaves them sitting in the queue for hours.

      • That's a quality of service problem, and is addressed separately.

        • It's a perfectly legitimate reason to avoid the ISP's broken mail servers.
          • No, it isn't.

            If the mail server is broken, get them fixed, or switch ISPs.

            If you're on a residential account with restrictions such as 'no servers,' but they say 'we'll not enforce those restrictions unless we have to,' then don't whine when they start enforcing them.

            There are services out there where it would never even occur to the company to consider even thinking about blocking off a port; pony up and go for it.

  • It sounds like the original poster's ISP is blocking inbound traffic to port 25 on his own server -- that's why he raised the question of SMTP on a different port (which, by the way, is mostly useless).

    The updated article, with the bit about Charter blocking direct outbound SMTP connections, should not be much of a problem for the casual home user - even those that wish to run their own inbound SMTP server. Simply set the SMTP server up to use the designated smarthost.

    Moreover, many MTAs now reject incom
  • Many ISPs don't want home users to run servers or services that are not traditionally considered a part of the home internet experience. Some of the restrictions in the AUPs can get pretty ugly. Here are a couple of examples:
    • Some don't let you run tunnels to telecommute and run office applications remotely.
    • Most don't let you run public servers like web, email, ftp, etc.

    There are a couple of justifications for this. Some are probably more realistic than others.

    • They want to sell you a more expensive business account
    • They want to prune out the high-volume users that burn a lot of bandwidth
    • They want to avoid the DMCA requests for takedowns and other legal (both real and imagined) stuff.
    • They are really trying to reduce spam
    • They assume they know more about what you need than you do

    My cable-modem ISP (Cox) blocks outbound 25. This is only a minor issue to me because Cox's outbound mail servers are generally:

    • Reasonably reliable
    • Don't mind my sending mail using my domain names

    I receive mail with co-lo servers that are part of my business.

    The comment of not trusting outbound relaying because they might look at it is a bit misplaced. Looking at internet traffic is pretty easy for anyone with the desire and means to do so. If you send outbound SMTP on your cable modem, your ISP can look at the packets if they have the desire to do so (and I doubt that this breaks any laws). It does not really matter if they relay the traffic or not. They have physical access to the network, so they can sniff either way. On the other hand, they are pretty unlikely to do so unless they are asked by some governmental agency. Basically, sniffing such large amounts of data is uninteresting to them, so why would they bother. If you are worried about eavesdropping on email, encrypt.

    In your case, I suspect that the blocks have two reasons:

    Inbound blocks to 25 are just an enforcement of a no-servers rule. I suspect that there are also blocks on 80 and perhaps a bunch of others. In all fairness, I would hate to run a mail server in-house on a cable modem. Mail is just too important to me, and I don't trust my in-house systems to be up 24x7. That is what co-lo is for.

    Outbound blocks to 25 are an attempt to slow down spam. Specifically, they prevent hacked home systems from becoming SMTP relays. In general, this is probably a good thing and most users with hacked boxes never know the damage they are doing.

    Your only real solutions that you have are:

    • Convince your ISP to open the ports up. They probably won't do this.
    • Use your ISP's mail server and pull messages from it with POP/IMAP or similar
    • Switch ISPs, perhaps to a business-type account with static IPs and no filtering
    • Use an outside mail server that does not have these restrictions.

    None of these are 100% free or pretty, but the bottom line is that you are using your cable-modem line in a manner that doesn't fit your provider's pre-conceived image of the type of user they have/want.

    On the other hand, the solutions above are not necessarily that expensive either. You can get email hosting with adequate access for <$10/mo, co-lo virtual servers for <$15/mo, and full dedicated co-lo servers for <$100/mo.

  • Exactly the opposite (Score:3, Informative)

    by lizrd ( 69275 ) <(adam) (at) (bump.us)> on Friday November 14, 2003 @05:43PM (#7477016) Homepage
    They do provide a relay, but won't my messages get labelled as SPAM if I use that?
    Exactly the opposite actually. Sending mail from a cablemodem IP range is very likely to get your e-mail rejected as SPAM. Sending it through your ISP's relay will clean up that problem for you.
    • Here is what happened to me on Comcast, which does not block port 25.

      I had configured Sendmail for the direct sending of e-mail (with receiving accomplished via POP3 with Fetchmail). All was good until the first time I tried to send an e-mail to someone at AOL. The e-mail bounced back to me, as the originating IP address was from Comcast's block of dynamically assigned IPs. So I reconfigured Sendmail to use Comcast's SMTP server as a smarthost and everything was cool. Then I tried to e-mail a company that
      • if you're gonna tunnel through ssh, you might as well use standard ports for pop/smtp... you could also use ssl instead, since that's way more likely to be supported by your email client
  • Consider looking at www.dyndns.org's Mailhop package where they are the MX server of record (with port 25 open) for all your mail and then they redirect all your email traffic to your non-standard port, say 2525.

    Then use a NAT/IP-Masquerading/firewall setup on your box (iptables) to redirect port 2525 to port 25 for any incoming smtp traffic.

    This method has the benefit of having two available ports for smtp. Port 25 for everyone behind the NAT/IP-Masquerading/firewall box and Port 2525 for all those on
  • Pick up the latest 2600 (Fall 2003) from Barnes & Noble or online. There's an entire article on how to get around your ISP's port-blocking stupidity.

  • I'm a sysadmin for a large ISP, and let me tell you, the benefits of blocking inbound & outbound SMTP for residential customers are a godsend. We implemented outbound SMTP restrictions more than a year ago, and more recently also added inbound SMTP. Since a great number of the viruses/worms out that spam (either regular spam or to replicate itself) use their own SMTP engines, this stops them dead in their tracks, since they can't mail out (unless they go out another port). I really wish other ISPs wou
    • You know, rather than blocking all IP's owned by ComCast, you could filter your mails via the RBL at dynablock.easynet.dl. This lists dynamic IP ranges given out by the likes of Comcast for residential customers. Indeed, ComCast & other ISPs are the ones contributing these address ranges to the maintainers of that RBL.

      -tor
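The RBL check suggested in the comment above, as an added example that is not part of the thread: a DNSBL is queried by reversing the client's IPv4 octets and resolving the result under the list's zone. The zone name is copied as the commenter wrote it; the function names, the three-way listed/clean/unknown policy and the sample resolver data are assumptions made for illustration.

```python
import ipaddress
import socket

ZONE = "dynablock.easynet.dl"  # zone name exactly as written in the comment
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")
_NOT_FOUND = {socket.EAI_NONAME, getattr(socket, "EAI_NODATA", socket.EAI_NONAME)}

def query_name(client_ip, zone=ZONE):
    """Build the DNSBL query name: IPv4 octets reversed, then the zone."""
    addr = ipaddress.IPv4Address(client_ip)  # raises ValueError on bad input
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def lookup(client_ip, zone=ZONE, resolve=socket.gethostbyname):
    """Return 'listed', 'clean' or 'unknown' for the connecting client IP."""
    try:
        answer = ipaddress.IPv4Address(resolve(query_name(client_ip, zone)))
    except socket.gaierror as exc:
        # NXDOMAIN means "not listed"; a timeout or SERVFAIL says nothing.
        return "clean" if exc.errno in _NOT_FOUND else "unknown"
    # By convention (RFC 5782) listings answer inside 127.0.0.0/8. Any other
    # address usually means a dead, parked or wildcarded zone: not a hit.
    return "listed" if answer in LISTED_NET else "unknown"

def smtp_decision(client_ip, resolve=socket.gethostbyname):
    """Map the lookup result to an MTA action; fail open on 'unknown'."""
    actions = {"listed": "550 reject", "clean": "accept",
               "unknown": "accept (DNSBL unavailable)"}
    return actions[lookup(client_ip, resolve=resolve)]

# Constructed sample data so the example runs offline (not real listings).
_SAMPLE = {
    "10.2.0.192." + ZONE: "127.0.0.2",      # 192.0.2.10: listed
    "20.100.51.198." + ZONE: "203.0.113.5",  # 198.51.100.20: wildcard answer
}

def sample_resolver(name):
    """Stand-in for socket.gethostbyname backed by the constructed table."""
    if name.startswith("30."):               # simulate a resolver timeout
        raise socket.gaierror(socket.EAI_AGAIN, "temporary failure")
    if name in _SAMPLE:
        return _SAMPLE[name]
    raise socket.gaierror(socket.EAI_NONAME, "name not known")
```

Treating a non-127.0.0.0/8 answer as "unknown" matters when a list shuts down or its domain lapses: a wildcarded zone would otherwise mark every sender as listed.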
    • Except that your customers pay for _connectivity_, you fucking asshole.
      • Yeah, and your point? For 99.9% of RESIDENTIAL customers, this doesn't affect them in the least.

        Viruses/worms cause networks and servers to slow down to a crawl, affecting everybody. Without such blocks in place, everyone gets affected. With the blocks in place, only a handful of users are affected. So we are assuring connectivity FOR EVERYONE. And I'm not even mentioning the "no server" clause of the AUP. The only reason a port 25 block would affect you is if you are running a mail server, which is agai
  • # "Smart" relay host (may be null)
    DSsmtp.maxnet.co.nz

    I still run my own server, I can set up whatever filtering I want, other machines on my network never have to be reconfigured, but now all my mail is immediately forwarded through my ISP's mail server instead of being delivered directly.

    BTW; My ISP doesn't block port 25 but many other ISPs won't accept mail from dialup and ADSL connections. I got sick of the bounces.
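For the worry raised in the question about an unencrypted relay, here is an added example (not from the thread) of a client that relays through a smarthost only after TLS and authentication are in place. It assumes the relay offers the mail submission port 587 with STARTTLS and AUTH; the host name, account and the FakeRelay stand-in are constructed placeholders.

```python
import smtplib
import ssl
from email.message import EmailMessage

def build_message(sender, recipient, subject, body):
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, subject
    msg.set_content(body)
    return msg

def send_via_smarthost(msg, host, user, password, port=587,
                       smtp_factory=smtplib.SMTP):
    """Relay msg through an authenticated smarthost, refusing cleartext."""
    context = ssl.create_default_context()  # verifies certificate and host name
    with smtp_factory(host, port, timeout=30) as smtp:
        smtp.ehlo()
        # If STARTTLS is missing (or stripped on the path), stop here rather
        # than fall back to sending credentials and mail in the clear.
        if not smtp.has_extn("starttls"):
            raise RuntimeError("relay offers no STARTTLS; refusing to send")
        smtp.starttls(context=context)
        smtp.ehlo()  # capabilities must be re-read inside the TLS session
        if not smtp.has_extn("auth"):
            raise RuntimeError("relay offers no AUTH after TLS")
        smtp.login(user, password)
        return smtp.send_message(msg)  # dict of refused recipients, {} if none

class FakeRelay:
    """Constructed stand-in for smtplib.SMTP so the example runs offline."""
    def __init__(self, host, port, timeout=None, extensions=("starttls", "auth")):
        self.extensions, self.log = set(extensions), []
    def __enter__(self):
        return self
    def __exit__(self, *exc):
        return False
    def ehlo(self):
        self.log.append("EHLO")
    def has_extn(self, name):
        return name.lower() in self.extensions
    def starttls(self, context=None):
        self.log.append("STARTTLS")
    def login(self, user, password):
        self.log.append("AUTH")
    def send_message(self, msg):
        self.log.append("DATA")
        return {}
```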

  • but check out: MailHop [dyndns.org] from DynDns. They'll "proxy" your domain at port 25 and forward it to your real IP at a non-standard port.
  • by Isomer ( 48061 )
    For sending mail you can use IPv6, most ISPs have no idea what IPv6 is and ignore it (and pass it through). If you use IPv6 address mapped IPv4 addresses (ie: ::FFFF:1.2.3.4) to send mail, then it will be routed out via IPv6, then someone running an IPv6 to IPv4 relay host will convert it for you back to IPv4 to talk to the remote host.

    Alternatively, use IPv6 to a host you control outside your ISP that can use SMTP AUTH to let you relay. Or use IPsec to a host you control outside your ISP. Or better yet
  • There are really two separate cases being discussed here, so let's be clear:

    * ISP is blocking outbound port 25 traffic, except to their mail server ("smarthost" as it's known.) In this case, you cannot send mail directly. The solution is to relay through your ISP's smarthost. If you can configure one of the various forms of authentication then usually you can send as any email address, so you don't have to worry about your domain name not being the same as your ISP's. You can also use a third party's s
  • I posted a nearly identical question a while ago, when AOL (and others) started to reject SMTP connections from what they determined were dynamically assigned IP addresses. Take a look at the thread:

    http://ask.slashdot.org/article.pl?sid=03/04/19/2327248&mode=nested&tid=126

    I was hoping to find a "virtual" mail ISP which would allow me to relay my outgoing mail (preferably in an encrypted tunnel, but I'm not holding my breath). Instead, I ended up configuring postfix to relay only mail destined
  • My sister's college network has port 25 outbound blocked, so she can't use our family's hosted email. She can receive just fine, but she can't send via the SMTP server our host provides.

    Tried sending through the school's SMTP host with From & Reply-To set to her "hosted" address. Refused to relay.

    Our host set up an additional port, in the hopes that they just blocked the standard port. I can telnet from her machine to the host on that port, but MozMail can't make the connection.

    Then my VNC connection
