Comcast blocking port 25? (not what you think)

Bob Bell bbell at
Mon May 10 11:45:01 EDT 2004

On Mon, May 10, 2004 at 06:47:42AM -0400, Travis Roy <travis at> wrote:
>This isn't about Comcast blocking port 25 to prevent you from running a 
>Recently my parents (that use Comcast) can no longer connect to port 25 
>of my server.. one that is legit, has correct reverse and MX records.
>Has anybody else seen this?
>Can anybody suggest a workaround.

I ran into this when plugging my notebook computer into my parents' 
home network in Florida. They have cable modem service from Cox, 
I believe.  Anyway, Cox was blocking outbound connections to port 25 on 
anything other than Cox's SMTP servers.  Well, this being a notebook, 
I didn't want to have to require my wife (it's actually her notebook) to 
change the SMTP server whenever she traveled.  The mail server we were 
trying to access is a dedicated server that I run, and it uses SMTP 
authentication in order to allow access from any IP address.  Therefore, 
I was not concerned about security, but rather about generically working 
around outbound port 25 restrictions.

My initial reaction was to use a one-line iptables command to 
redirect port 2525 to port 25 on my mail server, and then to point my 
wife's notebook to port 2525.  This worked fine.  The command I used 
/sbin/iptables --table nat --append PREROUTING --jump REDIRECT --proto tcp --dport 2525 --to-ports 25

However, recently I was reading about SPF and discovered MSA.  Although 
MSA may optionally do more sophisticated things, in a limited format you 
can run a "normal" SMTP server implementing authentication on the MSA 
port (TCP port 587), and non-MSA aware programs like Outlook can use it 
as long as they implement SMTP authentication and can be redirected to 
a different port.  ISPs typically don't block port 587 because (1) MSA 
is new and they probably may not be aware of it, and (2) MSA requires 
authentication, which probably eliminates the reasons they may have for 
blocking outbound port 25.  To turn on MSA in sendmail, I simply 
commented out the "no_default_msa" in my file.  (Actually, 
for reasons unnecessary to get into here, I added the equivalent line "O 
DaemonPortOptions=Port=587, Name=MSA, M=E" to directly).

Bob Bell

More information about the gnhlug-discuss mailing list