Comcast blocking port 25? (not what you think)
bbell at hp.com
Mon May 10 11:45:01 EDT 2004
On Mon, May 10, 2004 at 06:47:42AM -0400, Travis Roy <travis at scootz.net> wrote:
>This isn't about Comcast blocking port 25 to prevent you from running a
>Recently my parents (that use Comcast) can no longer connect to port 25
>of my server.. one that is legit, has correct reverse and MX records.
>Has anybody else seen this?
>Can anybody suggest a workaround.
I ran into this when plugging my notebook computer into my parents'
home network in Florida. They have cable modem service from Cox,
I believe. Anyway, Cox was blocking outbound connections to port 25 on
anything other than Cox's SMTP servers. Well, this being a notebook,
I didn't want to have to require my wife (it's actually her notebook) to
change the SMTP server whenever she traveled. The mail server we were
trying to access is a dedicated server that I run, and it uses SMTP
authentication in order to allow access from any IP address. Therefore,
I was not concerned about security, but rather about generically working
around outbound port 25 restrictions.
My initial reaction was to use a one-line iptables command to
redirect port 2525 to port 25 on my mail server, and then to point my
wife's notebook to port 2525. This worked fine. The command I used
/sbin/iptables --table nat --append PREROUTING --jump REDIRECT --proto tcp --dport 2525 --to-ports 25
However, recently I was reading about SPF and discovered MSA. Although
MSA may optionally do more sophisticated things, in a limited format you
can run a "normal" SMTP server implementing authentication on the MSA
port (TCP port 587), and non-MSA aware programs like Outlook can use it
as long as they implement SMTP authentication and can be redirected to
a different port. ISPs typically don't block port 587 because (1) MSA
is new and they probably may not be aware of it, and (2) MSA requires
authentication, which probably eliminates the reasons they may have for
blocking outbound port 25. To turn on MSA in sendmail, I simply
commented out the "no_default_msa" in my sendmail.mc file. (Actually,
for reasons unnecessary to get into here, I added the equivalent line "O
DaemonPortOptions=Port=587, Name=MSA, M=E" to sendmail.cf directly).
More information about the gnhlug-discuss