Koozali.org: home of the SME Server

Using port 2525 for SMTP traffic

pwalter

Using port 2525 for SMTP traffic
« on: September 26, 2004, 01:35:21 AM »
I decided to request that my ISP upgrade my dynamic ip address to a static ip address, forking over more money. They complied; and then "enhanced" my service for me by blocking incoming email traffic (port 25). I am trying to figure out how to reconfigure SME 6.0.1 to receive mail on port 2525 instead, but searching the forum has only turned up vague references. Can anyone point me to a thread or a HOWTO?

Thanks,

Peter

meanpenguin

Using port 2525 for SMTP traffic
« Reply #1 on: September 26, 2004, 07:25:03 AM »
Sorry to tell you the bad news but it can't be done (without help from the outside).
All the email servers in the world deliver to port 25.

Only way is to use an external email server which will forward you the email on port 2525.

There are some services out there that will do this.

Ed

pwalter

Using port 2525 for SMTP traffic
« Reply #2 on: September 26, 2004, 08:28:43 AM »
Ed,

Yes, I understand that some of the work would have to be done from my registrar - they are backup spooling my email anyway. It is the weekend here, and their tech support is closed, so I will not be able to get them to make changes for a couple of days. However, I have gone ahead and made the following changes to my server:
a) downloaded and installed Muzo's sme-6.0-masq-manager-0.1-2.noarch.rpm as detailed in
http://no.longer.valid/mylinks/singlelink.php?cid=123&lid=372

b) opened TCP port 2525 in the installed server manager panel "Firewall Management"
c) copied template fragment /etc/e-smith/templates/etc/services/10standard to the templates-custom tree
d) edited the fragment to change the SMTP port to 2525
e) ran /sbin/e-smith/expand-template /etc/services
f) ran /sbin/e-smith/signal-event email-update
g) ran service smtpfront-qmail restart

I *think* qmail is now listening on port 2525 - at least, I can now *send* mail via that port. But, since I have never done this before, I am not sure that I have covered the bases sufficiently so that when my registrar forwards the port, I can receive mail again. Is there anything else I should be doing?

Peter

cc_skavenger

Using port 2525 for SMTP traffic
« Reply #3 on: September 26, 2004, 10:26:23 AM »
pwalter,
I'm confused.
Outbound mail goes out port 25 (smtp).
Incoming mail comes in on port 110 (pop).

Are you trying to change the port to send out mail?

pwalter

Using port 2525 for SMTP traffic
« Reply #4 on: September 26, 2004, 11:28:57 AM »
cc_skavenger,

The sequence of events as I have it:
1) my mail server is working fine for incoming mail. Outbound mail is routed by SME through Really Big ISP's mail server because my dynamic IP addresses are RBL'ed.
2) Being tired of pptp connection issues etc. to other servers, I apply for a static ip address so I can try IpSec VPN instead.
3) I get a static address. Incoming mail delivery stops. Outbound mail delivery continues. I call up the Really Big ISP to help diagnose why inbound mail has ceased. They tell me it is because they block port 25 connections to non-commercial static ip addresses, so other mail servers can no longer "talk" to mine. They explain that outbound mail continues because my mail server is routing mail through their mail server; which they have to allow because both commercial and non-commercial customers route through the same outbound server.
4) In desperation for a solution, other than doubling my DSL bill by becoming a commercial customer, I check the FAQ at my registrar. http://support.easydns.com/tutorials/Portforwarding/
It suggests redirecting the port. That is what I am attempting to set up.

AFAIK, port 110 is relevant when a *mail client* connects to a mail server for POP mail - the situation here is mailserver-to-mailserver issues. But I have been wrong before and might be wrong now. Perhaps there is someone out there who understands mail systems better than I do who would be willing to confirm whether I am on the right path or not.

Peter

pwalter

Using port 2525 for SMTP traffic
« Reply #5 on: September 26, 2004, 01:30:06 PM »
Well, I finally got it working, and am receiving mail again. However, it appears that there is a simpler way of reconfiguring SME to use an alternate SMTP port - one that does not require so much messing with configuration files. See the thread
http://forums.contribs.org/index.php?topic=5236.0
I am not sure it will work with 6.0.1 - but I will report back if it does or not.

Peter

meanpenguin

Using port 2525 for SMTP traffic
« Reply #6 on: September 27, 2004, 07:17:11 PM »
Quote from: "cc_skavenger"
pwalter,
I'm confused.
Outbound mail goes out port 25 (smtp).
Incoming mail comes in on port 110 (pop).

Are you trying to change the port to send out mail?


It's all relative....
It all depends on the point of reference

When a machine out in the internet is delivering mail to you (SME), it connects to your server (SME) on port 25.

When your client (i.e. Thunderbird or Outlook) wants to send email, it delivers by connecting to your mail server (SME) on port 25.

But from the SME's point of view, it is always receiving email.  And it receives on port 25 (SMTP)


Same thing applies to the POP just in reverse...

Thanks,
Edward

meanpenguin

Using port 2525 for SMTP traffic
« Reply #7 on: September 27, 2004, 07:21:55 PM »
Quote from: "pwalter"
Well, I finally got it working, and am receiving mail again. However, it appears that there is a simpler way of reconfiguring SME to use an alternate SMTP port - one that does not require so much messing with configuration files. See the thread
http://forums.contribs.org/index.php?topic=5236.0
I am not sure it will work with 6.0.1 - but I will report back if it does or not.

Peter


One thing that the other method will give you is that your port 25 is still functional.

Your method does not allow mail delivery on port 25.
(So if you have thunderbird, and point it to your sme as the smtp server, you will have to specify port 2525).  The SMTP server is not listening on port 25...


Using the method specified in the link, it just redirects all traffic going to port 2525 to 25 so both ports work....

did that make sense....?

But I'm not sure if it's easier....

Ed

pwalter

Using port 2525 for SMTP traffic
« Reply #8 on: September 27, 2004, 08:11:17 PM »
Quote

One thing that the other method will give you is that your port 25 is still functional.

Your method does not allow mail delivery on port 25.
(So if you have thunderbird, and point it to your sme as the smtp server, you will have to specify port 2525). The SMTP server is not listening on port 25...

Yes, port 25 is no longer functional. I have reconfigured my mail client to send on port 2525 instead. However, I am concerned that the reconfiguration has broken other things - RBL rejection (Knuddi's spamassassin contrib) seems to be broken now, and I have no idea what else. At the same time, Charlie Brady has pointed out (http://forums.contribs.org/index.php?topic=5233.msg18479#msg18479) that the redirection using the redir script might compromise security:
Quote
That would likely make external connections appear as though they were connections from a local network address (127.0.0.1), which will give public access to things which should be local only

If this is true for port 25, I am concerned about inadvertently opening up the mail server to external access, possibly mail relaying. I am not sure what the "best practices" would be here. Can anyone with more technical knowledge comment on this?

meanpenguin

Using port 2525 for SMTP traffic
« Reply #9 on: September 28, 2004, 12:22:25 AM »
You may want to go over the developers mailing list and do a search on mailfront, qmail, ...

SME has a layered approach to email and I believe mailfront is the first in line.  There are "proper" ways to hook into the email chain (allowing spamassassin to work properly).

By changing the services file, that may have broken the chain.  You may be bypassing the mailfront as well and that is a bad thing....

Ed

pwalter

Using port 2525 for SMTP traffic
« Reply #10 on: September 28, 2004, 01:11:55 AM »
Quote
You may want to go over the developers mailing list and do a search on mailfront, qmail, ...

Yes, been there, done that - didn't see anything that might be applicable to my situation, or, more likely, what I saw I didn't understand. From what I see, posting a question to the dev list might, at best, be ignored, and, at worst, I would probably get a flaming reply that it is not a dev question, but a configuration issue. That is why I am posting here. I had hoped that I might get an answer from someone who is knowledgeable about the email chaining in SME 6.0.1, and could advise on the best method to use, keeping mail security in mind. I imagine that others who need to run their mail server on an alternate port would benefit from a HOWTO, which I would write after testing it first. I would much prefer to keep the SMTP port at 25, using the redir script, but I am mindful of creating security holes, too.

pwalter

Using port 2525 for SMTP traffic
« Reply #11 on: September 30, 2004, 10:32:04 PM »
A final update ...
Everything seems to be working ok, except that RBL rejection in Jesper Knudsen's spam filter panel no longer works. Jesper (may his paypal account overflow) was kind enough to explain that the RBL rejections no longer occur because my registrar is now *forwarding* my mail to my alternate mail server port, instead of merely informing the mail sender of the ip address of my mail server; therefore, all mail has the "sender ip" of my registrar, and RBL rejection depends upon examining the sender ip. But I can live with that - my registrar has very kindly turned on RBL checking themselves, so my server no longer has to do it anyway. The only downside I can detect to the method I used is that all the mail clients have to be reconfigured to send mail on port 2525, instead of 25 - which may be a hassle in a large installation, but, then, a large installation probably does not have port 25 blocked, anyway.

I hope this helps someone else with a similar problem.

Peter

TrevorB

Using port 2525 for SMTP traffic
« Reply #12 on: October 02, 2004, 02:49:22 PM »
Peter.

I have been using the redir method for a couple of years now, but the only variation on that post was that I set up a simple script smtp-redir (and similar for www-redir as my isp also blocks port 80) that uses the settings for my $OUTERNET that is called as part of the ip-up and ip-change processes.

<Script (smtp-redir located in /etc/e-smith/events/actions):>
#!/bin/sh

#------------------------------------------------------------
# Hacked script to try to redirect smtp traffic from external
# port 2525 to internal port 25
#------------------------------------------------------------

# description: Configures IP redirection from an external port to an alternate internal port.

    OUTERNET=$(/sbin/e-smith/db configuration get ExternalIP)
    /usr/local/bin/redir --lport=2525 --laddr="$OUTERNET" --cport=25 --caddr=127.0.0.1 &

exit 0
</script>

and include symlinks in /etc/e-smith/events/ip-up & ip-change of S88-smtp-redir that point at this script :
ln -s /etc/e-smith/events/actions/smtp-redir /etc/e-smith/events/ip-up/S88-smtp-redir
ln -s /etc/e-smith/events/actions/smtp-redir /etc/e-smith/events/ip-change/S88-smtp-redir

This will start the redirection every time you boot and on a change of ip (if you are assigned a dynamic ip - not necessary for you at the moment, but may be needed in the future or by others).

Trevor B

pwalter

Using port 2525 for SMTP traffic
« Reply #13 on: October 02, 2004, 07:44:07 PM »
Trevor B,

Thanks for the instructions - they may become useful to me in the future, for dynamic ip addresses. I assume you have not had any of the security issues Charlie warned about in his post. Your method avoids having to reconfigure the mail clients, and leaves port 25 still functional.

Peter

TrevorB

Using port 2525 for SMTP traffic
« Reply #14 on: July 23, 2005, 07:55:39 AM »
A quick update (triggered by an e-mail/post from Charlie Brady a while ago...)

Please change --caddr=127.0.0.1 to --caddr=$OUTERNET, otherwise your external port 2525 looks like an internal port (with inherent security & relay risks).

The updated script is:
<Script (smtp-redir located in /etc/e-smith/events/actions):>
#!/bin/sh

#------------------------------------------------------------
# Hacked script to try to redirect smtp traffic from external
# port 2525 to internal port 25
#------------------------------------------------------------

# description: Configures IP redirection from an external port to an alternate internal port.

    OUTERNET=$(/sbin/e-smith/db configuration get ExternalIP)
    /usr/local/bin/redir --lport=2525 --laddr="$OUTERNET" --cport=25 --caddr="$OUTERNET" &

exit 0
</script>

Trevor B
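
A check for the change described in the post above, as an added example that is not part of the original thread: it scans redir command lines (from the action script or from `ps` output) and flags any whose --caddr is a loopback address while the listener is not. The function names are hypothetical, and treating a missing --laddr as an external listener is an assumption.

```shell
#!/bin/sh
# Added example: flag redir command lines that relay an external listener to
# a loopback target. Assumption: a missing --laddr counts as external.
is_loopback() {   # true for loopback names and 127.0.0.0/8
    case "$1" in 127.*|localhost|localhost.localdomain) return 0 ;; esac
    return 1
}
# Prints RISK, OK, REVIEW or SKIP for one line of a script or of ps output.
check_redir_line() {
    laddr= caddr= lport= cport=
    case "$1" in
        "#"*) echo SKIP; return 0 ;;        # comment line
        *redir*--lport=*) ;;                 # looks like a redir invocation
        *) echo SKIP; return 0 ;;
    esac
    set -f                                   # no globbing while word-splitting
    for w in $1; do
        w=$(printf '%s' "$w" | tr -d "\"'")  # drop shell quotes around values
        case "$w" in
            --laddr=*) laddr=${w#--laddr=} ;;
            --caddr=*) caddr=${w#--caddr=} ;;
            --lport=*) lport=${w#--lport=} ;;
            --cport=*) cport=${w#--cport=} ;;
        esac
    done
    set +f
    if [ -z "$caddr" ]; then
        echo "REVIEW $lport->?:$cport (no --caddr given)"
    elif is_loopback "$caddr" && ! is_loopback "$laddr"; then
        echo "RISK $lport->$caddr:$cport (listener ${laddr:-unspecified})"
    else
        echo "OK $lport->$caddr:$cport (listener $laddr)"
    fi
}

# Reads lines on stdin, prints verdicts, returns 1 if any line is a RISK.
audit_redir() {
    rc=0
    while read -r l || [ -n "$l" ]; do
        v=$(check_redir_line "$l")
        case "$v" in SKIP) ;; RISK*) echo "$v"; rc=1 ;; *) echo "$v" ;; esac
    done
    return $rc
}
# Constructed sample: the redir lines from Reply #12 and Reply #14.
audit_redir <<'EOF' || echo "at least one redirection targets loopback"
/usr/local/bin/redir --lport=2525 --laddr=$OUTERNET --cport=25 --caddr=127.0.0.1 &
/usr/local/bin/redir --lport=2525 --laddr=$OUTERNET --cport=25 --caddr=$OUTERNET &
EOF
```

To audit the installed action script, feed it on stdin: `audit_redir < /etc/e-smith/events/actions/smtp-redir`.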