Topic: Port 25 blocked - Email dead in the water.

[janet]

calisun

You don't say what you actually did to change your server port.
If you created a custom template, then delete it and do
signal-event post-upgrade
reboot

or if you used the db command that was suggested then do
config setprop smtpd TCPPort 25
signal-event email-update

[CharlieBrady]

Since I do not have a static IP from Comcast, my MX records and DNS issues are handled by www.easydns.  In this case I consulted with the techs at easydns and modified my MX records to direct incoming mail to my home server on port 587.

MX records are unable to do that. However MX records are able to direct your mail to an easydns server, and they can then relay it to you on port 587.

[CharlieBrady]

You don't say what you actually did to change your server port.

Not that it was ever necessary to change the server port. The port forwarding panel in the server manager makes it possible for services to effectively listen to multiple ports, so calisun could have forwarded post 587 to localhost:25.

[CharlieBrady]

When it changes my email dies, I then check the IP address in my router vs the one on "file" with easydns.com in my MX records. 

Ah, so you have a router with an IP address. That complicates things. That means your SME server isn't connected directly to the Internet, and you need to fiddle with port forwarding in your router before there is any connectivity from the Internet to your SME server.

[arne]

The tree last posts from CharlieBrady looks perfectly right and correct for me, when it comes to arguments and conclusions.

On the other hand I think the discussion abouve leaves some unclear arguments if the port 25 is really closed or not.

Her is a link to a external port scanner that can tell something abouth how things (open ports) looks from the outside.

I hope it will work: https://www.grc.com/x/ne.dll?bh0bkyd2

If there is a router that has a external ip, port 25 and/or port 587 will have to be forwarded to port 25 at the server.

An external scanning will show port 25 or port 587 as open if they are forwarded to port 25 at the server. (And if there is no filtering from the isp that will bloch the connection.)

I think it is correct that the only practical way tu run mail serive on a "unstandard port trough the isp connection" is to use an external mail server that resends from standard port 25 to the prefered unstandard port (587). (Because all other mail server that will try to send mail to you will send on port 25, so it will not help much to listen to a port 587 that no one will use, unless you retransmitt to this port youself.)

The good thing about having a router in front of the sme server is that you can use a unstandard port without any changes or configuration of the sme server at all. (But there will be neccessarry to use an adidtional external mail server to resend to the prefered port.)

First of all one will have to know for sure if one has en external ip at the server or not. From shell type "ifconfig" to see the server ip. Then visit this web page: http://www.myip.dk If the two ip's are the same, yuu will have an external ip to your server. If they are different there is a router, and forwarding will be required.

If there is a router, a good next step will be to first try to forward port 25 (to 25) and then port 587 (to 25) to see if any of those ports is "visible" via an external port scanning.

The last arguments is actually only valid for receiving mail and not sending, but it is a start. (Normally the port 25 direction out will be open for most isp's)
To find out if port 25 out is open one can use an internal port scanner and scan an known mail server direction out, or just try to run the mail server to see if it can send in direction out. If it should be blocked in traffic direction out, then it will be required to use an external mail server to resend from the unstandard open port to port 25, so mail can reach other mail servers on the standard port.

By the way, if it should be required to use an alternative port in traffic direction out, how can you reconfigure a standard router or the sme server to do that ? This last answer I do not know. (But hopefully port 25 direction out will apear to be open.) (Unless mail adresses can be like this: acount@domain.com:587 I can not remeber if this will work or not.)

[arne]

To se if there is a "connection" traffic direction inbound, then one can use the external port scanner as linked above.

To see if there is a open connection in traffic direction uoutbound one method that can be used is this:

Download putty http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
(To a Windows PC)

Know a friend or somebody with a running sme server. (I hope contribs.org can be this friend.)

Connect to the server using the putty program by setting parameters like this:

1. Select "telnet"
2. Type inn the address to the server.
3. Port 25.
4. Close windows on exit: Never

The response from the running sme 7.3 (Qmail) mail server (my server at home) will be like this:
"450 Connecting host started transmitting before SMPT greeting"

The response from contribs.org is actually different:
"220 mail.contribs.org ESMTP Postfix"

This shows that contribs.org actually does not use the Qmail server but a Postfix server.
(According to my point of view any server function should of safety reasons never be configured to show its identity this way.)
(The more information a hacker have about a server the more information he has for an attack. To collect such datas will often be the first phase of an attack.)

Of course an outbound port scanner is also an alternative option if one have such a scanner available.

The nmap port scanner can be easily installed on sme 7.3 using yum.

External port connection traffic direction out for port 25 can also or alternatively be checked like this:

[root@sme73guest ~]# nmap contribs.org -p 25

Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2008-08-02 06:40 CEST
Interesting ports on contribs.org (75.146.90.141):
PORT   STATE SERVICE
25/tcp open  smtp

Nmap run completed -- 1 IP address (1 host up) scanned in 1.356 seconds

[calisun]

I did the https://www.grc.com/x/ne.dll?bh0bkyd2
And it tells me that port 25 is stealth and port 587 is closed (I did port forwarding 587 -> 25 localhost)

[Stefano]

:::::::Start Quote::::::::
It is not advised to run e-mail servers on a dynamic IP number.

I think this problem might be due to your IP change not being propagated through all the internet instantly. From your copied error messages, it seems that all messages are queued, albeit that they are delayed.
:::::End Quote:::::::::

Ted, could you please use the standard quote code?
reading your post on small screen (palm) is a pain

Thank you

Stefano

[janet]

Ted

Have you overlooked Charlies suggestion/answer ? You need to forward port(s) in your router (to your sme).

"Ah, so you have a router with an IP address. That complicates things. That means your SME server isn't connected directly to the Internet, and you need to fiddle with port forwarding in your router before there is any connectivity from the Internet to your SME server."

[arne]

Yes, of cource, if it is a router there, it will be required to make a port forwarding.

To see the open and working connection, two things must be true:

1. 1 the line or connection from the isp have to be open for that port. (In that traffic direction.)

2. If there is a NAT router, the proper port forwarding will have to be set up.

If a scanning is made using the external scanning tool it should be quite easy to see if there is a router or not.
If there is not a router, or ordinary ports like port 80 and port 443 will be visible. If there is a router most ports will be closed.
(Exept those forwarded.)

[calisun]

calisun

Have you overlooked Charlies suggestion/answer ? You need to forward port(s) in your router (to your sme).

"Ah, so you have a router with an IP address. That complicates things. That means your SME server isn't connected directly to the Internet, and you need to fiddle with port forwarding in your router before there is any connectivity from the Internet to your SME server."

I don't have a router, my SME server is connected directly to the cable modem

[arne]

OK.

1. Post a list of those ports that appear as open when doing the external port scan. https://www.grc.com/x/ne.dll?bh0bkyd2

2. Post information about the ip addresses you can see when you type "ifconfig" from shell on server. If you like you can make it anonymous by replacing the two last digits with x like this: 83.192.x.x

3. go to this web page http://www.myip.dk Post the ip here. The two last digits can again be replaced with .x.x not to keep things anonymous.

With this posting we should have some 100 % conclusions how the network connection work, when it comes to the ability to receive mail. These things are actually rather easy to find out about if testing and posting here is done with some accuracy.

(There could still be a router or a firewall there somwhere. This we will now find out.)

By the way, you can also log into shell to the server and type this command, it should bring even more light over the situation:

" tracerote contribs.org "

Post the first 8 steps here. Some of the last digits can be replaced with .x.x if you like.

[janet]

calisun

I don't have a router, my SME server is connected directly to the cable modem

Sorry, that was a quote from Ted that Charlie replied to, and I incorrectly ascribed it to you.

My comment should have been directed to Ted.

[janet]

calisun

I don't have a router, my SME server is connected directly to the cable modem

How is your sme server configued, Server & gateway - dedicated mode ?
What option did you choose for External Interface Configuration ie
option 1  DHCP (Account name as client identifier) or option 2 DHCP (Ethernet address as client identifier) ?

Actually, are you still chasing an answer re your Comcast setup, or have you co-located your server ?

[calisun]

Yes, I am still trying to work out Comcast. I just lost my job yesterday, so I am trying to save some $$.

I am leaving for vacation tonight (scheduled before my layoff)(Bastards told me, have fun on your vacation, by the way, here is your last paycheck)
So I will answer all the questions when I return in a little over a week.