Koozali.org: home of the SME Server

Port 25 blocked - Email dead in the water.

Offline arne

« Reply #30 on: August 03, 2008, 10:44:08 AM »
If you post answers to the questions I posted above, there should be some clear conclusions.

Offline arne

« Reply #31 on: August 07, 2008, 07:39:09 AM »
One more additional piece of information.

This command: tcpdump -i eth0 -n tcp port 25

.. will show a listing of all packets as your server tries to send or receive mail.

This command together with the commands mentioned above should give a reasonably clear picture of the network related problems.

To find a conclusion if two servers can communicate, and eventually which port they can communicate on, is usually a rather simple question with some clear conclusions, if the proper tools are used.
« Last Edit: August 07, 2008, 07:49:02 AM by arne »

Offline zatnikatel

« Reply #32 on: August 07, 2008, 11:23:05 AM »
Just a little thing: I have been told that if you use tcpdump you should use a hub and not a switch, and this I was told by a person who is a very high network architect.

Offline arne

« Reply #33 on: August 07, 2008, 01:44:24 PM »
Of course, if you do it (tcpdump) over the network and on another machine than the one you are troubleshooting.

In this case this will probably not be the situation.

If you do it (tcpdump) on the server you are troubleshooting, then the switch/hub problem will not exist. Anyone can send a mail via webmail, and run " tcpdump -i eth0 -n tcp port 25 " and see a printout of the packet traffic. This is supported by the SME server as default.
......
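
Added example (not part of the original thread): a short Python script that reads the text output of the tcpdump command discussed above and reports, for each connection attempt to port 25, whether the SYN was answered, reset, or got no reply at all. The capture lines are constructed, use documentation addresses, and assume tcpdump's "Flags [...]" output format; older tcpdump versions print flags differently.

```python
import re

# Constructed sample of `tcpdump -i eth0 -n tcp port 25` output
# (assumed "Flags [..]" format; addresses are documentation ranges).
SAMPLE = """\
10:44:08.100000 IP 192.0.2.10.43512 > 198.51.100.25.25: Flags [S], seq 1000, win 29200, length 0
10:44:08.130000 IP 198.51.100.25.25 > 192.0.2.10.43512: Flags [S.], seq 2000, ack 1001, win 28960, length 0
10:44:08.130100 IP 192.0.2.10.43512 > 198.51.100.25.25: Flags [.], ack 1, win 229, length 0
10:44:09.000000 IP 192.0.2.10.43600 > 203.0.113.7.25: Flags [S], seq 3000, win 29200, length 0
10:44:10.000000 IP 192.0.2.10.43600 > 203.0.113.7.25: Flags [S], seq 3000, win 29200, length 0
10:44:12.000000 IP 192.0.2.10.43600 > 203.0.113.7.25: Flags [S], seq 3000, win 29200, length 0
10:44:13.000000 IP 192.0.2.10.43700 > 203.0.113.9.25: Flags [S], seq 4000, win 29200, length 0
10:44:13.020000 IP 203.0.113.9.25 > 192.0.2.10.43700: Flags [R.], seq 0, ack 4001, win 0, length 0
"""

# source ip.port > destination ip.port: Flags [flags]
LINE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]+)\]"
)

def classify(capture):
    """Map each attempt to reach port 25 to 'answered', 'refused' or 'no-reply'."""
    flows = {}  # (client ip, client port, server ip) -> state
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        if flags == "S" and dport == "25":
            # Initial SYN (or a retransmission of it) towards a mail server.
            flows.setdefault((src, sport, dst), "no-reply")
        elif sport == "25":
            # Packet coming back from the mail server side.
            key = (dst, dport, src)
            if flows.get(key) == "no-reply":
                if flags.startswith("S"):   # "S." is SYN-ACK
                    flows[key] = "answered"
                elif "R" in flags:          # RST: actively refused
                    flows[key] = "refused"
    return {f"{c}:{p} -> {s}:25": state for (c, p, s), state in flows.items()}

if __name__ == "__main__":
    for flow, state in classify(SAMPLE).items():
        print(f"{flow}  {state}")
```

A "no-reply" result means the SYN packets are being dropped somewhere on the path; "answered" means TCP on port 25 works and any remaining failure lies in the SMTP conversation itself.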

Offline electroman00

« Reply #34 on: August 07, 2008, 04:53:41 PM »
First....ISP's typically do not block port 25....they filter port 25.

With that said, one might surmise the solution.

server-manager > email > Change e-mail delivery settings > SMTP server

Although the instructions leave something to be desired, nevertheless read and understand the instructions.

Quote
SMTP server
The server can deliver outgoing messages directly to their destination (recommended in most cases) or can deliver them via your Internet provider's SMTP server (recommended if you have an unreliable Internet connection or are using a residential Internet service). If using your Internet provider's SMTP server, specify its hostname or IP address below. Otherwise leave this field blank.

If your ISP requires Authentication to send mail (all do) use your ISP mail server here with password for any email
account you have setup with them per the instructions above.

i.e. smtp-mail.comcast.com
&
any user & password email account setup on their system for Authentication.

User and password will only be used for authentication of smtp port 25 usage.
SME can then use the port authenticated by that user and all mail from yourmailserver FQDN on SME will be sent on port 25 SMTP.
Keep in mind that any user/system that uses an ISP's smtp port 25 must be authenticated.
Any ISP smtp usage that is not authenticated via a valid user/password is BLOCKED.

So what most think is a port block is actually an authentication block.

MX record should point to yourmailserver FQDN on SME, not your ISP's mail pop3 server.
Your ISP does not block or filter pop3 port 110.
Well they may have an AV or spam blocker running on it.... possibly.
What that means is you can receive all the email you want, to yourmailserver FQDN on your SME.

i.e. mail.mySMEserver.xxx

Sending smtp is filtered, most all ISP's filter port 25 even on a business account.
With a business account you have to provide them with your yourmailserver FQDN and it will be filtered based on that.

Your client mail would use yourmailserver FQDN for send and receive and SME would need
to be within local access to clients.

Client config...

pop
mail.mySMEserver.xxx
smtp
mail.mySMEserver.xxx

If an ISP blocks smtp port 25 then you cannot send via their mail.ISPserver.xxx or any other server.

Another way of saying that is, your ISP is not providing any email service/accounts.

If they provide email accounts to you, you are filtered, not blocked.

Blocked = nothing can use the port.
Filtered = something (not everything) can use the port.

Quote
It is not advised to run e-mail servers on a dynamic IP number.

Cable providers typically have lease times greater than 10 min, so a cable modem can
be offline for up to 10 mins and it should maintain the same IP.
Simple testing is to power the modem down for 10, 20 & 30 mins and check to see if IP is renewed.

Even with a static IP your mail server could be down and all emails that would have been received
would be lost, returned to sender as undeliverable.

Therefore it's advised to have an MX backup, which easydns provides with its DNS service.

Without easydns MX backup you would need another email server added to the MX record for backup.

Quote
In this case I consulted with the techs at easydns and modified my MX records to direct incoming mail to my home server on port 587.

That only needs to be done if you circumvent port 25 smtp.

If you follow the instructions above you shouldn't have to circumvent port 25 smtp.

If you then have an easydns MX backup on their server, you simply manually request the backup when
your mail server is back in service and back up emails will be sent.

Port Forwarding PF

1 - SME server/gateway > directly connected to internet - no PF needed (default SME)
2 - SME server/gateway > separate firewall DMZ connect to internet - PF 25 & 110 on firewall
3 - SME server only mode > separate firewall DMZ connect to internet - PF 25 & 110 on firewall
4 - SME server only mode > separate firewall LAN connect to internet - PF 25 & 110 on firewall

HTH

Offline ksg

« Reply #35 on: August 08, 2008, 03:44:53 AM »
Increasingly, these days, ISPs and others will not permit any SMTP access from machines with dynamic IP addresses, so running your own SMTP server will still not work unless you have a static IP address. Loa PowerTools, [REMOVE SHAMELESS PLUG] offers a service to overcome this problem.

[REMOVE SHAMELESS PLUG]
« Last Edit: August 08, 2008, 04:16:37 AM by slords »

Offline CharlieBrady

« Reply #36 on: August 08, 2008, 04:10:00 AM »
Quote
Increasingly, these days, ISPs and others will not permit any SMTP access from machines with dynamic IP addresses ...

Really? Can you provide evidence to support your assertion? Which ISPs don't provide an SMTP server which can be used by their customers?


Offline janet

« Reply #37 on: August 08, 2008, 04:51:45 AM »
ksg

I have been running a mail and web server using sme and using a dynamic IP connection with my ISP for a couple of years without any problem.

It depends on the policy of the ISP. Just don't use one who does not provide all services, and the one I'm using is both cheap & reliable.

Choose ISP's wisely and shop around first.

There are workarounds (for sme) for situations where ISP's do limit port 25 access.
« Last Edit: August 08, 2008, 05:28:26 AM by mary »

Offline pherder

« Reply #38 on: August 08, 2008, 05:07:12 AM »
Quote
Really? Can you provide evidence to support your assertion? Which ISPs don't provide an SMTP server which can be used by their customers?

Verizon wireless does not. I know this personally since I set my mother up with them (Verizon WLAN card built into the laptop).

I guess they expect users of cellular wireless lan cards to be businesses that have their own mail server. She just happens to be in a location where there aren't any wired high speed ISPs available and this was cheaper than HughesNet.

Offline ksg

« Reply #39 on: August 08, 2008, 05:12:24 AM »
Well, among many, many others:

http://www.ic.gc.ca/epic/site/ecic-ceac.nsf/en/gv00329e.html:

Stopping Spam: Creating a Stronger, Safer Internet
Report of the Task Force on Spam
May 2005
Recommended Best Practices for Internet Service Providers and Other Network Operators

.....

2. ISPs and other network operators should limit, by default, the use of port 25 by end-users. If necessary, the ability to send or receive mail over port 25 should be restricted to hosts on the provider's network. Use of port 25 by end-users should be permitted on an as-needed basis, or as set out in the provider's end-user agreement / terms of service.

Most ISPs and other network operators agree that there is no practical reason for dial-up / dynamic IP-address ranges to have email servers at the customer end.

There are a variety of ways to avoid this. Through their own network management, ISPs and other network operators can block the use of port 25 on an egress basis.

It has been the experience of members of the Working Group that blocking port 25 affects very few users, and that these users can usually be accommodated in other ways.

The benefits of blocking port 25 are frequently dramatic — some ISPs have seen a 95-percent drop in virus emissions, a 98-percent drop in abuse reports, a reduction in internal viruses / compromised machines used to send spam and attendant cost savings in abuse-related network management.


and

http://www.infoworld.com/article/08/06/26/Antispam_group_outlines_defenses_to_block_botnet_spam-IDGNS_1.html

referencing:

http://www.maawg.org/news/maawg080625

Antispam group outlines ways to block spam from botnets
MAAWG recommends new best practices for ISPs to stop increasing volumes of spam

By Jeremy Kirk, IDG News Service

June 26, 2008
...

MAAWG's [the Messaging Anti-Abuse Working Group] primary suggestion for ISPs is to block all machines on dynamic IP addresses that are sending e-mail on port 25 outside their own network unless there are special, legitimate circumstances. The idea has been "very central" to antispam fighters, Cox said.

etc. etc.

« Last Edit: August 08, 2008, 05:17:04 AM by ksg »

Offline arne

« Reply #40 on: August 08, 2008, 07:38:55 AM »
I know at least one ISP that does that control of outgoing port 25 traffic by monitoring the user's traffic, and if the traffic is detected to be "unnormal" the port 25 is closed. The reason I know this is because I have helped a number of people to get their lines opened again after it has been blocked after detection of outgoing spam. The explanation from the ISP has been that there had been a spam detection and that the line would be opened again on port 25 direction out if the spam source has been removed.

By the way, if port 25 should be closed, tunneling to some endpoint behind the blocking should work. (But of course the capacity will be less.)
« Last Edit: August 08, 2008, 07:57:27 AM by arne »

Offline electroman00

« Reply #41 on: August 08, 2008, 09:06:58 PM »
Quote
"I know at least one ISP that does control of outgoing port 25 traffic by monitoring the users traffic"

 (true but vague)

emails sent in a given time period trap (trap.. not filter)

(I've seen 50 per minute and 10 per second.... ouch)

Spam engines can send a 1000 email in a few seconds.

If you trigger that trap, they will block port 25 and you have to prove you're not running a spam engine and/or infected with a virus.

Notice I said "you have to prove you're not running a spam engine"

Don't say I turned off the email server or I can't send email's from my email server....da...!! :shock:

Tell them you found the virus and fixed it.  8-)

Then they can enable 25 in a heartbeat. :-P

There is no way your ISP can tell if emails are from a client or a server from the emails themselves. (true)

That's why they use a Counter/Time period trap. 8)

Most ISP have the trap because they want and you want them to stop the spammer's.

So why not work with them.!!

There's no reason to be angry with them for using the trap, they're doing the right thing, protecting the internet.

They really don't care if you run an email server that doesn't affect their system or customers.

They just want to stop irresponsible asshole spammers.

And they need everyone's help..!!

So everyone needs to be a responsible residential IT and help them, by setting things up properly.

BTW they also run the trap on Business accounts...you can bet on it..!!
So those accounts are a bit more difficult to get turned back on if you trigger the trap.

Residential accounts they first assume you have a virus.
Business accounts they assume you are a spammer first.
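
Added example (not part of the original thread): a Python sketch of the counter/time-period trap described in this post, which an administrator could run over their own gateway's records of outbound port-25 sessions to spot an infected LAN machine. The event data is constructed, and the limits used (50 per minute, 10 per second) are simply the figures quoted in the post taken as assumed thresholds; real ISP limits are not given on this page.

```python
from collections import defaultdict, deque

def rate_trap(events, limit, period):
    """Return {source: time the trap first fired} for every source that
    starts more than `limit` port-25 sessions within `period` seconds.

    events: iterable of (epoch_seconds, source_ip), sorted by time.
    """
    window = defaultdict(deque)   # source -> session times inside the period
    tripped = {}
    for ts, src in events:
        q = window[src]
        q.append(ts)
        # Forget sessions that have aged out of the counting period.
        while ts - q[0] >= period:
            q.popleft()
        if len(q) > limit and src not in tripped:
            tripped[src] = ts
    return tripped

def sample_events():
    """Constructed data: a mail server sending one message every 5 s for two
    minutes, and an infected workstation opening 20 sessions/s for 4 s."""
    server = [(1000 + 5 * i, "192.0.2.10") for i in range(24)]
    infected = [(1030 + i / 20, "192.0.2.77") for i in range(80)]
    return sorted(server + infected)

if __name__ == "__main__":
    events = sample_events()
    for limit, period in ((50, 60), (10, 1)):
        hits = rate_trap(events, limit, period)
        print(f"more than {limit} sessions per {period}s: {hits}")
```

The normally behaving server never comes near either limit, which is the post's point: the trap counts sessions per time period and does not look at whether the sender is a client or a server.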


Offline arne

« Reply #42 on: August 08, 2008, 09:38:04 PM »
.. So for reasonable and proper use, port 25 is actually "open" (in the meaning "can be used"), on most internet connection lines, when it comes to the situation for the outbound traffic. For the inbound traffic the situation might be a bit more "variated".

"There is no way your ISP can tell if emails are from a client or a server from the emails themselves. (true)"

.. And because of this a program like Microsoft Outlook would stop working when connected to another mail server than your ISP's, if port 25 were "blocked" (in the meaning the internet connection line will not transport data for the customer). I believe that it is not likely that most ISPs will prevent MS Outlook from doing its standard job.

Because of this the SME home server will normally also have an open connection out, as long as the internet connection is used in a proper and reasonable way. (But many providers filter/block the port 25 connection in the inbound traffic direction. The only practical way to solve this is to have an external mail server that can receive the mail traffic and resend it on an alternative open port in the traffic direction inbound to the server.)

A "standard scenario" will be to find that there is an open connection for outbound traffic, while it might be blocked for port 25 inbound traffic direction.

The next step will then be to find an alternative open port for the inbound traffic, and then to find a way to set up an external server to resend via this alternative port. By using the forwarding function of the SME server (on the server-manager panel) it can also receive mail on an alternative port.

Right ?!

(No, I do not have all the answers, and I just try to learn something new, and to understand things better all the time.)

By the way, these MX records will have something to do with this situation: "to redirect the mail traffic to an external mail server that can resend the traffic to your server on an alternative port". This last step I have actually never tried, but I guess it should work like this.
« Last Edit: August 08, 2008, 10:07:31 PM by arne »

Offline CharlieBrady

« Reply #43 on: August 08, 2008, 10:09:28 PM »
Quote
Really? Can you provide evidence to support your assertion? Which ISPs don't provide an SMTP server which can be used by their customers?

I don't mean to suggest that there aren't ISPs which block SMTP traffic into or out of their networks.

I was specifically responding to ksg's suggestion that you can't run a mail server on a dynamic IP because other mail servers won't accept mail from such dynamic IPs. The ISP's mail server can be/should be used as outbound SmartHost in those circumstances.

Offline electroman00

« Reply #44 on: August 08, 2008, 10:50:42 PM »
Quote
Verizon wireless does not. I know this personally since I set my mother up with them (Verizon WLAN card built into the laptop).

I guess they expect users of cellular wireless lan cards to be businesses that have their own mail server.
She just happens to be in a location where there aren't any wired high speed ISPs available and this was cheaper than HughesNet.

Just as a point of clarification, we're talking about an email server on a wired network.

Also Verizon does provide email accounts on a wireless broadband account.

To use an email client you have to authenticate to Verizon's Network and then authenticate to the email account.

Or use Verizon Webmail....your choice.

My buddy has Verizon Wireless and me was sending emails on his laptop via Outlook at 75 mph, works a treat.

You could wire SME to the laptop and setup a wireless email server.

Bridge the wired nic to the wireless nic and wango tango...SME wireless email server.!!

For that matter you could VM and get it done, no wires.