Koozali.org: home of the SME Server

Obsolete Releases => SME Server 7.x => Topic started by: Ted on June 10, 2008, 06:58:25 AM

Title: Port 25 blocked - Email dead in the water.
Post by: Ted on June 10, 2008, 06:58:25 AM
Comcast cable blocked port 25 on me.  Depending on which comcast tech I talk to I get conflicting answers.  1) For everybody.  2) This region.  3) Only you.  4)  "I don't know nothing 'bout birthing no ports". 

However the first Comcast tech I talked to (and the most helpful) told me to switch to port 587.  I changed my email clients to use port 587 and I was able to send emails.  I still could not receive them.

My server acts as an email server for my wife and I on our two domains.  It also is a web server for those domains and is the family file server.  It is a server only SME 7.3 living inside my home network behind my "firewall", a Linksys BEFSX4.1 that protects the network. 

Since I do not have a static IP from Comcast, my MX records and DNS issues are handled by www.easydns.  In this case I consulted with the techs at easydns and modified my MX records to direct incoming mail to my home server on port 587.

Success, it worked.... Except when it does not.  At least once a day for 3 to 4 hours no mail comes in.  I know it is out there, I can access some of it on the yahoogroups site, but nothing comes in. 

Below is a copy of the error log from easydns.  They seem to think that it is a server problem
Note that my ip has been changed.

::::::::::::::::::::
telnet mail.shadowsfall.org 587
Trying ab.cde.f.gh...
telnet: connect to address ab.cde.f.gh: Operation timed out
telnet: Unable to connect to remote host

*Snipped of some of the logs for monika@aviondreams.com (status deferred due to connection timed out on port 587.

Jun  6 07:13:41 forward1 postfix/smtp[25864]: B055D50CEC: to=<monika@aviondreams.com>, relay=none, delay=46, status=deferred (connect to mail.shadowsfall.org[ab.cde.f.gh]: Connection timed out)

Jun  4 06:41:07 forward2 postfix/smtp[31987]: 603CE80876: to=<monika@aviondreams.com>, relay=none, delay=1240, status=deferred (connect to mail.shadowsfall.org[ab.cde.f.gh]: Connection timed out)

Jun  4 06:48:51 forward1 postfix/smtp[31050]: 753BB19EA2: to=<monika@aviondreams.com>, relay=none, delay=30, status=deferred (connect to mail.shadowsfall.org[ab.cde.f.gh]: Connection timed out)

Jun  4 06:42:42 forward1 postfix/smtp[31165]: 144A5198FB: to=<monika@aviondreams.com>, relay=none, delay=3865, status=deferred (connect to mail.shadowsfall.org[ab.cde.f.gh]: Connection timed out)

_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-

snipped of sent emails.

Jun  6 06:29:34 forward2 postfix/smtp[1692]: 4016CB702F: to=<monika@aviondreams.com>, relay=mail.shadowsfall.org[ab.cde.f.gh], delay=7, status=sent (250 Queued! 1212748174 qp 13003 <20080606102922.DAEC49F754@signal.groundspeak.com>)

Jun  6 06:31:29 forward2 postfix/smtp[8938]: A6454B723C: to=<monika@aviondreams.com>, relay=mail.shadowsfall.org[ab.cde.f.gh], delay=7, status=sent (250 Queued! 1212748289 qp 13017 <20080606103122.6E89AA1191@signal.groundspeak.com>)

Jun  6 06:40:44 forward2 postfix/smtp[15022]: 3AF7BB7A86: to=<monika@aviondreams.com>, relay=mail.shadowsfall.org[ab.cde.f.gh], delay=26, status=sent (250 Queued! 1212748844 qp 13034 <1212748812.22.5706.m46@yahoogroups.com>)

Jun  6 07:40:46 forward1 postfix/smtp[24360]: B50554FD1A: to=<monika@aviondreams.com>, relay=mail.shadowsfall.org[ab.cde.f.gh], delay=17, status=sent (250 Queued! 1212752446 qp 8947 <3160960026@que04.irvine.ilinkmd.com>)
 
_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-


snipped of sent emails for ted@shadowsfall.org.

Jun  6 07:48:27 forward2 policyd: rcpt=3113238, whitelist=update, host=66.218.67.216 (n25c.bullet.scd.yahoo.com), from=sentto-104861-165462-1212752906-tedshadowsfall.org@retur, to=ted@shadowsfall.org, size=0 

Jun  6 08:42:45 forward1 postfix/smtp[19049]: 5524F18601: to=<ted@shadowsfall.org>, relay=mail.shadowsfall.org[ab.cde.f.gh], delay=4, status=sent (250 Queued! 1212756165 qp 9304 <E1K4bAt-0007Ct-00@pop05.mail.atl.earthlink.net>)

Jun  6 08:46:18 forward1 postfix/smtp[23434]: D62C721584: to=<ted@shadowsfall.org>, relay=mail.shadowsfall.org[ab.cde.f.gh], delay=19, status=sent (250 Queued! 1212756378 qp 9321 <4848f941j40088-qpmcwithj@slateaspen.com>)

Jun  6 09:07:58 forward1 postfix/smtp[11254]: 2362051218: to=<ted@shadowsfall.org>, relay=mail.shadowsfall.org[ab.cde.f.gh], delay=15, status=sent (250 Queued! 1212757679 qp 9521 <4848fdfcu10c6b3-q36i6kp4r@pepperminthoneykismet.com>)

Jun  6 09:53:16 forward1 postfix/smtp[17428]: 36A2021B58: to=<ted@shadowsfall.org>, relay=mail.shadowsfall.org[ab.cde.f.gh], delay=5, status=sent (250 Queued! 1212760396 qp 9789 <48490889le5c4f-qyekox5o3@hazelcardinal.com>)

:::::::::::End Cut::::::::::

Any thoughts on this?  This was never a problem until Comcast blocked port 25 and I had to do the port 587 work around.

Are the two even related or is it just coincidence that this appeared.  Could a recent update be causing this problem?

Ted
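
Added example (not part of Ted's post or of easydns's tooling): a Python sketch that reads relay log lines in the format quoted above and separates deferrals where the connection timed out from ones that were refused or answered at SMTP level, using `delay=` to estimate how long mail has been waiting. The sample lines, hostnames and addresses are constructed placeholders, and the year is an assumption because syslog timestamps carry none.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in the same shape as the relay log quoted above.
# example.org and the 192.0.2.x / 198.51.100.x addresses are placeholders;
# the policyd line shows that non-delivery lines are skipped.
SAMPLE_LOG = """\
Jun  4 06:41:07 forward2 postfix/smtp[31987]: 603CE80876: to=<user@example.org>, relay=none, delay=1240, status=deferred (connect to mail.example.org[192.0.2.10]: Connection timed out)
Jun  4 06:42:42 forward1 postfix/smtp[31165]: 144A5198FB: to=<user@example.org>, relay=none, delay=3865, status=deferred (connect to mail.example.org[192.0.2.10]: Connection timed out)
Jun  5 21:10:03 forward1 postfix/smtp[20111]: 9A1B2C3D4E: to=<user@example.org>, relay=none, delay=12, status=deferred (connect to mail.example.org[192.0.2.10]: Connection refused)
Jun  6 06:29:34 forward2 postfix/smtp[1692]: 4016CB702F: to=<user@example.org>, relay=mail.example.org[192.0.2.10], delay=7, status=sent (250 Queued! 1212748174 qp 13003 <msgid@example.com>)
Jun  6 07:48:27 forward2 policyd: rcpt=3113238, whitelist=update, host=198.51.100.7, to=user@example.org, size=0
"""

# Matches only postfix/smtp delivery lines in the layout shown in the post.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\spostfix/smtp\[\d+\]:\s"
    r"(?P<qid>[0-9A-F]+):\sto=<(?P<rcpt>[^>]+)>,\srelay=(?P<relay>[^,]+),\s"
    r"delay=(?P<delay>\d+),\sstatus=(?P<status>\w+)\s\((?P<detail>.*)\)$"
)


def parse_line(line, year=2008):
    """Return a dict for a delivery line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["delay"] = int(rec["delay"])
    # Syslog timestamps have no year; 'year' is supplied by the caller.
    ts = " ".join(rec.pop("ts").split())
    rec["when"] = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
    return rec


def classify(rec):
    """Map a delivery record to the layer at which it succeeded or failed."""
    if rec["status"] == "sent":
        return "delivered"
    if "Connection timed out" in rec["detail"]:
        return "no-answer"    # nothing came back: dropped packets or host down
    if "Connection refused" in rec["detail"]:
        return "port-closed"  # host answered, but nothing listens on the port
    return "smtp-reply"       # the mail server itself answered with an error


def summarize(log_text, year=2008):
    """Count outcomes and, per failure cause, the span mail has been waiting.

    'delay' is the time the message has spent in the relay's queue, so
    (timestamp - delay) is when the oldest still-waiting message arrived.
    """
    counts = Counter()
    waiting = {}
    for line in log_text.splitlines():
        rec = parse_line(line, year)
        if rec is None:
            continue
        cause = classify(rec)
        counts[cause] += 1
        if rec["status"] == "deferred":
            queued = rec["when"] - timedelta(seconds=rec["delay"])
            first, last = waiting.get(cause, (queued, rec["when"]))
            waiting[cause] = (min(first, queued), max(last, rec["when"]))
    return counts, waiting


if __name__ == "__main__":
    counts, waiting = summarize(SAMPLE_LOG)
    for cause, n in sorted(counts.items()):
        print(f"{cause:12s} {n}")
    for cause, (since, last) in sorted(waiting.items()):
        print(f"{cause:12s} waiting since {since}  last deferral {last}")
```
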
Title: Re: Port 25 blocked - Email dead in the water.
Post by: cactus on June 10, 2008, 07:43:40 AM
Comcast cable blocked port 25 on me.  Depending on which comcast tech I talk to I get conflicting answers.  1) For everybody.  2) This region.  3) Only you.  4)  "I don't know nothing 'bout birthing no ports". 

However the first Comcast tech I talked to (and the most helpful) told me to switch to port 587.  I changed my email clients to use port 587 and I was able to send emails.  I still could not receive them.

My server acts as a email server for my wife and I on our two domains.  It also is a web server for those domains and is the family file server.  It is a server only SME 7.3 living inside my home network behind my "firewall", a Linksys BEFSX4.1 that protects the network. 

Since I do not have a static IP from Comcast, my MX records and DNS issues are handled by www.easydns.  In this case I consulted with the techs at easydns and modified my MX records to direct incoming mail to my home server on port 587.

Success, it worked.... Except when it does not.  at least once a day for 3 to 4 hours no mail comes in.  I know it is out there, I can access some of it on the yahoogroups site, but nothing comes in. 

Below is a copy of the error log from easydns.  They seem to think that it is a server problem
Note that my ip has been changed.
It is not advised to run e-mail servers on a dynamic IP number.

I think this problem might be due to your IP change not being propagated through all the internet instantly. From your copied error messages, it seems that all messages are queued, albeit that they are delayed.

Any thoughts on this?  This was never a problem until Comcast blocked port 25 and I had to do the port 587 work around.

Are the two even related or is it just coincidence that this appeared.  Could a recent update be causing this problem?
I do not know, but your best bet is to ask your provider for a fixed IP address.
Title: Re: Port 25 blocked - Email dead in the water.
Post by: Ted on June 10, 2008, 08:01:33 AM
:::::::Start Quote::::::::
It is not advised to run e-mail servers on a dynamic IP number.

I think this problem might be due to your IP change not being propagated through all the internet instantly. From your copied error messages, it seems that all messages are queued, albeit that they are delayed.
:::::End Quote:::::::::

It may not be advised, however this setup has been working for me for several years.  On the average my Comcast provided IP address changes every 12 to 14 months.  It may be DHCP but does not change much.  When it changes my email dies, I then check the IP address in my router vs the one on "file" with easydns.com in my MX records.  Change the MX record, apply the changes and within 10 minutes my email is working again for another year. No muss, very little fuss and about $500 a year cheaper than a static IP from Comcast.

What I don't know is what has changed or how to fix it?  Why does the email work all day then quit for several hours at night.  Tonight it died a few minutes after 6PM (pacific time) and started up around 10:38.  My IP has been constant throughout this whole time.   It is not a factor of a changing IP.  Either something that Comcast is doing is causing the problem or out of the blue my server has decided that it needs a couple hour break every day.

Ted
Title: Re: Port 25 blocked - Email dead in the water.
Post by: Ted on June 10, 2008, 08:16:01 AM
cactus.  I now see what you were saying.  In my first post I said "Note that my IP address has been changed."  I meant that I had changed it from the actual IP address to abc.de.f.gh .  Not that my IP address itself had changed at anytime in this fiasco.

Ted
Title: Re: Port 25 blocked - Email dead in the water.
Post by: zatnikatel on June 10, 2008, 05:54:57 PM
Non-standard ports are a pain.
It looks more like a port problem. I live in Australia and I have heard many bad things about Comcast on the net.
Delay can mean that if the email server does not use the HELO command, some places will delay it; Yahoo is bad on that. I would say it has more to do with Comcast than anything else. Some email servers may bork at the different port number.

I noticed in the info you sent that a Postfix server was in the logs. SME uses qmail. Is that how your DNS works through easydns: does it go onto their mail server and then get forwarded to SME via your IP address?
Title: Re: Port 25 blocked - Email dead in the water.
Post by: janet on June 10, 2008, 05:59:29 PM
Ted

Quote
Comcast cable blocked port 25 on me


http://wiki.contribs.org/PortRedirect
Title: Re: Port 25 blocked - Email dead in the water.
Post by: zatnikatel on June 10, 2008, 07:08:40 PM
Ted


http://wiki.contribs.org/PortRedirect

That would work fine for him, but I do hate ISPs that block port 25; they want to control what people do, which is not nice.
TechRepublic has many articles that don't have nice things to say about them.
Title: Re: Port 25 blocked - Email dead in the water.
Post by: pherder on June 11, 2008, 02:52:28 AM
FYI Cox Cable does the same thing to its home customers (i.e. block Port 25) so that extra (spam) traffic will not flood their networks from unsecured mail servers (what I was told by a Cox tech).

I will be studying the WIKI info listed above and trying it out.

Paul
Title: Re: Port 25 blocked - Email dead in the water.
Post by: Ted on June 14, 2008, 09:27:31 AM
Fixed it.

I had to attack the problem from the right angle.  Having my Linksys router send all inbound mail (port 25 traffic) to my server on port 587 only worked part of the time.  Why I don't know.  Seems to me that it should have either worked or not worked.  Not worked some time.  But that is how it acted. 

Solution was to configure my Server to use port 587 for SMTP not port 25.

Sonora Communications, Inc.  had the answer.

http://www.sonoracomm.com/index.php?option=com_content&task=view&id=48&Itemid=32

Specifically this part.

:::::::::::::Quote

SME Server Configuration

Here we change the port that SME Server uses for SMTP.

Create a custom template directory:

mkdir -p /etc/e-smith/templates-custom/etc/services/

Copy the original template fragment to customize:

cp /etc/e-smith/templates/etc/services/10standard \
/etc/e-smith/templates-custom/etc/services/10standard

Edit the new fragment:

vim /etc/e-smith/templates-custom/etc/services/10standard

Change the line that says:

smtp 25/tcp mail

To say:

smtp 125/tcp mail

Then rebuild the /etc/services file:

/sbin/e-smith/expand-template /etc/services

Look at the /etc/services file to verify the changes:

cat /etc/services|grep smtp

Actuate the changes:

killall qmail-remote  #optional – only needed if server is bogged down with SPAM
/sbin/e-smith/config setprop smtpd TCPPort 125
/sbin/e-smith/config set ASSP service TCPPort 25 status enabled access public
/sbin/e-smith/signal-event remoteaccess-update
/sbin/e-smith/signal-event email-update

Your  SMTP server should now be listening on port 125.  Test it like this:

telnet localhost 125

You should get something like:

Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 server.your.org mailfront ESMTP

Type 'QUIT' then <enter> to exit.

:::::::::::end Quote::::::::

Though in my case I used 587 not 125
and I skipped this line
/sbin/e-smith/config set ASSP service TCPPort 25 status enabled access public
because I don't believe it applied to me.

What can I say it worked.

Now I only have one small problem to fix.

When I try to send an email via Horde I get this error.

Error  There was an error sending your message: unable to connect to smtp server localhost:25

Now I just have to figure out how to reconfigure Horde to use port 587.

Ted
Title: Re: Port 25 blocked - Email dead in the water.
Post by: zatnikatel on June 14, 2008, 11:55:07 AM
That is good that it worked. Myself, I would have changed ISP to another one that does not block port 25.
Title: Re: Port 25 blocked - Email dead in the water.
Post by: calisun on July 26, 2008, 01:15:14 AM
All my email was fine for several years, all of a sudden I got an email from Comcast saying that they believe my computer is infected and it is sending spam. So they said they blocked port 25 and they told me to configure Outlook to use port 587. (I don't use Outlook, and I don't even use window$, I use Ubuntu)
I followed steps outlined above to change SME server to use port 587, but I still can't send or receive email, no error messages, but the message does not get there.
Any ideas?
Title: Re: Port 25 blocked - Email dead in the water.
Post by: zatnikatel on July 26, 2008, 03:49:41 AM
Yes, piss off Comcast; they are being sued, I hear now. Not a good ISP. Choose one that is not a pain in the ass, or, if they will, point your MX records to your IP address, but you need a static IP address first, or use a dynamic DNS like noip or dyndns.
Title: Re: Port 25 blocked - Email dead in the water.
Post by: calisun on July 26, 2008, 04:29:22 AM
I do have dynamic dns service, and everything was fine for last couple of years.
Title: Re: Port 25 blocked - Email dead in the water.
Post by: mrjhb3 on July 26, 2008, 05:42:58 AM

Now I only have one small problem to fix.

When I try to send a email via Horde I get this error.

Error  There was an error sending your message: unable to connect to smtp server localhost:25

Now I just have to figure out have to reconfigure Horde to use port 587.

Ted


/home/httpd/html/horde/imp/config/servers.php is where it's set for horde.

Either create a custom-template for the line in servers.php or do config setprop smtpd TCPPort 587 ; signal-event email-update.  Servers.php uses this value when it's expanded.

John

Title: Re: Port 25 blocked - Email dead in the water.
Post by: calisun on July 31, 2008, 01:44:34 AM
Ok, I tried everything and I can't get email to work anymore. I think Comcast blocked me totally. Every time I reboot server and cable modem, I keep getting the same IP address. I plug in my computer to the modem directly and I get a different IP, but I plug in my SME server afterwards, and it gets the same IP as before. I tried leaving my server and modem off over night, and next morning I get the same IP.
Looks like Comcast banished my server totally.

So I have found a cheap co-location facility where I will put my server. Much more than what I pay with Comcast, but cheaper than what other co-location facilities are asking for.

My question is, how do I reverse above mentioned instructions, so my email server listens to port 25 again?
Title: Re: Port 25 blocked - Email dead in the water.
Post by: janet on July 31, 2008, 02:00:31 AM
calisun

You don't say what you actually did to change your server port.
If you created a custom template, then delete it and do
signal-event post-upgrade
reboot

or if you used the db command that was suggested then do
config setprop smtpd TCPPort 25
signal-event email-update
Title: Re: Port 25 blocked - Email dead in the water.
Post by: CharlieBrady on July 31, 2008, 02:37:20 AM
Since I do not have a static IP from Comcast, my MX records and DNS issues are handled by www.easydns.  In this case I consulted with the techs at easydns and modified my MX records to direct incoming mail to my home server on port 587.

MX records are unable to do that. However MX records are able to direct your mail to an easydns server, and they can then relay it to you on port 587.
Title: Re: Port 25 blocked - Email dead in the water.
Post by: CharlieBrady on July 31, 2008, 02:39:14 AM
You don't say what you actually did to change your server port.

Not that it was ever necessary to change the server port. The port forwarding panel in the server manager makes it possible for services to effectively listen to multiple ports, so calisun could have forwarded port 587 to localhost:25.
Title: Re: Port 25 blocked - Email dead in the water.
Post by: CharlieBrady on July 31, 2008, 02:43:23 AM
When it changes my email dies, I then check the IP address in my router vs the one on "file" with easydns.com in my MX records. 

Ah, so you have a router with an IP address. That complicates things. That means your SME server isn't connected directly to the Internet, and you need to fiddle with port forwarding in your router before there is any connectivity from the Internet to your SME server.
Title: Re: Port 25 blocked - Email dead in the water.
Post by: arne on August 01, 2008, 11:11:45 PM
The three last posts from CharlieBrady look perfectly right and correct to me, when it comes to arguments and conclusions.

On the other hand, I think the discussion above leaves some unclear arguments as to whether port 25 is really closed or not.

Here is a link to an external port scanner that can tell something about how things (open ports) look from the outside.

I hope it will work: https://www.grc.com/x/ne.dll?bh0bkyd2

If there is a router that has an external IP, port 25 and/or port 587 will have to be forwarded to port 25 at the server.

An external scan will show port 25 or port 587 as open if they are forwarded to port 25 at the server. (And if there is no filtering from the ISP that will block the connection.)

I think it is correct that the only practical way to run mail service on a "non-standard port through the ISP connection" is to use an external mail server that resends from standard port 25 to the preferred non-standard port (587). (Because all other mail servers that try to send mail to you will send on port 25, so it will not help much to listen on a port 587 that no one will use, unless you retransmit to this port yourself.)

The good thing about having a router in front of the SME server is that you can use a non-standard port without any changes or configuration of the SME server at all. (But it will be necessary to use an additional external mail server to resend to the preferred port.)

First of all, one will have to know for sure if one has an external IP at the server or not. From shell type "ifconfig" to see the server IP. Then visit this web page: http://www.myip.dk If the two IPs are the same, you will have an external IP on your server. If they are different there is a router, and forwarding will be required.

If there is a router, a good next step will be to first try to forward port 25 (to 25) and then port 587 (to 25) to see if any of those ports is "visible" via an external port scan.

The last arguments are actually only valid for receiving mail and not sending, but it is a start. (Normally port 25 in the outbound direction will be open for most ISPs.)
To find out if port 25 out is open one can use an internal port scanner and scan a known mail server in the outbound direction, or just try to run the mail server to see if it can send outbound. If it should be blocked in the outbound direction, then it will be required to use an external mail server to resend from the non-standard open port to port 25, so mail can reach other mail servers on the standard port.

By the way, if it should be required to use an alternative port in the outbound direction, how can you reconfigure a standard router or the SME server to do that? This last answer I do not know. (But hopefully port 25 outbound will appear to be open.) (Unless mail addresses can be like this: account@domain.com:587. I cannot remember if this will work or not.)
Title: Re: Port 25 blocked - Email dead in the water.
Post by: arne on August 02, 2008, 08:13:42 AM
To see if there is a "connection" in the inbound traffic direction, one can use the external port scanner as linked above.

To see if there is an open connection in the outbound traffic direction, one method that can be used is this:

Download putty http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
(To a Windows PC)

Know a friend or somebody with a running sme server. (I hope contribs.org can be this friend.)

Connect to the server using the putty program by setting parameters like this:

1. Select "telnet"
2. Type in the address of the server.
3. Port 25.
4. Close windows on exit: Never

The response from the running sme 7.3 (Qmail) mail server (my server at home) will be like this:
"450 Connecting host started transmitting before SMPT greeting"

The response from contribs.org is actually different:
"220 mail.contribs.org ESMTP Postfix"

This shows that contribs.org actually does not use the Qmail server but a Postfix server.
(In my view, for safety reasons no server function should ever be configured to show its identity this way.)
(The more information a hacker has about a server, the more information he has for an attack. Collecting such data will often be the first phase of an attack.)

Of course an outbound port scanner is also an alternative option if one has such a scanner available.

The nmap port scanner can be easily installed on sme 7.3 using yum.

The external port connection in the outbound direction for port 25 can also, or alternatively, be checked like this:

[root@sme73guest ~]# nmap contribs.org -p 25

Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2008-08-02 06:40 CEST
Interesting ports on contribs.org (75.146.90.141):
PORT   STATE SERVICE
25/tcp open  smtp

Nmap run completed -- 1 IP address (1 host up) scanned in 1.356 seconds
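
Added example (not arne's code): the outbound telnet/nmap check described above as a Python function that tells an open port (and records the SMTP greeting it sends) apart from a refused connection and from one that gets no answer at all. The loopback listener and its greeting are constructed so the demo runs offline; `probe_smtp`, `check_ports`, `start_fake_smtp` and `unused_local_port` are names made up for this example.

```python
import socket
import threading


def probe_smtp(host, port, timeout=5.0):
    """Try one TCP connection and return (state, greeting).

    state is 'open' (handshake completed), 'closed' (connection refused),
    'filtered' (no answer before the timeout) or 'unreachable' (other error).
    greeting is the first line the server sent, or None.
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "closed", None
    except socket.timeout:
        return "filtered", None
    except OSError:
        return "unreachable", None
    with sock:
        sock.settimeout(timeout)
        try:
            data = sock.recv(512)
        except OSError:
            # Port accepts connections but sent nothing (or reset) in time.
            return "open", None
    lines = data.decode("ascii", errors="replace").splitlines()
    return "open", (lines[0].strip() if lines else None)


def check_ports(host, ports=(25, 587), timeout=5.0):
    """Probe the standard SMTP port and the submission port on one host."""
    return {port: probe_smtp(host, port, timeout) for port in ports}


def start_fake_smtp(greeting=b"220 mail.example.test ESMTP\r\n"):
    """Constructed stand-in for a mail server: greets one client on loopback."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(greeting)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def unused_local_port():
    """Return a loopback port number that nothing is listening on."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    listening = start_fake_smtp()
    print(listening, probe_smtp("127.0.0.1", listening))
    dead = unused_local_port()
    print(dead, probe_smtp("127.0.0.1", dead))
```

Run from the SME server against a mail host you are allowed to test, `check_ports` answers the same question as the nmap line: a `filtered` result on port 25 with `open` elsewhere points at something between the two machines dropping the traffic.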
Title: Re: Port 25 blocked - Email dead in the water.
Post by: calisun on August 02, 2008, 11:21:06 AM
I did the https://www.grc.com/x/ne.dll?bh0bkyd2
And it tells me that port 25 is stealth and port 587 is closed (I did port forwarding 587 -> 25 localhost)
Title: Re: Port 25 blocked - Email dead in the water.
Post by: Stefano on August 02, 2008, 11:46:41 AM
:::::::Start Quote::::::::
It is not advised to run e-mail servers on a dynamic IP number.

I think this problem might be due to your IP change not being propagated through all the internet instantly. From your copied error messages, it seems that all messages are queued, albeit that they are delayed.
:::::End Quote:::::::::


Ted, could you please use the standard quote code?
reading your post on small screen (palm) is a pain :-)

Thank you

Stefano
Title: Re: Port 25 blocked - Email dead in the water.
Post by: janet on August 02, 2008, 12:20:57 PM
Ted

Have you overlooked Charlie's suggestion/answer? You need to forward port(s) in your router (to your sme).

"Ah, so you have a router with an IP address. That complicates things. That means your SME server isn't connected directly to the Internet, and you need to fiddle with port forwarding in your router before there is any connectivity from the Internet to your SME server."
Title: Re: Port 25 blocked - Email dead in the water.
Post by: arne on August 02, 2008, 07:01:54 PM
Yes, of course, if there is a router there, it will be required to make a port forwarding.

To see the open and working connection, two things must be true:

1. The line or connection from the ISP has to be open for that port. (In that traffic direction.)

2. If there is a NAT router, the proper port forwarding will have to be set up.

If a scan is made using the external scanning tool it should be quite easy to see if there is a router or not.
If there is not a router, ordinary ports like port 80 and port 443 will be visible. If there is a router most ports will be closed.
(Except those forwarded.)
Title: Re: Port 25 blocked - Email dead in the water.
Post by: calisun on August 02, 2008, 07:05:26 PM
calisun

Have you overlooked Charlies suggestion/answer ? You need to forward port(s) in your router (to your sme).

"Ah, so you have a router with an IP address. That complicates things. That means your SME server isn't connected directly to the Internet, and you need to fiddle with port forwarding in your router before there is any connectivity from the Internet to your SME server."


I don't have a router, my SME server is connected directly to the cable modem
Title: Re: Port 25 blocked - Email dead in the water.
Post by: arne on August 02, 2008, 10:22:22 PM
OK.

1. Post a list of those ports that appear as open when doing the external port scan. https://www.grc.com/x/ne.dll?bh0bkyd2

2. Post information about the ip addresses you can see when you type "ifconfig" from shell on server. If you like you can make it anonymous by replacing the two last digits with x like this: 83.192.x.x

3. Go to this web page http://www.myip.dk Post the IP here. The two last digits can again be replaced with .x.x to keep things anonymous.

With this posting we should have some 100 % conclusions how the network connection work, when it comes to the ability to receive mail. These things are actually rather easy to find out about if testing and posting here is done with some accuracy.

(There could still be a router or a firewall there somewhere. This we will now find out.)

By the way, you can also log into shell on the server and type this command, it should bring even more light over the situation:

" traceroute contribs.org "

Post the first 8 steps here. Some of the last digits can be replaced with .x.x if you like.
Title: Re: Port 25 blocked - Email dead in the water.
Post by: janet on August 03, 2008, 12:32:20 AM
calisun

Quote
I don't have a router, my SME server is connected directly to the cable modem

Sorry, that was a quote from Ted that Charlie replied to, and I incorrectly ascribed it to you.

My comment should have been directed to Ted.
Title: Re: Port 25 blocked - Email dead in the water.
Post by: janet on August 03, 2008, 12:43:43 AM
calisun

Quote
I don't have a router, my SME server is connected directly to the cable modem

How is your sme server configured, Server & gateway - dedicated mode ?
What option did you choose for External Interface Configuration ie
option 1  DHCP (Account name as client identifier) or option 2 DHCP (Ethernet address as client identifier) ?

Actually, are you still chasing an answer re your Comcast setup, or have you co-located your server ?
Title: Re: Port 25 blocked - Email dead in the water.
Post by: calisun on August 03, 2008, 06:56:58 AM
Yes, I am still trying to work out Comcast. I just lost my job yesterday, so I am trying to save some $$.

I am leaving for vacation tonight (scheduled before my layoff)(Bastards told me, have fun on your vacation, by the way, here is your last paycheck)
So I will answer all the questions when I return in a little over a week.
Title: Re: Port 25 blocked - Email dead in the water.
Post by: arne on August 03, 2008, 10:44:08 AM
If you post answers to the questions I posted above, there should be some clear conclusions.
Title: Re: Port 25 blocked - Email dead in the water.
Post by: arne on August 07, 2008, 07:39:09 AM
One more additional piece of information.

This command: tcpdump -i eth0 -n tcp port 25

.. will show a listing of all packets as your server tries to send or receive mail.

This command together with the commands mentioned above should give a reasonably clear picture of the network related problems.

Finding out whether two servers can communicate, and if so on which port, is usually a rather simple question with clear conclusions, if the proper tools are used.
Title: Re: Port 25 blocked - Email dead in the water.
Post by: zatnikatel on August 07, 2008, 11:23:05 AM
Just a little thing: I have been told that if you use tcpdump you should use a hub and not a switch, and this I was told by a person who is a very high-level network architect.
Title: Re: Port 25 blocked - Email dead in the water.
Post by: arne on August 07, 2008, 01:44:24 PM
Of course, if you do it (tcpdump) over the network and on another machine than the one you are troubleshooting.

In this case this will probably not be the situation.

If you do it (tcpdump) on the server you are troubleshooting, then the switch/hub problem will not exist. Anyone can send a mail via webmail, and run " tcpdump -i eth0 -n tcp port 25 " and see a printout of the packet traffic. This is supported by the sme server as default.
Title: Re: Port 25 blocked - Email dead in the water.
Post by: electroman00 on August 07, 2008, 04:53:41 PM
First....ISP's typically do not block port 25....they filter port 25.

With that said, one might surmise the solution.

server-manager > email > Change e-mail delivery settings > SMTP server

Although the instructions leave something to be desired, nevertheless read and understand the instructions.

Quote
SMTP server
The server can deliver outgoing messages directly to their destination (recommended in most cases) or can
deliver them via your Internet provider's SMTP server (recommended if you have an unreliable Internet connection
or are using a residential Internet service). If using your Internet provider's SMTP server, specify its
hostname or IP address below. Otherwise leave this field blank.

If your ISP requires Authentication to send mail (all do) use your ISP mail server here with password for any email
account you have setup with them per the instructions above.

i.e. smtp-mail.comcast.com
&
any user & password email account setup on their system for Authentication.

User and password will only be used for authentication of smtp port 25 usage.
SME can then use the port authenticated by that user and all mail from yourmailserver FQDN on SME will be sent on port 25 SMTP.
Keep in mind that any user/system that uses an ISP's smtp port 25 must be authenticated.
Any ISP smtp usage that is not authenticated via a valid user/password is BLOCKED.

So what most think is a port block is actually an authentication block.

MX record should point to yourmailserver FQDN on SME, not your ISP's mail pop3 server.
Your ISP does not block or filter pop3 port 110.
Well they may have an AV or spam blocker running on it.... possibly.
What that means is you can receive all the email you want, to yourmailserver FQDN on your SME.

i.e. mail.mySMEserver.xxx

Sending smtp is filtered, most all ISP's filter port 25 even on a business account.
With a business account you have to provide them with your yourmailserver FQDN and it will be filtered based on that.

Your client mail would use yourmailserver FQDN for send and receive and SME would need
to be within local access to clients.

Client config...

pop
mail.mySMEserver.xxx
smtp
mail.mySMEserver.xxx

If an ISP blocks smtp port 25 then you cannot send via their mail.ISPserver.xxx or any other server.

Another way of saying that is, your ISP is not providing any email service/accounts.

If they provide email accounts to you, you are filtered, not blocked.

Blocked = nothing can use the port.
Filtered = something (not everything) can use the port.

Quote
It is not advised to run e-mail servers on a dynamic IP number.

Cable providers typically have lease times greater than 10 min, so a cable modem can
be offline for up to 10 mins and it should maintain the same IP.
Simple testing is to power the modem down for 10, 20 & 30 mins and check to see if IP is renewed.

Even with a static IP your mail server could be down and all emails that would have been received
would be lost, returned to sender as undeliverable.

Therefore it's advised to have a MX backup, which easydns provides with it's DNS service.

Without easydns MX backup you would need another email server added to the MX record for backup.

Quote
In this case I consulted with the techs at easydns and modified my MX records to direct incoming mail to my home server on port 587.

That only needs to be done if you circumvent port 25 smtp.

If you follow the instructions above you shouldn't have to circumvent port 25 smtp.

If you then have an easydns MX backup on their server, you simply manually request the backup when
your mail server is back in service and back up emails will be sent.

Port Forwarding PF

1 - SME server/gateway > directly connected to internet - no PF needed (default SME)
2 - SME server/gateway > separate firewall DMZ connect to internet - PF 25 & 110 on firewall
3 - SME server only mode > separate firewall DMZ connect to internet - PF 25 & 110 on firewall
4 - SME server only mode > separate firewall LAN connect to internet - PF 25 & 110 on firewall

HTH
Title: Re: Port 25 blocked - Email dead in the water.
Post by: ksg on August 08, 2008, 03:44:53 AM
Increasingly, these days, ISPs and others will not permit any SMTP access from machines with dynamic IP addresses, so running your own SMTP server will still not work unless you have a static IP address. Loa PowerTools, [REMOVE SHAMELESS PLUG] offers a service to overcome this problem.

[REMOVE SHAMELESS PLUG]
Title: Re: Port 25 blocked - Email dead in the water.
Post by: CharlieBrady on August 08, 2008, 04:10:00 AM
Quote
Increasingly, these days, ISPs and others will not permit any SMTP access from machines with dynamic IP addresses ...

Really? Can you provide evidence to support your assertion? Which ISPs don't provide an SMTP server which can be used by their customers?

Title: Re: Port 25 blocked - Email dead in the water.
Post by: janet on August 08, 2008, 04:51:45 AM
ksg

I have been running a mail and web server using sme and using a dynamic IP connection with my ISP for  a couple of years without any problem.

It depends on the policy of the ISP. Just don't use one who does not provide all services, and the one I'm using is both cheap & reliable.

Choose ISP's wisely and shop around first.

There are workarounds (for sme) for situations where ISP's do limit port 25 access.
Title: Re: Port 25 blocked - Email dead in the water.
Post by: pherder on August 08, 2008, 05:07:12 AM
Quote
Really? Can you provide evidence to support your assertion? Which ISPs don't provide an SMTP server which can be used by their customers?

Verizon wireless does not.  I know this personally since I set my mother up with them (Verizon WLAN card built into the laptop).

I guess they expect users of cellular wireless lan cards to be businesses that have their own mail server.  She just happens to be in a location where there isn't any wired high speed ISPs available and this was cheaper than HughesNet.
Title: Re: Port 25 blocked - Email dead in the water.
Post by: ksg on August 08, 2008, 05:12:24 AM
Well, among many, many others:

http://www.ic.gc.ca/epic/site/ecic-ceac.nsf/en/gv00329e.html:

Stopping Spam: Creating a Stronger, Safer Internet
Report of the Task Force on Spam
May 2005
Recommended Best Practices for Internet Service Providers and Other Network Operators

.....

2. ISPs and other network operators should limit, by default, the use of port 25 by end-users. If necessary, the ability to send or receive mail over port 25 should be restricted to hosts on the provider's network. Use of port 25 by end-users should be permitted on an as-needed basis, or as set out in the provider's end-user agreement / terms of service.

Most ISPs and other network operators agree that there is no practical reason for dial-up / dynamic IP-address ranges to have email servers at the customer end.

There are a variety of ways to avoid this. Through their own network management, ISPs and other network operators can block the use of port 25 on an egress basis.

It has been the experience of members of the Working Group that blocking port 25 affects very few users, and that these users can usually be accommodated in other ways.

The benefits of blocking port 25 are frequently dramatic — some ISPs have seen a 95-percent drop in virus emissions, a 98-percent drop in abuse reports, a reduction in internal viruses / compromised machines used to send spam and attendant cost savings in abuse-related network management.


and

http://www.infoworld.com/article/08/06/26/Antispam_group_outlines_defenses_to_block_botnet_spam-IDGNS_1.html

referencing:

http://www.maawg.org/news/maawg080625

Antispam group outlines ways to block spam from botnets
MAAWG recommends new best practices for ISPs to stop increasing volumes of spam

By Jeremy Kirk, IDG News Service

June 26, 2008
...

MAAWG's [the Messaging Anti-Abuse Working Group] primary suggestion for ISPs is to block all machines on dynamic IP addresses that are sending e-mail on port 25 outside their own network unless there are special, legitimate circumstances. The idea has been "very central" to antispam fighters, Cox said.

etc. etc.

Title: Re: Port 25 blocked - Email dead in the water.
Post by: arne on August 08, 2008, 07:38:55 AM
I know at least one ISP that does that control of outgoing port 25 traffic by monitoring the user's traffic, and if the traffic is detected to be "unnormal" the port 25 is closed. The reason I know this is because I have helped a number of people to get their lines opened again after it has been blocked after detection of outgoing spam. The explanation from the ISP has been that there had been a spam detection and that the line would be opened again on port 25 direction out if the spam source has been removed.

By the way if port 25 should be closed, tunneling to some endpoint behind the blocking should work. (But of course the capacity will be less.)
Title: Re: Port 25 blocked - Email dead in the water.
Post by: electroman00 on August 08, 2008, 09:06:58 PM
Quote
"I know at least one ISP that does control of outgoing port 25 traffic by monitoring the users traffic"

 (true but vague)

emails sent in a given time period trap (trap.. not filter)

(I've seen 50 per minute and 10 per second.... ouch)

Spam engines can send a 1000 email in a few seconds.

If you trigger that trap, they will block port 25 and you have to prove you're not running a spam engine and/or infected with a virus.

Notice I said "you have to prove you're not running a spam engine"

Don't say I turned off the email server or I can't send emails from my email server....da...!! :shock:

Tell them you found the virus and fixed it.  8-)

Then they can enable 25 in a heartbeat. :-P

There is no way your ISP can tell if emails are from a client or a server from the emails themselves. (true)

That's why they use a Counter/Time period trap. 8)

Most ISP have the trap because they want and you want them to stop the spammers.

So why not work with them.!!

There's no reason to be angry with them for using the trap, they're doing the right thing, protecting the internet.

They really don't care if you run an email server that doesn't affect their system or customers.

They just want to stop irresponsible asshole spammers.

And they need everyone's help..!!

So everyone needs to be a responsible residential IT and help them, by setting things up properly.

BTW they also run the trap on Business accounts...you can bet on it..!!
So those accounts are a bit more difficult to get turned back on if you trigger the trap.

Residential accounts they first assume you have a virus.
Business accounts they assume you are a spammer first.
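
The counter/time-period trap described in the post above, as an added example that is not part of the original post and not any ISP's actual implementation. The log format, addresses, function names and the choice to count only port 25 are assumptions; the two thresholds are the 50 per minute and 10 per second figures mentioned in the post.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

T0 = datetime(2008, 8, 8, 21, 0, 0)  # constructed start time for the sample log


def sample_log():
    """Build a constructed flow log: '<ISO time> src=<ip> dport=<port>'."""
    events = []
    # Home mail server: one message every 20 s for 10 minutes.
    events += [(T0 + timedelta(seconds=20 * i), "192.0.2.10", 25) for i in range(30)]
    # Same host submitting a burst on 587: not port 25, so never counted.
    events += [(T0 + timedelta(seconds=90), "192.0.2.10", 587) for _ in range(60)]
    # Infected PC: two messages a second for 40 s.
    events += [(T0 + timedelta(seconds=0.5 * i), "192.0.2.66", 25) for i in range(80)]
    # Mailing-list run: 12 messages inside one second, then silence.
    events += [(T0 + timedelta(minutes=5), "192.0.2.99", 25) for _ in range(12)]
    events.sort(key=lambda e: e[0])
    return [f"{t.isoformat()} src={src} dport={port}" for t, src, port in events]


def parse_line(line):
    """Split one log line into (timestamp, source IP, destination port)."""
    stamp, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    return datetime.fromisoformat(stamp), kv["src"], int(kv["dport"])


def trap_hits(lines, limit, window, port=25):
    """Return {source IP: time it first exceeded `limit` connections to `port`
    inside a sliding `window`}. Lines must already be in time order."""
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    tripped = {}
    for line in lines:
        when, src, dport = parse_line(line)
        if dport != port or src in tripped:
            continue
        seen = recent[src]
        seen.append(when)
        # Drop timestamps that have aged out of the window.
        while when - seen[0] >= window:
            seen.popleft()
        if len(seen) > limit:
            tripped[src] = when
    return tripped


if __name__ == "__main__":
    log = sample_log()
    for label, limit, window in (("50/minute", 50, timedelta(minutes=1)),
                                 ("10/second", 10, timedelta(seconds=1))):
        for src, when in trap_hits(log, limit, window).items():
            print(f"{label}: {src} tripped at {when.isoformat()}")
```

The two thresholds catch different senders: the steady two-per-second source only trips the per-minute counter, while the short burst only trips the per-second one, and the low-volume home server trips neither.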

Title: Re: Port 25 blocked - Email dead in the water.
Post by: arne on August 08, 2008, 09:38:04 PM
.. So for reasonable and proper use, port 25 is actually "open" (in the meaning "can be used"), on most internet connection lines, when it comes to the situation for the outbound traffic. For the inbound traffic the situation might be a bit more "variated".

"There is no way your ISP can tell if emails are from a client or a server from the emails themselves. (true)"

.. And because of this a program like Microsoft Outlook would stop working when connected to another mail server than your isp's, if port 25 were "blocked" (in the meaning the internet connection line will not transport data for the customer). I believe that it is not likely to believe that most ISP's will prevent MS Outlook to do its standard job.

Because of this the SME home server will normally also have an open connection out, as long as the internet connection is used in a proper and reasonable way. (But many providers filters/block the port 25 connection in traffic direction inbound. The only practical way to solve this is to have an external mail server that can receive the mail traffic and resend it on an alternative open port in the traffic direction inbound to the server.)

A "standard scenario" will be to find that there is an open connection for outbound traffic, while it might be blocked for port 25 inbound traffic direction.

Then next step will then be to find an alternative open port for the inbound traffic, and then to find a way to set up an external server to resend via this alternative port. By using the forwarding function of the sme server (on the server-manager panel) it can also receive mail on an alternative port.

Right ?!

(No, I do not have all the answers, and I just try to learn something new, and to understand things better all the time.)

By the way these MX records these will have to do something with this situation "to redirect the mail traffic to an external mail server that can resend the traffic to your server on an alternative port". This last step I have actually never tried, but I guess it should work like this.
Title: Re: Port 25 blocked - Email dead in the water.
Post by: CharlieBrady on August 08, 2008, 10:09:28 PM
Quote
Really? Can you provide evidence to support your assertion? Which ISPs don't provide an SMTP server which can be used by their customers?

I don't mean to suggest that there aren't ISPs which block SMTP traffic into or out of their networks.

I was specifically responding to ksg's suggestion that you can't run a mail server on a dynamic IP because other mail servers won't accept mail from such dynamic IPs. The ISPs mail server can be/should be used as outbound SmartHost in those circumstances.
Title: Re: Port 25 blocked - Email dead in the water.
Post by: electroman00 on August 08, 2008, 10:50:42 PM
Quote
Verizon wireless does not.  I know this personally since I set my mother up with them (Verizon WLAN card built into the laptop).

I guess they expect users of cellular wireless lan cards to be businesses that have their own mail server.
She just happens to be in a location where there isn't any wired high speed ISPs available and this was cheaper than HughesNet.

Just as a point of clarification, we're talking about a email server on a wired network.

Also Verizon does provide email accounts on a wireless broadband account.

To use a email client you have to authenticate to Verizon's Network and then authenticate to the email account.

Or use Verizon Webmail....your choice.

My buddy has Verizon Wireless and me was sending emails on his laptop via Outlook Depressed
at 75 mph, works a treat.

You could wire SME to the laptop and setup a wireless email server.

Bridge the wired nic to the wireless nic and wango tango...SME wireless email server.!!

For that matter you could VM and get it done, no wires.
Title: Re: Port 25 blocked - Email dead in the water.
Post by: electroman00 on August 09, 2008, 12:48:36 AM
Quote
I don't mean to suggest that there aren't ISPs which block SMTP traffic into or out of their networks.
Well if there are ISP's that block SMTP traffic then they can't provide user email accounts and that's
not much of a service selling point.
At this point no one has ever shown an ISP that doesn't provide at least 5 email accounts.
I'm sure they're out there and I'm sure their client base is very small, I'm sure I won't use their service.
Quote
I was specifically responding to ksg's suggestion that you can't run a mail server on a dynamic IP because other mail servers won't accept mail from such dynamic IPs. The ISPs mail server can be/should be used as outbound SmartHost in those circumstances.
An email server doesn't care if the IP is static or dynamic, there's nothing in the datagram that would allow that to be disseminated as far as I know.

Although I understand it can be disseminated at the network level via the network config.

i.e. the provider knows via network config that the IP is dynamic and delegates that to the email server.

Quote
can't run a mail server on a dynamic IP because other mail servers won't accept mail from such dynamic IPs

I've never seen any evidence to that effect.

I would think if the ISP mail server won't accept mail from such dynamic IPs of a server
how can it disseminate from such dynamic IPs as client email.

Again I would think that would need to be in the datagram for it to work universally over the internet.

As you can see Charlie I'm having a bit of a problem with this, so feel free to smack me my friend. :-P
Title: Re: Port 25 blocked - Email dead in the water.
Post by: arne on August 09, 2008, 07:44:34 AM
Some years ago there was quite a lot of discussion about mail server blacklists, and in this discussion the option of excluding all mail servers on dynamic IP addresses was mentioned. In this period my mail server with dynamic IP was actually blocked by a few mail servers.  (But it was quite few, so it was not really a problem.)

Example of blacklisting: http://www.mxtoolbox.com/blacklists.aspx

To discriminate or block traffic from mail servers on dynamic IPs is very easy. Dynamic IPs are running on IP series that are reserved for this use, so any firewall in front of or as a part of the mail server can easily filter out traffic from dynamic IP mail servers, if they or we want to.
Title: Re: Port 25 blocked - Email dead in the water.
Post by: arne on August 09, 2008, 08:08:42 AM
To find out if port 25 is blocked for inbound and outbound traffic, and if there are some alternative ports to use, that should be only a 2 minute job, and a few basic commands. It is mentioned somewhere above what these commands are. Doing those commands on this particular server and posting the output here will give a 100 % conclusion about the situation for this particular server.

I wonder if Ted will remember to do these tests, and do the posting, so he will get his final result for what is actually open and what is actually closed, the situation for his data connection and his server.

When the data communication part of the story has an end (as it can have after two minutes of tests), then the next step will be to look into the server related problems of how to use the ports that are actually open, for inbound and outbound traffic.

Step one: Doing basic commands for checking for open ports for inbound and outbound traffic (and posting result here), will it be done ?

(Or for the outgoing connection the easiest first step might be just to set up the server, post a mail to a gmail account and eventually post the output of the mail server log here, if it does not come through.)
Title: Re: Port 25 blocked - Email dead in the water.
Post by: janet on August 09, 2008, 12:59:19 PM
Quote
I have been running a mail and web server using sme and using a dynamic IP connection with my ISP for  a couple of years without any problem.

Of course in this situation I configure the sme server to send mail via my ISP's smtp server.

If I did not do that then all mail from me to other domains cannot be delivered as it gets blocked/filtered due to my dynamic IP block/range being included on RBL's as a potential spam source.

By using my ISP's smtp server, the sending IP has the "good" reputation of my ISP and hopefully/usually is not blocked/listed by spam filters/RBL's.
Title: Re: Port 25 blocked - Email dead in the water.
Post by: arne on August 09, 2008, 01:18:38 PM
Tried one other funny way to check if port 25 (and other tcp ports) is open in the direction for outbound traffic:

I downloaded and installed Slax (Linux) on a USB memory stick.  http://www.slax.org/

Then added two extra modules, telnet and nmap, rebooted PC and tested connection from this wireless spot:

root@slax:~#
root@slax:~# nmap -PN -p 25 contribs.org

Starting Nmap 4.60 ( http://nmap.org ) at 2008-08-09 18:06 GMT
Interesting ports on contribs.org (75.146.90.141):
PORT   STATE SERVICE
25/tcp open  smtp

Nmap done: 1 IP address (1 host up) scanned in 0.539 seconds
root@slax:~#
root@slax:~# telnet contribs.org 25
Trying 75.146.90.141...
Connected to contribs.org.
Escape character is '^]'.
220 mail.contribs.org ESMTP Postfix
quit
221 2.0.0 Bye
Connection closed by foreign host.
root@slax:~#   

Clearly shows that it is open from here.

Also worked and shows I am behind a router with an internal and an external ip address:

root@slax:~# traceroute contribs.org
traceroute to contribs.org (75.146.90.141), 30 hops max, 38 byte packets
 1  192.168.1.1 (192.168.1.1)  2.267 ms  2.601 ms  2.376 ms
 2  119.42.x.x (119.42.x.x)  49.092 ms  51.223 ms  49.350 ms
 3  61.7.x.x (61.7.x.x)  65.560 ms  49.588 ms  49.007 ms
 4  202.47.x.x (202.47.x.x)  50.425 ms  58.601 ms  49.485 ms

And my Slax laptop has only one ethernet adapter that has an internal ip:
(So it can not be running in gateway mode, and obviously there is another nat router that will work like an inbound "firewall" and that will eventually need forwarding.)

root@slax:~# ifconfig
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

wlan0     Link encap:Ethernet  HWaddr 00:13:04:11:d6:0a
          inet addr:192.168.1.122  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:10500 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8843 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:8068025 (7.6 MiB)  TX bytes:1481701 (1.4 MiB)

By just adding nmap via Yum, the same commands should work on the sme server as well.
(And this should also be the required info about the outbound port 25 connection.)
Title: Re: Port 25 blocked - Email dead in the water.
Post by: arne on August 09, 2008, 03:33:11 PM
.. And how to see if the line is open on port x in inbound traffic direction:

If the commands ifconfig and tracert tell you that you are behind a nat router, you will have to set up a port forwarding through that router. (Eventually to localhost if the sme server is the gateway.)

Then you can run some server with a sshd or a web server. These two protocols/servers are quite easy and good to use for testing connections.

You must have some remote machine to perform the testing from to see your own server from the internet side.

The remote machine can be for instance a Linux machine, a sme server or something else or it can be a Windows machine located somewhere running logmein or some other remote control software. (VNC etc).

Example, it is a remote Linux machine:

Forward the port you like to test, lets say port 2525 to your local servers port 80.

Then log in via ssh and use the text based web browser lynx, on the remote Linux machine, to access your external ip address on port 2525. If lynx has connection the port is open. (Yes lynx is a standard part of the sme distro.)

To forward port 2525 to port 22 and do a remote ssh login on external ip port 2525 is also an option.

If the remote machine used for testing from the outside is a windows machine, you can just forward port 2525 to server port 80 and go in from the remote windows web browser like this: http://<your external ip>:2525. If you can see your web server, the connection is open on port 2525 in inbound traffic direction.

There is actually no need to discuss at all if an internet connection is open on some certain port, inbound or outbound direction, it is just to do some simple tests, and then you will know it for sure.
Title: Re: Port 25 blocked - Email dead in the water.
Post by: electroman00 on August 09, 2008, 03:58:30 PM
Arne

Here's a good place to start to understand things better http://en.wikipedia.org/wiki/Smtp

Quote
.. So for reasonable and proper use, port 25 is actually "open" (in the meaning "can be used"), on most internet connection lines, when it comes to the situation for the outbound traffic. For the inbound traffic the situation might be a bit more "variated".

Your outbound (send) Port 25 SMTP may be blocked or filtered by your ISP, your inbound (receive) port 25 will not be blocked or filtered by your ISP.

Your ISP may AV scan or spam whitelist blacklist inbound (receive) emails.

Quote
And because of this a program like Microsoft Outlook would stop working when connected to another mail server than your isp's, if port 25 were "blocked" (in the meaning the internet connection line will not transport data for the customer). I believe that it is not likely to believe that most ISP's will prevent MS Outlook to do its standard job.

Outlook will work fine once you have your email server working.

Quote
Because of this the SME home server will normally also have an open connection out, as long as the internet connection is used in a proper and reasonable way.
Correct....

Quote
(No, I do not have all the answers, and I just try to learn something new, and to understand things better all the time.)
A smart guy are you, well then here's a Question >> Why is the night sky dark.
Just so you know...nobody has answered it correctly yet. Clue >> five word answer.

Quote
By the way these MX records these will have to do something with this situation "to redirect the mail traffic to an external mail server that can resend the traffic to your server on an alternative port". This last step I have actually never tried, but I guess it should work like this.

This will help you to understand MX Records >> http://en.wikipedia.org/wiki/MX_Record
Title: Re: Port 25 blocked - Email dead in the water.
Post by: electroman00 on August 09, 2008, 05:09:06 PM
Quote
But many providers filters/block the port 25 connection in traffic direction inbound.
Your question is not qualified, so a qualified answer can not be given.

This is one of the reasons why there is so much disinformation within the IT universe.

As an IT tech it is important to always maintain a perspective from where you are looking.

To complicate the perspective further, one must maintain both a logical and a physical perspective.

Here's an example.

When I look over the fence I see the horizon.

From that unqualified statement no one can give a qualified answer as to what horizon is being seen.

To qualify the statement further....

The fence runs North to South and When I look over the fence I see the horizon.

Still a qualified answer cannot be given because we don't know which side of the fence one is standing
and thus the perspective.

To again qualify further

The fence runs North to South and I am standing on the west side of the fence looking east and When I look over the fence I see the horizon.

That is a fully qualified statement and one can now disseminate a qualified answer as to what horizon is seen.

The sunrise horizon is the qualified answer.

To qualify the statement to enable a qualified answer, the statement would need to be...

But many providers filters/block the port 25 connection in traffic direction inbound to my server.

or

But many providers filters/block the port 25 connection in traffic direction inbound to my ISP's server.

Both statements will yield a distinctly different qualified response statement.

Data flow within a network is direction dependent.

Although you did qualify the direction you did not qualify your perspective, thus a qualified answer cannot be given.

Any answer statement at this point has a 50/50 chance of being misleading/incorrect.

So it is very important to maintain an awareness of perspective and be accurate in any descriptive statement and/or query statement.

HTH enjoy...
Title: Re: Port 25 blocked - Email dead in the water.
Post by: arne on August 09, 2008, 05:54:10 PM
Well - "Email dead in the water." - Why is it like that ?

To check for open ports and connection, and to set up a basic mail server that is something that anyone can do.

At least I can not remember one time it did not work for the last five years.

This will be like the theory about riding a bicycle. If you try to analyse it using vectors and mathematical tools, bicycling is almost impossible. If you just do it, it works. After ten years of bicycling you just don't worry too much about the theory.

But - I have not tried to set up a working mail server behind a firewall or a data connection that is confirmed to be blocked on port 25. This would be interesting to try to do or to participate in. First it should be tested out what ports are open and which are not. If the log shows traffic from a to b, then the connection is open.


 
Title: Re: Port 25 blocked - Email dead in the water.
Post by: arne on August 09, 2008, 06:58:21 PM
To check out which ports are open for inbound and outbound traffic should be something very basic and there should not be any problems in that at all. I have used the same simple Linux commands for approx ten years, and I can not remember any case where the methods did not work or gave incorrect results.

So then when it is stated which ports are available, it should be just a question of how to use the ports that are available. There will almost be some that can be used. I can see that there are some commercial vendors that do the resending on an alternative port for a small fee. (Don't know if there are free services that can do the same.)

http://www.rollernet.us/services.php (Have not tried this at all.)

"Email dead in the water." - But there should not be any good reasons for that. This thread should have an easy answer, if just the owner of the thread is willing to do what should be done to solve this problem..
Title: Re: Port 25 blocked - Email dead in the water.
Post by: electroman00 on August 09, 2008, 07:09:23 PM
Super-Scan 3

Super-Scan4 is SS3 with a lot of features stripped out for good reason.

SS3 is very reliable scanner, it has never given a faulty scan.

SS3 is very difficult to find on the net and I cannot post a download link to it...sorry.

Be aware most SS3 d/l links will d/l SS4.

Warning: If you find it, use it very wisely.
Title: Re: Port 25 blocked - Email dead in the water.
Post by: zatnikatel on August 09, 2008, 07:20:48 PM
It was easy to find, first thing that came up in Google. Super-Scan 3, not a bad little program at all

http://www.foundstone.com/us/resources/proddesc/superscan3.htm
Title: Re: Port 25 blocked - Email dead in the water.
Post by: arne on August 09, 2008, 11:38:27 PM
Superscan has been one of my basic Windows tools since it was released from Foundstone.

It used to be included on the CD included with the Foundstone book "Hacking Exposed".

I have used to buy all revisions of this book, over the years, as it has been revised.

Some of the methods I have described above (if not actually all) to check if ports are open for traffic etc are described in this book "Hacking Exposed".

I agree that Superscan 3 is very easy and quick to use. On the other hand I think that nmap of Linux has more advanced tools and is more flexible. But it is more difficult to use and it requires a bit more training and understanding than Superscan 3.

By the way, I think I have found the simplest of all simple methods to find out if the port 25 is open in the traffic direction for outbound traffic. (I did not know it, but I found it when googling.)

From the dos shell in Windows XP (!!), type the following command:

" telnet contribs.org 25 "

If the port 25 is open for traffic out, the mail server of contribs org will answer:

220 mail.contribs.org ESMTP Postfix

If one goes to the chapter about mail servers in the book "Hacking Exposed", I think this method of checking for an open connection and to probe a mail server is described there. (But I can not remember they mentioned that it could be done in Windows/dos also, I think they only mentioned Linux)

To check if ports are open for traffic out or in should be something very simple and basic, and something one should do quite early and easy.

But if they are closed, I have to admit I don't know what to do. That's another discussion. In the real cases I have had, I have until now just called the ISP and explained the situation, and they have opened for port 25.

I just also tested Superscan 3 at contribs.org port 25, and it just showed the same response:

220 mail.contribs.org ESMTP Postfix

By the way, Superscan 3 is a much more primitive tool than nmap. They can hardly be compared at all. But it is quite easy to use. Is Superscan 4 a stripped down version of Superscan 3 ? It is some years since I tested Superscan 4 but it was not my impression at that time. I still use Superscan 3 as a tool when I want a portscanner of the type "one click and no thinking". One thing it is very good at is actually questions of the type: "give me all mail servers in ip range .."
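
The telnet check in the post above and the nmap/telnet session earlier in the thread, written as a script that separates the outcomes a one-port test can have (added example, not part of the original posts). The function names, state labels and the loopback listener standing in for a remote mail server are assumptions; mail.example.test is a constructed name.

```python
import socket
import threading


def probe_smtp(host, port=25, timeout=5.0):
    """Connect like `telnet host port` and classify the outcome.

    Returns (state, detail) where state is one of:
      open      TCP connect succeeded and the server greeted with 220
      no-banner TCP connect succeeded but no 220 greeting arrived
      refused   the host answered with a reset: reachable, nothing listening
      timeout   no answer at all: packets are being dropped on the path
      error     name lookup failure or another socket error
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return ("refused", "connection refused")
    except socket.timeout:
        return ("timeout", "connect timed out")
    except OSError as exc:
        return ("error", str(exc))
    with sock:
        try:
            data = sock.recv(512)   # the greeting is sent by the server first
        except socket.timeout:
            return ("no-banner", "connected, but no greeting before timeout")
        except OSError as exc:
            return ("error", str(exc))
    lines = data.decode("ascii", "replace").splitlines()
    greeting = lines[0] if lines else ""
    if greeting.startswith("220"):
        return ("open", greeting)
    return ("no-banner", greeting or "peer closed without a greeting")


def local_listener(banner=None):
    """Constructed stand-in for a mail server, bound to loopback only.
    Sends `banner` (bytes) if given, otherwise accepts and stays silent."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        try:
            if banner:
                conn.sendall(banner)
            conn.recv(1)            # wait until the client hangs up
        except OSError:
            pass
        finally:
            conn.close()
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def unused_port():
    """Return a loopback port that nothing is listening on."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    greeting_port = local_listener(b"220 mail.example.test ESMTP\r\n")
    print(probe_smtp("127.0.0.1", greeting_port, timeout=2))
    print(probe_smtp("127.0.0.1", local_listener(), timeout=0.5))
    print(probe_smtp("127.0.0.1", unused_port(), timeout=2))
```

A "refused" result means the path is open and only the service is missing, while "timeout" matches the "Connection timed out" lines in the log at the top of the thread and points at something dropping packets between the two ends.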



Title: Re: Port 25 blocked - Email dead in the water.
Post by: byte on August 10, 2008, 01:06:03 AM
This topic has gone off topic (a while ago during thread) as it's now general talk about port 25. Locking thread.