Backing up a bit in the conversation, perhaps this is just in some regions of comcastlandia? I don't see this in Northern Virginia...

$ openssl s_client -starttls smtp -connect my-mailserver.net:587
CONNECTED(00000003)
depth=0 description = kVjtrCL8rUdvd00q, C = US, CN = my-mailserver.net, emailAddress = my-emailaddrss.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 description = kVjtrCL8rUdvd00q, C = US, CN = my-mailsever.net, emailAddress = my-emailaddress.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 description = kVjtrCL8rUdvd00q, C = US, CN = my-mailserver.net, emailAddress = my-emailaddress.com
verify error:num=21:unable to verify the first certificate
verify return:1
...
Certificate chain
 0 s:/description=kVjtrCL8rUdvd00q/C=US/CN=my-mailserver.net/emailAddress=y-emailaddress.com
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
...
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol : TLSv1.2
    Cipher : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: FC3E47AF2A2A96BF6DE6E11F96B02A0C41A6542864271F2901F09594DE9A48FA
    Session-ID-ctx:
    Master-Key: BE7FB76EF5C0A9BA507B175026F73E67080D6442201FDF28F536FA38197A9B1353D644EEAF8D0D264328F94B2EF5742C
    Key-Arg : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1417286582
    Timeout : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
250 DSN
ehlo me
250-my-mailserver.net
250-PIPELINING

On Sat, Nov 29, 2014 at 12:26 PM, Jean-Francois Mezei <jfmezei_na...@vaxination.ca> wrote:

> On 14-11-29 11:07, Sander Steffann wrote:
>
>> I am so glad that our Dutch net neutrality laws state that "providers of
>> Internet access services may not hinder or delay any services or
>> applications on the Internet" (unless [...], but those exceptions make sense)
>
> However, in the case of SMTP, due to the amount of spam, most ISPs break
> "network neutrality" by blocking outbound port 25 for instance, and
> their SMTP servers will block many incoming emails (spam). However,
> SMTP is a layer or two above the network. But blocking port 25 is at the
> network level.
>
> I have seen wi-fi systems where you ask to connect to 20.21.22.23 port
> 25, and you get connected to 50.51.52.53 port 25. (the ISP's own SMTP
> server). I would rather they just block it than redirect you without
> warning to an SMTP server of their own where they can look at your
> outbound email, pretend to accept it, and never deliver it.
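
Added example, not part of the original thread: a small Python check over a captured SMTP banner and EHLO reply that flags the two symptoms discussed here, a server other than the one you dialed answering and STARTTLS missing from the advertised extensions. The function names, the host smtp.isp.example and both transcripts are constructed for illustration.

```python
import re

# Constructed transcripts (server lines only), not captures from the thread.
GOOD = ("220 my-mailserver.net ESMTP\n250-my-mailserver.net\n"
        "250-PIPELINING\n250-STARTTLS\n250 DSN\n")
REDIRECTED = ("220 smtp.isp.example ESMTP\n250-smtp.isp.example\n"
              "250-PIPELINING\n250 DSN\n")

def parse_smtp_replies(transcript):
    """Group reply lines into (code, [texts]); 'NNN-' continues, 'NNN ' ends a reply."""
    replies, current = [], []
    for line in transcript.splitlines():
        m = re.match(r"^(\d{3})([ -])(.*)$", line)
        if not m:
            continue  # skip anything that is not a server reply line
        code, sep, text = m.groups()
        current.append(text)
        if sep == " ":
            replies.append((int(code), current))
            current = []
    return replies

def check_session(transcript, expected_host):
    """Return findings for a banner + EHLO transcript; an empty list means nothing odd."""
    replies = parse_smtp_replies(transcript)
    banner = next((r for r in replies if r[0] == 220), None)
    ehlo = next((r for r in replies if r[0] == 250), None)
    if banner is None or ehlo is None:
        return ["incomplete transcript"]
    findings = []
    # The first word of the 220 greeting is the server's self-reported name.
    banner_host = (banner[1][0].split() or [""])[0].lower()
    if banner_host != expected_host.lower():
        findings.append(f"banner names {banner_host}, expected {expected_host}")
    # EHLO lines after the first carry one extension keyword each.
    keywords = {t.split()[0].upper() for t in ehlo[1][1:] if t.split()}
    if "STARTTLS" not in keywords:
        findings.append("STARTTLS not advertised")
    return findings

if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("redirected", REDIRECTED)):
        print(name, check_session(sample, "my-mailserver.net"))
```

The banner is unauthenticated and a redirecting server can echo any name, so a clean result here is only a hint; verifying the certificate chain and name after STARTTLS, which the `openssl s_client` run above could not do (return code 21), is the check that actually proves which server answered.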