Re: Comcast blocking port 25? (not what you think)
On Mon, May 10, 2004 at 06:47:42AM -0400, Travis Roy wrote:
> This isn't about Comcast blocking port 25 to prevent you from running a server..
> Recently my parents (that use Comcast) can no longer connect to port 25 of my server.. one that is legit, has correct reverse and MX records.
> Has anybody else seen this?
> Can anybody suggest a workaround.

Might be a local thing. I was able to hit scootz.net, port 25.

I've had problems before with remote hosts not accepting connections from my machine because I'm in comcast's DHCP pool. AOL and TWC caused big problems. I got around the issue by smarthosting to smtp.comcast.net. You may want to have your parents try the same thing.

-Mark
Re: Comcast blocking port 25? (not what you think)
Mark Komarinski wrote:
> On Mon, May 10, 2004 at 06:47:42AM -0400, Travis Roy wrote:
>> This isn't about Comcast blocking port 25 to prevent you from running a server..
>> Recently my parents (that use Comcast) can no longer connect to port 25 of my server.. one that is legit, has correct reverse and MX records.
>> Has anybody else seen this?
>> Can anybody suggest a workaround.
>
> Might be a local thing. I was able to hit scootz.net, port 25.
>
> I've had problems before with remote hosts not accepting connections from my machine because I'm in comcast's DHCP pool. AOL and TWC caused big problems. I got around the issue by smarthosting to smtp.comcast.net. You may want to have your parents try the same thing.

My parents use outlook and connect to my server. I allow the connection. They don't run a server. I just had another friend try to connect and he got thru also.

Might be a local thing. I had a friend that got his port 80 blocked (during that big code red thing) and they never unblocked it on his segment. He called and called but they refused to unblock it for him yet everybody else was unblocked.

___
gnhlug-discuss mailing list
[EMAIL PROTECTED]
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss
Re: Comcast blocking port 25? (not what you think)
> This isn't about Comcast blocking port 25 to prevent you from running a server..
> Recently my parents (that use Comcast) can no longer connect to port 25 of my server.. one that is legit, has correct reverse and MX records.
> Has anybody else seen this?

Damn, looks like mine is blocked too. *sigh* I run a mail server so I don't have to worry about comcast's incoming email limits on attachments, mailbox size, etc. Or comcast outages.

> Can anybody suggest a workaround.

Run the mail server on a different port redirect. *sigh* There are some services that will do this. I'm looking them up right now.
Re: Comcast blocking port 25? (not what you think)
Travis Roy wrote:
> This isn't about Comcast blocking port 25 to prevent you from running a server..
> Recently my parents (that use Comcast) can no longer connect to port 25 of my server.. one that is legit, has correct reverse and MX records.
> Has anybody else seen this?

I've heard rumors of it, but have never seen it yet. The concept, of course, being egress filtering to block the spread of viruses/worms that send their own emails. As I know a lot of businesses use authenticated SMTP to allow workers to email from home, but still pass it through the company's mail servers (for various purposes), this will cause some grief if it becomes common. I have a couple whose CEOs would go ballistic if it happens to their Comcast connections. (I'll pre-explain it to them so Comcast takes the brunt, rather than us, FWIW.) Thanks for the heads up that this may be becoming a reality. Is your parents' physical location local to NH?

> Can anybody suggest a workaround.

Configure your email server to listen on an alternate port. Configure their email clients to send on the alternate port. For example, I've used port 8025. In Postfix I add a line to master.cf:

    your.ip.number:8025 inet n - y - - smtpd

Model it after your standard smtp listener:

    smtp inet n - y - - smtpd

Sendmail, Exim, Qmail, etc. and email client configuration is left as an exercise for the reader. ;-)

-- 
Dan Jenkins ([EMAIL PROTECTED])
Rastech Inc., Bedford, NH, USA --- 1-603-624-7272
*** Technical Support for over a Quarter Century
Re: Comcast blocking port 25? (not what you think)
>> Can anybody suggest a workaround.
>
> Run the mail server on a different port redirect. *sigh* There are some services that will do this. I'm looking them up right now.

http://www.dyndns.org/services/mailhop/relay.html is one
Re: Comcast blocking port 25? (not what you think)
On Mon, May 10, 2004 at 09:45:05AM -0400, Travis Roy wrote:
> My parents use outlook and connect to my server. I allow the connection. They don't run a server. I just had another friend try to connect and he got thru also.
>
> Might be a local thing. I had a friend that got his port 80 blocked (during that big code red thing) and they never unblocked it on his segment. He called and called but they refused to unblock it for him yet everybody else was unblocked.

Trav - access to port 25 on scootz.net looks just fine from here. Telnetting from kinz.org (DHCP pool on comcast) to port 25 worked just fine. Also - telnetting in from a static IP in CT on SBC to port 25 worked as well.

    telnet scootz.net 25
    Trying 69.84.130.26...
    Connected to scootz.net.
    Escape character is '^]'.
    220 scootz.net ESMTP Sendmail 8.12.8/8.12.8; Mon, 10 May 2004 09:54:22 -0400
    quit
    221 2.0.0 scootz.net closing connection
    Connection closed by foreign host.

// traceroute from SBC location:

    traceroute scootz.net
    traceroute to scootz.net (69.84.130.26), 30 hops max, 38 byte packets
     1  192.168.5.1 (192.168.5.1)  1.153 ms  1.060 ms  0.999 ms
     2  bras1-l0.mrdnct.snet.net (204.60.4.34)  27.659 ms  15.924 ms  18.960 ms
     3  dist2-vlan60.mrdnct.sbcglobal.net (66.159.184.227)  22.440 ms  21.193 ms  19.895 ms
     4  bb1-g6-0.mrdnct.sbcglobal.net (66.159.184.115)  21.502 ms  19.073 ms  16.356 ms
     5  bb1-p9-0.nycmny.sbcglobal.net (151.164.241.69)  25.925 ms  22.940 ms  22.147 ms
     6  bb1-p9-0.pxnyny.sbcglobal.net (151.164.189.62)  26.375 ms  21.271 ms  21.194 ms
     7  asn3561-cwusa.pxnyny.sbcglobal.net (151.164.248.82)  24.945 ms  22.940 ms  22.298 ms
     8  agr3-loopback.NewYork.savvis.net (206.24.194.103)  25.831 ms  agr4-loopback.NewYork.savvis.net (206.24.194.104)  22.397 ms  21.820 ms
     9  dcr1-so-6-2-0.NewYork.savvis.net (206.24.207.57)  24.906 ms  dcr2-so-7-3-0.NewYork.savvis.net (206.24.207.205)  22.378 ms  dcr2-so-6-2-0.NewYork.savvis.net (206.24.207.185)  21.624 ms
    10  acr1-loopback.Boston.savvis.net (208.172.50.61)  31.494 ms  30.481 ms  27.112 ms
    11  208.172.51.54 (208.172.51.54)  48.265 ms  47.336 ms  42.689 ms
    12  internap.Boston.savvis.net (208.172.49.138)  36.530 ms  33.408 ms  33.190 ms
    13  border3.ge0-0-bbnet1.bsn.pnap.net (63.251.128.7)  35.139 ms  35.159 ms  33.096 ms
    14  dreamcom-2.border3.bsn.pnap.net (66.151.179.102)  37.016 ms  33.538 ms  34.566 ms
    15  66.151.189.2-rev.colospace.com (66.151.189.2)  125.296 ms  128.668 ms  139.889 ms
    16  man-colo-core-02-s1-1-0.man.colospace.net (63.251.138.250)  39.467 ms  38.094 ms  35.867 ms
    17  scootz.net (69.84.130.26)  39.259 ms  33.721 ms  33.491 ms

-- 
Jeff Kinz, Open-PC, Emergent Research, Hudson, MA.
[EMAIL PROTECTED] is copyright 2003. Use is restricted. Any use is an acceptance of the offer at http://www.kinz.org/policy.html.
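The manual telnet check above only answers "did it connect". The Python below is an added example (my code, not Jeff's or any other participant's) that separates the three outcomes that matter when an ISP filter is suspected: a completed handshake, an immediate RST (host up, nothing listening on that port), and silence until the timeout, which is how an egress filter that drops packets presents itself. It probes 587 and 465 alongside 25, because "25 filtered, 587 open" from the same vantage point is the usual fingerprint of provider filtering rather than a dead server. The host name scootz.net comes from the thread; the verdict strings and the local_listener() helper, which exists only so the classifier can be exercised with no network access, are assumptions of mine.

```python
"""Classify why a TCP connect to an SMTP port fails.

Added example for this thread; not code posted by any participant.
"""
import socket
import sys


def probe(host, port, timeout=3.0):
    """Return 'open', 'refused', 'filtered' or 'unreachable' for host:port.

    'filtered' (no SYN-ACK and no RST before the timeout) is what an ISP's
    outbound port-25 block normally looks like; 'refused' means the host
    answered with RST, so the path is fine and the daemon is just not there.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:          # alias of TimeoutError on Python >= 3.10
        return "filtered"
    except OSError:
        # ENETUNREACH, EHOSTUNREACH, name-resolution failure, ...:
        # a routing or DNS problem, not a port filter
        return "unreachable"


def smtp_banner(host, port, timeout=3.0):
    """Read the 220 greeting if something is listening; None otherwise."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            return s.recv(512).decode("ascii", "replace").strip() or None
    except OSError:
        return None


def compare_ports(host, ports=(25, 587, 465), timeout=3.0):
    """Probe the MX port and the two submission ports from this vantage point."""
    return {p: probe(host, p, timeout) for p in ports}


def diagnose(results):
    """One-line verdict from a compare_ports() result (wording is mine)."""
    others = [v for p, v in results.items() if p != 25]
    if results.get(25) == "open":
        return "port 25 reachable: the problem is not a port filter on this path"
    if results.get(25) == "filtered" and "open" in others:
        return "port 25 filtered but a submission port answers: ISP egress filter; use 587/465 or a smarthost"
    if results and all(v == "filtered" for v in results.values()):
        return "everything times out: host down, fully firewalled, or no route"
    return "port 25 not reachable: check the server and routing before blaming the ISP"


def local_listener():
    """Ephemeral loopback listener so the classifier can be exercised offline."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(5)
    return s, s.getsockname()[1]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "scootz.net"
    res = compare_ports(target)
    for port, state in sorted(res.items()):
        print(f"{target}:{port:<4} {state}")
    print(diagnose(res))
```

Run it once from the affected Comcast address and once from somewhere else (as Jeff did with kinz.org and the SBC static IP): if 25 is "filtered" from only one vantage point while 587 is "open" from both, the filter is on the client's path, not on the server.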
Re: Comcast blocking port 25? (not what you think)
> They might be blocked by an outgoing filter too. I just found that my work does that. zonedit.com has an smtp test that gets to my server

Yah, but it would have to be comcast's filter. Since my parents don't have any filter.

> You could try tricks with netcat or iptables to redirect on your local machine. Or an ssh tunnel.

Yah, that's what I'm going to have to do.. BLAH.. stupid comcast.
Re: Comcast blocking port 25? (not what you think)
On Mon, 10 May 2004, at 6:47am, [EMAIL PROTECTED] wrote:
> Recently my parents (that use Comcast) can no longer connect to port 25 of my server.. one that is legit, has correct reverse and MX records. Has anybody else seen this?

More and more ISPs are blocking port 25 outbound on consumer feeds to fight spam. I'm pretty sure that's what you're seeing. You have two options: (1) Configure their system to relay through Comcast's SMTP relay when on Comcast's network, or (2) use an alternate means of submission. An alternate means of submission might mean adding an additional SMTP listener on a non-standard port; using an MSA (Mail Submission Agent); using a tunnel of some kind (such as with SSH or IPsec).

-- 
Ben Scott [EMAIL PROTECTED]
| The opinions expressed in this message are those of the author and do |
| not represent the views or policy of any other person or organization. |
| All information is provided without warranty of any kind. |
Re: Comcast blocking port 25? (not what you think)
On Mon, 10 May 2004, at 10:25am, [EMAIL PROTECTED] wrote:
> Yah, that's what I'm going to have to do.. BLAH.. stupid comcast.

Get used to it. More and more ISPs are adding this. And I cannot say I entirely disagree with the policy.

-- 
Ben Scott [EMAIL PROTECTED]
Re: Comcast blocking port 25? (not what you think)
On Monday, May 10th 2004 at 06:47 -0400, quoth Travis Roy:
=This isn't about Comcast blocking port 25 to prevent you from running a
=server..
=
=Recently my parents (that use Comcast) can no longer connect to port 25
=of my server.. one that is legit, has correct reverse and MX records.
=
=Has anybody else seen this?
=
=Can anybody suggest a workaround.

This is no help for your problem, but I'll tell you what happened to me.

I'm in Framingham and I have a choice (currently) between RCN and comcast.

I'm with RCN but a while ago they shut off incoming port 80. Later on they shut off outgoing port 25. For the princely sum of only $240/year, I get the honor and privilege of having those ports opened up. And I'm guaranteed that my IP address won't change. Ever.

-- 
Time flies like the wind. Fruit flies like a banana. Stranger things have happened but none stranger than this. Does your driver's license say Organ Donor? Black holes are where God divided by zero. Listen to me! We are all individuals! What if this weren't a hypothetical question?
steveo at syslang.net
Re: Comcast blocking port 25? (not what you think)
Steven W. Orr wrote:
> On Monday, May 10th 2004 at 06:47 -0400, quoth Travis Roy:
> =This isn't about Comcast blocking port 25 to prevent you from running a
> =server..
> =
> =Recently my parents (that use Comcast) can no longer connect to port 25
> =of my server.. one that is legit, has correct reverse and MX records.
> =
> =Has anybody else seen this?
> =
> =Can anybody suggest a workaround.
>
> This is no help for your problem, but I'll tell you what happened to me.
>
> I'm in Framingham and I have a choice (currently) between RCN and comcast.
>
> I'm with RCN but a while ago they shut off incoming port 80. Later on they shut off outgoing port 25. For the princely sum of only $240/year, I get the honor and privilege of having those ports opened up. And I'm guaranteed that my IP address won't change. Ever.

Yah, my parents won't go for that.. They're too far away for DSL too, plus they get comcast TV/Phone/Net service for the bulk discount. They (being just end users) of course see it as something on my end, even after explaining it 20 times..

I just find it stupid that they would do something like this. It's one thing to block port 80 since running a webserver is against the AUP/TOS, but to block access to an outside mail server smells of crushing the competition and limiting choice.
Re: Comcast blocking port 25? (not what you think)
[EMAIL PROTECTED] wrote:
> On Mon, 10 May 2004, at 10:25am, [EMAIL PROTECTED] wrote:
>> Yah, that's what I'm going to have to do.. BLAH.. stupid comcast.
>
> Get used to it. More and more ISPs are adding this. And I cannot say I entirely disagree with the policy.

Why? They are blocking access to an outside mail server, one that is legit, it has a static IP, it has proper reverse DNS and MX records. My parents are not running a mail server.. What next? Block access to hotmail?
Re: Comcast blocking port 25? (not what you think)
Hmmm - seems like every month or so my wife complains about my speakeasy.net account... Why do we have to pay 60+ dollars for DSL when Mary down the street has ComCast and gets higher speed internet access for less money...?

My response to her follows to the tune of: Because I want my (2) dedicated IP's and I don't want ComCast (or Verizon's) crap about supported Operating Systems and server restrictions. You want Comblast fine, but I am not giving up my Speakeasy service and I am *NOT* supporting anything other than the Speakeasy service...

(And as I had to bail out Mary several times in the past when she was unable to get any decent help through the tech support line, my wife has always backed off... ;)

dlr

On Mon, 10 May 2004, Steven W. Orr stated in their Email:
Steve> From: Steven W. Orr [EMAIL PROTECTED]
Steve> To: Travis Roy [EMAIL PROTECTED]
Steve> Cc: GNHLUG [EMAIL PROTECTED]
Steve> Date: Mon, 10 May 2004 10:35:47 -0400 (EDT)
Steve> Subject: Re: Comcast blocking port 25? (not what you think)
Steve>
Steve> On Monday, May 10th 2004 at 06:47 -0400, quoth Travis Roy:
Steve>
Steve> =This isn't about Comcast blocking port 25 to prevent you from running a
Steve> =server..
Steve> =
Steve> =Recently my parents (that use Comcast) can no longer connect to port 25
Steve> =of my server.. one that is legit, has correct reverse and MX records.
Steve> =
Steve> =Has anybody else seen this?
Steve> =
Steve> =Can anybody suggest a workaround.
Steve>
Steve> This is no help for your problem, but I'll tell you what happened to me.
Steve>
Steve> I'm in Framingham and I have a choice (currently) between RCN and comcast.
Steve>
Steve> I'm with RCN but a while ago they shut off incoming port 80. Later on they
Steve> shut off outgoing port 25. For the princely sum of only $240/year, I get
Steve> the honor and privilege of having those ports opened up. And I'm
Steve> guaranteed that my IP address won't change. Ever.

-- 
I have strong opinions and not all may match my employers, so the usual blurb applies...
Re: Comcast blocking port 25? (not what you think)
On Monday, May 10th 2004 at 10:52 -0400, quoth Travis Roy:
=Steven W. Orr wrote:
=
=I just find it stupid that they would do something like this. It's one
=thing to block port 80 since running a webserver is against the AUP/TOS,
=but to block access to an outside mail server smells of crushing the
=competition and limiting choice.

It's actually worse than that. There are a number of domains that will not accept any email from me if it's delivered directly to them. This is the result of RBLs discriminating via dynamic IP address pools. The solution is to add yet more and more entries into my mailertable file in sendmail. I admit that I was certainly peeved when I was blocked from sending any email to Red Hat lists. I needed

    redhat.com esmtp:smtp.mail.rcn.net

to fix it. :-( You'd think that if anyone would allow reception from a dynamic address they would.

-- 
steveo at syslang.net
Re: Comcast blocking port 25? (not what you think)
On Mon, 10 May 2004, at 10:53am, [EMAIL PROTECTED] wrote:
>>> Yah, that's what I'm going to have to do.. BLAH.. stupid comcast.
>>
>> Get used to it. More and more ISPs are adding this. And I cannot say I entirely disagree with the policy.
>
> Why?

Mail abuse. A great deal of spam and other mail abuse comes from computers on consumer feeds that are incorrectly configured as a mail relay (don't ask me how, but it happens more often than you would think), or have been compromised by some kind of malware and are being used as same.

At the same time, SMTP was designed to move mail between static, well-connected systems. Hosts on dynamic, consumer feeds do not meet that definition. It makes more sense for such hosts to submit mail to a smart host which can do the job right.

Of course, then you have to deal with the fact that a great many MUAs are incapable of doing anything themselves, and need to be able to submit mail to an SMTP-like listener. That is why the concept of an MSA (Mail Submission Agent) was created. The idea is to separate mail submission from mail exchange.

-- 
Ben Scott [EMAIL PROTECTED]
Re: Comcast blocking port 25? (not what you think)
On Mon, 2004-05-10 at 10:52, Travis Roy wrote:
> I just find it stupid that they would do something like this. It's one thing to block port 80 since running a webserver is against the AUP/TOS, but to block access to an outside mail server smells of crushing the competition and limiting choice.

No more stupid than people writing viruses and spam. Anyone running an SMTP or web server on comcast is violating the TOS. All comcast is doing is shutting down these rogue servers to prevent them from being used for relaying spam and/or virus/worm propagation.

Of course, one can always give up on computers and become a farmer ;-)

--Bruce
Re: Comcast blocking port 25? (not what you think)
On Mon, 10 May 2004, at 11:04am, [EMAIL PROTECTED] wrote:
> The solution is to add yet more and more entries into my mailertable file in sendmail.

Why don't you just relay everything through your ISP?

-- 
Ben Scott [EMAIL PROTECTED]
Re: Comcast blocking port 25? (not what you think)
Bruce Dawson wrote:
> On Mon, 2004-05-10 at 10:52, Travis Roy wrote:
>> I just find it stupid that they would do something like this. It's one thing to block port 80 since running a webserver is against the AUP/TOS, but to block access to an outside mail server smells of crushing the competition and limiting choice.
>
> No more stupid than people writing viruses and spam. Anyone running an SMTP or web server on comcast is violating the TOS. All comcast is doing is shutting down these rogue servers to prevent them from being used for relaying spam and/or virus/worm propagation.
>
> Of course, one can always give up on computers and become a farmer ;-)

Okay.. for the -LAST TIME- my parents are -NOT- I repeat are -NOT- running any kind of server at all, NONE! They are trying to connect to MY server that is NOT on the comcast network to send mail.
Re: Comcast blocking port 25? (not what you think)
[EMAIL PROTECTED] wrote:
> On Mon, 10 May 2004, at 10:53am, [EMAIL PROTECTED] wrote:
>>>> Yah, that's what I'm going to have to do.. BLAH.. stupid comcast.
>>>
>>> Get used to it. More and more ISPs are adding this. And I cannot say I entirely disagree with the policy.
>>
>> Why?
>
> Mail abuse. A great deal of spam and other mail abuse comes from computers on consumer feeds that are incorrectly configured as a mail relay (don't ask me how, but it happens more often than you would think), or have been compromised by some kind of malware and are being used as same.
>
> At the same time, SMTP was designed to move mail between static, well-connected systems. Hosts on dynamic, consumer feeds do not meet that definition.

My parents are not running any kind of server.

> It makes more sense for such hosts to submit mail to a smart host which can do the job right.

That is exactly what they are trying to do, send the mail to my server so I can do the job of dealing with their mail.
Re: Comcast blocking port 25? (not what you think)
On Mon, 2004-05-10 at 10:35, Steven W. Orr wrote:
> And I'm guaranteed that my IP address won't change. Ever.

Until, of course, it changes... I wouldn't give their guarantee too much faith...
Re: Comcast blocking port 25? (not what you think)
On Mon, 2004-05-10 at 11:20, Travis Roy wrote:
> Okay.. for the -LAST TIME- my parents are -NOT- I repeat are -NOT- running any kind of server at all, NONE! They are trying to connect to MY server that is NOT on the comcast network to send mail.

(maybe it's already been covered?) Why don't they just use Comcast's provided SMTP server? What is the real benefit of having them send through your server?
Re: Comcast blocking port 25? (not what you think)
On Mon, 2004-05-10 at 11:20, Travis Roy wrote:
> Bruce Dawson wrote:
>> On Mon, 2004-05-10 at 10:52, Travis Roy wrote:
>>> I just find it stupid that they would do something like this. It's one thing to block port 80 since running a webserver is against the AUP/TOS, but to block access to an outside mail server smells of crushing the competition and limiting choice.
>>
>> No more stupid than people writing viruses and spam. Anyone running an SMTP or web server on comcast is violating the TOS. All comcast is doing is shutting down these rogue servers to prevent them from being used for relaying spam and/or virus/worm propagation.
>>
>> Of course, one can always give up on computers and become a farmer ;-)
>
> Okay.. for the -LAST TIME- my parents are -NOT- I repeat are -NOT- running any kind of server at all, NONE!

You have made that abundantly clear in previous postings.

> They are trying to connect to MY server that is NOT on the comcast network to send mail.

That was something I missed. Is your server listed on any blacklists? Also, you need to contact comcast and inform them that they are blocking your server from your clients. Although beware that they are slugged with this sasser virus, so your response won't be great. Just keep trying.

Also, have your parents contact the town's aldermen/selectmen/... and indicate their displeasure with comcast. This doesn't have much immediate effect, but it means comcast will have an uphill battle when it comes time to renew their contract with the town.

--Bruce
Re: Comcast blocking port 25? (not what you think)
Brian wrote:
> On Mon, 2004-05-10 at 11:20, Travis Roy wrote:
>> Okay.. for the -LAST TIME- my parents are -NOT- I repeat are -NOT- running any kind of server at all, NONE! They are trying to connect to MY server that is NOT on the comcast network to send mail.
>
> (maybe it's already been covered?) Why don't they just use Comcast's provided SMTP server? What is the real benefit of having them send through your server?

It's always been set up that way.. And I think the comcast server requires some kind of auth, and my parents never even set up a @comcast.net email address.
Re: Comcast blocking port 25? (not what you think)
On Mon, May 10, 2004 at 06:47:42AM -0400, Travis Roy [EMAIL PROTECTED] wrote:
> This isn't about Comcast blocking port 25 to prevent you from running a server..
> Recently my parents (that use Comcast) can no longer connect to port 25 of my server.. one that is legit, has correct reverse and MX records.
> Has anybody else seen this?
> Can anybody suggest a workaround.

I ran into this when plugging my notebook computer into my parents' home network in Florida. They have cable modem service from Cox, I believe. Anyway, Cox was blocking outbound connections to port 25 on anything other than Cox's SMTP servers. Well, this being a notebook, I didn't want to have to require my wife (it's actually her notebook) to change the SMTP server whenever she traveled.

The mail server we were trying to access is a dedicated server that I run, and it uses SMTP authentication in order to allow access from any IP address. Therefore, I was not concerned about security, but rather about generically working around outbound port 25 restrictions.

My initial reaction was to use a one-line iptables command to redirect port 2525 to port 25 on my mail server, and then to point my wife's notebook to port 2525. This worked fine. The command I used was:

    /sbin/iptables --table nat --append PREROUTING --jump REDIRECT --proto tcp --dport 2525 --to-ports 25

However, recently I was reading about SPF and discovered MSA. Although MSA may optionally do more sophisticated things, in a limited format you can run a normal SMTP server implementing authentication on the MSA port (TCP port 587), and non-MSA aware programs like Outlook can use it as long as they implement SMTP authentication and can be redirected to a different port. ISPs typically don't block port 587 because (1) MSA is new and they probably may not be aware of it, and (2) MSA requires authentication, which probably eliminates the reasons they may have for blocking outbound port 25.

To turn on MSA in sendmail, I simply commented out the no_default_msa in my sendmail.mc file. (Actually, for reasons unnecessary to get into here, I added the equivalent line

    O DaemonPortOptions=Port=587, Name=MSA, M=E

to sendmail.cf directly).

-- 
Bob Bell
Re: Comcast blocking port 25? (not what you think)
On Mon, May 10, 2004 at 11:42:56AM -0400, Travis Roy wrote:
> Brian wrote:
>> Why don't they just use Comcast's provided SMTP server? What is the real benefit of having them send through your server?
>
> It's always been set up that way.. And I think the comcast server requires some kind of auth, and my parents never even set up a @comcast.net email address.

None of that is needed. I have my machine forwarding via smtp.comcast.com without authentication and it shows up as if coming directly from wayga.org. See the headers for more info. Just have them use smtp.comcast.net as their SMTP server, but leave the rest of the headers as-is.

I have a slight concern that my e-mail is going through comcast, but then again, if I really want secure I can use GPG.

-Mark
Re: Comcast blocking port 25? (not what you think)
On Mon, 10 May 2004, Travis Roy wrote:
> I just find it stupid that they would do something like this. It's one thing to block port 80 since running a webserver is against the AUP/TOS, but to block access to an outside mail server smells of crushing the competition and limiting choice.

I highly doubt that this has anything to do with that, and everything to do with an attempt to limit the ability of compromised Wintendo boxes to spew spam directly from their Comcast connection to MTAs the world over. By forcing their customers to pass all outbound mail via Comcast's own SMTP servers, they nip all of that unwanted behavior in the bud; it just happens to impact your (non-standard) arrangement as collateral damage.

-- 
Bill Mullen [EMAIL PROTECTED] MA, USA RLU #270075 MDK 8.1 9.0
There are two kinds of people in the world, those who believe there are two kinds of people in the world and those who don't. - Robert Benchley
Re: Comcast blocking port 25? (not what you think)
On Mon, 10 May 2004, Mark Komarinski wrote:
> On Mon, May 10, 2004 at 11:42:56AM -0400, Travis Roy wrote:
>> Brian wrote:
>>> Why don't they just use Comcast's provided SMTP server? What is the real benefit of having them send through your server?
>>
>> It's always been set up that way.. And I think the comcast server requires some kind of auth, and my parents never even set up a @comcast.net email address.
>
> None of that is needed. I have my machine forwarding via smtp.comcast.com without authentication and it shows up as if coming directly from wayga.org. See the headers for more info. Just have them use smtp.comcast.net as their SMTP server, but leave the rest of the headers as-is.

Seconded. I send through them all mail to sites that block me via an RBL, and don't have problems, even though the From: address is my own. I also do not use a Comcast address on this (or any other) mail. Their servers accept all mail that comes from any node within their network; all they monitor for, AIUI, is volume (to identify customers that are spammers).

Your folks should be able to change their SMTP setting within Outbreak to smtp.comcast.net, and never notice any difference ... other than that their mail now goes out successfully, of course. ;)

-- 
Bill Mullen [EMAIL PROTECTED] MA, USA RLU #270075 MDK 8.1 9.0
If I call a dog's tail a leg, how many legs does the dog have? Five? No, four, because calling a tail a leg does not make it a leg. - A. Lincoln
Anti-spam methods (was: Re: Comcast blocking port 25? (not what you think))
On Mon, 2004-05-10 at 11:44, Bob Bell wrote:
> However, recently I was reading about SPF and discovered MSA. Although MSA may optionally do more sophisticated things, in a limited format you can run a normal SMTP server implementing authentication on the MSA port (TCP port 587), and non-MSA aware programs like Outlook can use it as long as they implement SMTP authentication and can be redirected to a different port. ISPs typically don't block port 587 because (1) MSA is new and they probably may not be aware of it, and (2) MSA requires authentication, which probably eliminates the reasons they may have for blocking outbound port 25. To turn on MSA in sendmail, I simply commented out the no_default_msa in my sendmail.mc file. (Actually, for reasons unnecessary to get into here, I added the equivalent line O DaemonPortOptions=Port=587, Name=MSA, M=E to sendmail.cf directly).

I was going to bring up MSA, too. It should be noted, however, that MSA doesn't *require* authentication. Check out RFC 2476 for details. The RFC does list authentication as an optional feature, however.

I *think* the DaemonPortOptions line above will not require the authentication you mention. You need to specify 'M=Ea' instead of just 'M=E'. That's for sendmail...your MTA may vary.

I recently posted a message to the SPF mailing list referring to the problem of spam cannon infected computers on broadband lines. I'm basically on the side of individual freedoms and don't like that port 25 egress filtering is being implemented by broadband vendors. But as long as there are vendors that will give you an unfiltered connection (even for a larger fee), with fixed IPs, I'll be happy. I wouldn't be opposed to vendors allowing this only if you host your own domains and email servers and point something at your fixed IPs so that you get the freedom, but with the attendant responsibilities. (Yes, I know that info is often faked, but that's a separate problem.)

I do predict that spammers will adapt to this new authenticated email world rather quickly. Namely, they will modify their spam-cannon-laden viruses to pick up the user's SMTP server and username from his Outbreak config and either pick up the password from the config if it's saved, or sniff it as it's typed. With this information, they can continue to send spam *to appear as if it came from this user in every way*, including being sent through his ISP's SMTP server, and therefore bypass many spam filters that are based on blacklists or forged headers.

But we will still be in a better place when it comes to spam. When enough clueless users get disconnected from their ISPs for spam propagation, they will either take more proactive measures to keep their systems clean of viruses, or put more pressure on their operating system vendors of choice to put security where it belongs: at a much higher priority than convenience. Or both.

I don't much like many of the methods people are using or advocating for spam filtering. I particularly dislike *anything* that does uniform, system-wide filtering that *discards* any messages whatsoever. If it's not configured on a per user basis, then *rejection* and *bouncing* are the only acceptable options, in my view. And bouncing is usually ineffective, given the amount of forging of headers going on. So if you can't reject, then at the system level about all you should do is filter into the users' SPAM or JUNK or whatever folders. Never discard. *sigh*

For the OP, I'd suggest setting up an MSA, but if you plan on using TLS/SSL (recommended) you'll need to use 'M=Eas' instead of just 'M=Ea' (for sendmail). Run it on port 465 (smtps) so you can leave 587 (submission) for the typical 'M=Ea'. This is because our favorite MUA of all doesn't support STARTTLS on any port besides 25...it just goes straight to an encrypted connection instead of doing the STARTTLS negotiation.

Have your parents change their port setting to 465, enable TLS/SSL, and enter a username/password pair that you create for them as SASL ids on your server.

Sadly, I'd suggest that we all get used to this up and coming authenticated email world. In and of itself, it's not going to reduce spam...but it will potentially make it easier to identify the scum and use other, ahem, non-technical means to pursue them. Like cutting off their ... um ... well ... okay, not that, but at least cutting off their connections and using other means like jail time, seriously big LARTs, not inviting them to parties, etc, etc. ;-)

-- 
-Paul Iadonisi
Senior System Administrator
Red Hat Certified Engineer / Local Linux Lobbyist
Ever see a penguin fly? -- Try Linux.
GPL all the way: Sell services, don't lease secrets

___ gnhlug-discuss mailing list [EMAIL PROTECTED] http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss
Re: Comcast blocking port 25? (not what you think)
What you can do -- which is what we did -- is set up SMTP to occur on an arbitrarily high port (that won't be blocked), and tie that port to SMTP on the server.

NOTE: I'm talking about a situation where complete control is had on a server, and outbound port 25 is blocked for a client. Not the opposite case, wherein some poor schmo with a box on a cable modem suddenly has his _inbound_ port 25 blocked (though that's happened to me as well).

$.02,
-Ken

On Mon, 10 May 2004, Steven W. Orr stated in their Email:
Steve> From: Steven W. Orr [EMAIL PROTECTED]
Steve> To: Travis Roy [EMAIL PROTECTED]
Steve> Cc: GNHLUG [EMAIL PROTECTED]
Steve> Date: Mon, 10 May 2004 10:35:47 -0400 (EDT)
Steve> Subject: Re: Comcast blocking port 25? (not what you think)
Steve>
Steve> On Monday, May 10th 2004 at 06:47 -0400, quoth Travis Roy:
Steve>
Steve> =This isn't about Comcast blocking port 25 to prevent you from running a
Steve> =server..
Steve> =
Steve> =Recently my parents (that use Comcast) can no longer connect to port 25
Steve> =of my server.. one that is legit, has correct reverse and MX records.
Steve> =
Steve> =Has anybody else seen this?
Steve> =
Steve> =Can anybody suggest a workaround.
Steve>
Steve> This is no help for your problem, but I'll tell you what happened to me.
Steve>
Steve> I'm in Framingham and I have a choice (currently) between RCN and comcast.
Steve>
Steve> I'm with RCN but a while ago they shut off incoming port 80. Later on they
Steve> shut off outgoing port 25. For the princely sum of only $240/year, I get
Steve> the honor and privilege of having those ports opened up. And I'm
Steve> guaranteed that my IP address won't change. Ever.
Re: Comcast blocking port 25? (not what you think)
On Mon, 10 May 2004, at 11:23am, [EMAIL PROTECTED] wrote:

Mail abuse. A great deal of spam and other mail abuse comes from computers on consumer feeds that are incorrectly configured as a mail relay (don't ask me how, but it happens more often than you would think), or have been compromised by some kind of malware and are being used as same. At the same time, SMTP was designed to move mail between static, well-connected systems. Hosts on dynamic, consumer feeds do not meet that definition.

> My parents are not running any kind of server. You'll notice I never said they were.

Comcast doesn't (and can't) know you're not using TCP port 25 for mail abuse, though. By forcing you to authenticate to their system, and pass your mail through their system, though, they can monitor things, enforce limits, add an audit trail to the headers, etc.

> That is exactly what they are trying to do, send the mail to my server so I can do the job of dealing with their mail.

Then you should be using an MSA, not an MTA. Or at least, that's what conventional net.wisdom says. Didn't you get the memo? :)

-- 
Ben Scott [EMAIL PROTECTED]
| The opinions expressed in this message are those of the author and do |
| not represent the views or policy of any other person or organization. |
| All information is provided without warranty of any kind. |
Re: Anti-spam methods (was: Re: Comcast blocking port 25? (not what you think))
On Mon, May 10, 2004 at 02:21:02PM -0400, Paul Iadonisi [EMAIL PROTECTED] wrote:
> I was going to bring up MSA, too. It should be noted, however, that MSA doesn't *require* authentication. Check out RFC 2476 for details. The RFC does list authentication as an optional feature, however.

I wasn't aware of this. A previous cursory glance of the RFC and other reading made it seem like authentication was required. I thought that was the point, even. A re-glance at the RFC makes me think you are indeed correct.

> I *think* the DaemonPortOptions line above will not require the authentication you mention. You need to specify 'M=Ea' instead of just 'M=E'. That's for sendmail...your MTA may vary.

Ooh, you made me check quickly to ensure that I'm not in fact an open relay. However, I attempted to send mail from a user in the domain, without logging in, outside the domain, and still got a Relaying denied message, so I think I'm okay here. Perhaps other parts of my config are compensating.

> I do predict that spammers will adapt to this new authenticated email world rather quickly. Namely, they will modify their spam-cannon-laden viruses to pick up the user's SMTP server and username from his Outbreak config and either pick up the password from the config if it's saved, or sniff it as it's typed.

That seems likely, but how much email is sent from virus-attacked computers? The SPF approach seems to have the goal of making DNS-based blacklists reasonable, not addressing the spam-from-a-virus problem.

> But we will still be in a better place when it comes to spam. When enough clueless users get disconnected from their ISPs for spam propagation, they will either take more proactive measures to keep their systems clean of viruses, or put more pressure on their operating system vendors of choice to put security where it belongs: at a much higher priority than convenience. Or both.

One can always hope...

-- 
Bob Bell
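The self-check Bob describes above, written against Paul's point that an MSA listener should require AUTH before it relays: an added Python example, not code from either poster or from sendmail. It speaks just enough SMTP to see whether a listener advertises AUTH and STARTTLS and whether an unauthenticated RCPT TO a domain the server does not host gets "Relaying denied"; the hostnames, addresses and both transcripts are constructed for illustration.

```python
import io, socket

def read_reply(rfile):
    """Read one SMTP reply, following '250-...' continuation lines."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise EOFError("server closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line[4:])
        if len(line) < 4 or line[3] != "-":
            return int(line[:3]), lines

def check_submission_port(rfile, wfile, sender, outside_rcpt, helo="probe.example"):
    """Report whether AUTH/STARTTLS are offered and unauthenticated relaying is refused."""
    def cmd(text):
        wfile.write((text + "\r\n").encode("ascii"))
        wfile.flush()
        return read_reply(rfile)
    read_reply(rfile)                                   # 220 greeting
    _, ehlo = cmd("EHLO " + helo)
    exts = {e.split()[0].upper() for e in ehlo[1:] if e}
    result = {"auth": "AUTH" in exts, "starttls": "STARTTLS" in exts}
    code, _ = cmd("MAIL FROM:<%s>" % sender)
    if code == 250:
        code, _ = cmd("RCPT TO:<%s>" % outside_rcpt)    # a domain this server does not host
    result["relay_denied"] = code != 250                # 550 'Relaying denied' is the good answer
    cmd("QUIT")
    return result

def probe(host, port=587, sender="alice@example.net", rcpt="bob@elsewhere.example"):
    """Run the check against a live listener (hypothetical names; point it at your own MSA)."""
    with socket.create_connection((host, port), timeout=10) as s:
        return check_submission_port(s.makefile("rb"), s.makefile("wb"), sender, rcpt)

# Constructed transcripts (not captured from any real server) so the check runs offline.
DENIED = (b"220 mail.example.net ESMTP Sendmail\r\n"
          b"250-mail.example.net Hello probe.example\r\n250-STARTTLS\r\n"
          b"250-AUTH LOGIN PLAIN\r\n250 HELP\r\n"
          b"250 2.1.0 <alice@example.net>... Sender ok\r\n"
          b"550 5.7.1 <bob@elsewhere.example>... Relaying denied\r\n"
          b"221 2.0.0 mail.example.net closing connection\r\n")
OPEN = (b"220 mail.example.net ESMTP Sendmail\r\n"
        b"250-mail.example.net Hello probe.example\r\n250 HELP\r\n"
        b"250 2.1.0 <alice@example.net>... Sender ok\r\n"
        b"250 2.1.5 <bob@elsewhere.example>... Recipient ok\r\n"
        b"221 2.0.0 mail.example.net closing connection\r\n")

def run_transcript(transcript):
    return check_submission_port(io.BytesIO(transcript), io.BytesIO(),
                                 "alice@example.net", "bob@elsewhere.example")
```

run_transcript(DENIED) reports auth and STARTTLS offered with relaying denied, the result Paul's 'M=Eas' listener should give; run_transcript(OPEN) is what an open relay looks like.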
Re: Anti-spam methods (was: Re: Comcast blocking port 25? (not what you think))
On Mon, 10 May 2004, at 2:21pm, [EMAIL PROTECTED] wrote:
> I'm basically on the side of individual freedoms and don't like that port 25 egress filtering is being implemented by broadband vendors.

Geeks (I include myself in this category) like to romanticize this idea of the big, happy Internet, where all people are equal, censorship is treated as damage, and so on. I'm afraid that is a myth. That mythical Internet does not exist, and never has. You can connect your equipment to somebody else's equipment. That's it. If you're big enough, the somebody else might be a peer. Most people just pay for a link or two to companies that specialize in network connections. Regardless, you're connecting to *their* equipment, and they can run it however they see fit. If nobody is willing to give you connection on their terms, you do not get connected. It has always been this way. I find it helps to keep this in mind, when people start feeling their freedom has been infringed because their ISP doesn't let them do everything they want to.

> But as long as there are vendors that will give you an unfiltered connection (even for a larger fee), with fixed IPs, I'll be happy.

Indeed. Paying a higher fee for a higher class of service will always get you better treatment. Here, too, realize you're not just paying for IP address space, you're paying for the promise of support. Not just the guy answering the phone when you have trouble, but support in the sense that your ISP won't mess you up like this.

> I do predict that spammers will adapt to this new authenticated email world rather quickly. [...] But we will still be in a better place when it comes to spam. When enough clueless users get disconnected from their ISPs for spam propagation ...

Heck, just the fact that it adds an audit trail to the message headers (so I, as a mail abuse victim, can trace it back more easily) is worth it.

It also means an ISP will be able to notice that Subscriber #53429 is sending way more mail than is reasonable, and thus take action to cut off the spam before as much spam gets sent.

> [Users] will either take more proactive measures to keep their systems clean of viruses, or put more pressure on their operating system vendors of choice to put security where it belongs: at a much higher priority than convenience. Or both.

Add to that: After Joe Luser has had his feed cut a few times, maybe he will think twice before installing whatever random software he finds on the net.

> Sadly, I'd suggest that we all get used to this up and coming authenticated email world.

s/email//

-- 
Ben Scott [EMAIL PROTECTED]
Re: Anti-spam methods (was: Re: Comcast blocking port 25? (not what you think))
On Mon, 10 May 2004, at 6:00pm, [EMAIL PROTECTED] wrote:
>> I do predict that spammers will adapt to this new authenticated email world rather quickly. Namely, they will modify their spam-cannon-laden viruses ...
>
> That seems likely, but how much email is sent from virus-attacked computers?

All we can tell for sure is that quite a lot of spam currently comes direct from consumer Internet feed address space. Possible sources include:

- People who manage to configure open relays or open proxies, either through poorly designed software, or user incompetence. These people get relay-raped.
- Spammers who buy Internet feeds, use them until they get caught, and then fade back into the woodwork.
- Users who unintentionally run spam-relay software. These include Trojan software (the game that also sends spam or whatever), click me worms that depend on the user, and self-propagating software that attacks vulnerable software.
- Users who intentionally run spam-relay software, because the spammers claim (truthfully or not) they will pay the users for doing so.

> The SPF approach seems to have the goal of making DNS-based blacklists reasonable, not addressing the spam-from-a-virus problem.

SPF prevents spammers from spoofing a domain that does not want to be spoofed. That has value by itself, as it means you can now whitelist on selected From addresses reliably. It is unlikely SPF will actually stop spam.

-- 
Ben Scott [EMAIL PROTECTED]