[NCLUG] comcast blocking port 25?

Stephen Warren swarren at wwwdotorg.org
Wed Mar 7 10:16:39 MST 2007



Matt wrote:
> Hi,
> 
> A friend of mine said that Comcast blocked port 25, at least on his
> machine. I don't know if Comcast is selectively picking machines to
> block (my friend has a mail alias that broadcasts to about 100 people
> and I don't know if that is something Comcast sees). If they do that
> to me I want to know what I need to do. I send my outgoing email
> through Comcast's authenticated server (mainly so my spam filter
> doesn't toss my own mail) and I assume that's OK and won't change. Is
> that a bad assumption? I receive my email on port 25, too. Will that
> be blocked? My understanding is that port 587 should be used. Should I
> configure postfix to look at both 25 and 587?  If so, how?

When you're talking about blocking the port, there are two issues.

First, there's where you send your outbound data - either port 25 or
port 465/587 on the Comcast server. This has nothing to do with
blocking, and is simply a policy decision on Comcast's part. I have no
idea what their policy is.

Secondly, there are inbound connections to your machine. If you run your
own SMTP server and it's an MX for a domain, inbound connections must
come in on port 25 (it's the only port other servers will ever connect
to[1]). Comcast may well have chosen to block inbound port 25
specifically to prevent people running servers, which I believe is
against the TOS (although last time I checked - a long time ago - I
don't think they did, but I know Cox in Phoenix, AZ does).

I get around this by renting a user-mode-linux virtual host, and hooking
up a VPN connection from my home server to the virtual server. All
outbound mail is sent over the VPN to the virtual host via postfix's
smarthost setting. Inbound connections come in to the virtual host's IP,
which then DNATs the connection across the VPN to my server. All hidden
from Comcast :-)


[1] Unless you e.g. get a mailhop service from dyndns.org, which I
believe can be configured to connect to a different port on your server.
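For the outbound half of the question, a small probe can show whether port 25 and port 587 behave differently from a given connection. This is an added example, not part of the original post; `probe_smtp`, `diagnose` and the host `mail.example.net` are names assumed here for illustration.

```python
import socket
import sys

def probe_smtp(host, port, timeout=5.0):
    """Return (state, banner) for one outbound TCP attempt to an SMTP port.

    open     - connected and received a 220 greeting
    non-smtp - connected, but no 220 greeting arrived
    refused  - TCP reset: nothing listening, or a firewall that rejects
    filtered - no reply before the timeout: typical of a silent drop
    error    - DNS failure, no route, etc.
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused", ""
    except socket.timeout:
        return "filtered", ""
    except OSError as exc:
        return "error", str(exc)
    with sock:
        try:
            banner = sock.recv(512).decode("ascii", "replace").strip()
        except OSError:  # includes a timeout while waiting for the greeting
            banner = ""
    return ("open" if banner.startswith("220") else "non-smtp"), banner

def diagnose(host, relay_port=25, submission_port=587, timeout=5.0):
    """Probe both ports and summarise what the pair of results suggests."""
    relay = probe_smtp(host, relay_port, timeout)[0]
    submission = probe_smtp(host, submission_port, timeout)[0]
    if relay == "open":
        verdict = "port 25 to this server works from here"
    elif submission == "open":
        verdict = "port 25 fails but submission works: send via the submission port"
    else:
        verdict = "neither port answered: check hostname and local firewall first"
    return relay, submission, verdict

if __name__ == "__main__":
    # mail.example.net is a placeholder; pass your provider's server name.
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.net"
    print(target, diagnose(target))
```

This only exercises the outbound direction. Whether inbound port 25 reaches a home server has to be tested from a machine outside the ISP's network.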


