Workarounds for blocked port 25 on outgoing e-mail

Logan lashby at gmail.com
Sat Aug 20 17:51:39 GMT 2005


On 8/20/05, Jay Banks <jay.quest4 at gmail.com> wrote:

> I don't quite understand what you are saying. I have multiple POP3
> accounts with a virtual host and my servers at work, etc. I can get
> e-mail from them all day long, but every ISP I use blocks my attempts
> to send through them. I get "no socket" errors when I try and connect.

Again, POP3 access is NOT SMTP access.  They are separate issues,
separate protocols.  That's why you can download your mail using POP3,
but have problems sending it out using SMTP.

> Same thing for our company employees not physically located
> in our area. They can get e-mail from our server (MS Exchange
> for them) just fine, but none of them can send mail through it. Not
> because of something on my side, but because of the ISP they use.

Without knowing the details of your Exchange configuration, I'm not
sure that's true.  They may very well be blocked by the anti-relay
features of Exchange.  Think about this...  how does Exchange,
connected to ProviderA  know that UserB connected through ProviderB is
one of your users?

> I would like to solve the problem for the above reasons, but it
> would also be nice to offer POP3 access to customers and
> know that they could use it from any location without having
> to resort to some web-based front end.

If their email address is in your domain, and routed to your Exchange
server, then this should "just work"....  for downloading their mail
with POP3.  Of course, that assumes that you have port 110 (or 143 for
IMAP) access available from outside your network.

> > Port 587 is the mail submission port, and is supported by sendmail,
> > postfix, exim etc with little problems. 
> 
> I just played around with this for a little bit and it doesn't work for
> POP3 servers through esosoft.com. Not sure if it is them or my ISP,
> though.

Are you meeting their authentication requirements?  Simply changing
the port number usually won't work.  You also have to configure your
client to authenticate to their mail server.

> Doug Hardie wrote:
> > Blocking external use of port 25 is a simple, but misguided, approach
> > to spam control.

Blocking port 25 outbound is a flame-war generator.  :)  I wish MORE
large providers would do it myself.  It's an effective way to limit
the spewage from zombie farms on their customers' machines.  It's much
better than the providers who are the victims of that spewage trying
to guess which of those customers are infected zombies on dynamic
connections and blocking those.

> > It creates too many problems for people who are
> > properly using mail.  The better approach is to require the use of
> > SMTP-AUTH (preferably with TLS) before permitting any mail routing.
> > If all MTAs did that there would be no need to block port 25.

Nope, that wouldn't address the main issue at all.  That issue is
hundreds of thousands of users with a "zombied" machine sending spam
directly to other providers' mail servers on port 25.  No relaying
involved.  That's what the port 25 blocks are trying to shut down.  Of
course, spammers will adapt, (and have already started), but it still
cuts out a major swath of spam.

> Logan wrote:
> > Your access provider should be able to handle outbound
> > email for you with very little trouble. It's probably as easy as
> > asking what they recommend as the outbound/smtp mailserver
> > for you.
> 
> Honestly, there is a way around this. My ISP can add
> the IP address of my hosted POP3 servers into a
> permit list. 

How much control do you have over the MTA software config on your
hosted servers?  Can you set them up to answer on 587 and offer
SMTP-AUTH?

> I asked the DSL providers of one of our employees
> in another town to unblock port 25 for that employee...
> and the guy **laughed** at me.

That's unprofessional, but hardly surprising if the employee has a
standard consumer DSL account with a dynamic IP address.  I've seen
DSL IPs change as often as every two hours, which would mean they
would have to change their blocking list every two hours.

> That is what I set up with my sendmail/popa3d configuration.
> And honestly, after looking at the alternatives, this seemed
> to be the easiest route to go. 

It is a bit of a kludge.  My recommendation would be Postfix with
SMTP-AUTH.  It's not THAT tough to set up, and Postfix has the best
documentation for it that I've seen.
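
Added example, not part of the original message: a Python check of whether a server on the submission port (587) actually offers what the thread recommends, STARTTLS followed by SMTP-AUTH. The function names `assess` and `probe` and the sample feature sets are assumptions made for illustration; the feature dicts follow the shape of `smtplib`'s `esmtp_features`.

```python
import smtplib
import ssl


def assess(pre_tls, post_tls):
    """Judge a submission service from its EHLO features.

    pre_tls / post_tls: dicts shaped like smtplib's esmtp_features
    (lowercase keyword -> parameter string). post_tls is None when
    STARTTLS was not offered, so no second EHLO could be sent.
    """
    findings = []
    pre_auth = set(pre_tls.get("auth", "").upper().split())
    if "starttls" not in pre_tls:
        findings.append("no STARTTLS: credentials would cross the network in clear")
    if pre_auth & {"PLAIN", "LOGIN"}:
        findings.append("AUTH PLAIN/LOGIN offered before TLS")
    # The feature set that applies when the client finally authenticates.
    final = post_tls if post_tls is not None else pre_tls
    if not final.get("auth", "").split():
        findings.append("no AUTH offered: server cannot identify remote users")
    return findings or ["ok: STARTTLS then AUTH"]


def probe(host, port=587, timeout=10):
    """Connect to host:port, EHLO before and after STARTTLS, then assess."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        pre = dict(s.esmtp_features)
        post = None
        if s.has_extn("starttls"):
            s.starttls(context=ssl.create_default_context())
            s.ehlo()  # features must be re-read after the TLS handshake
            post = dict(s.esmtp_features)
    return assess(pre, post)


if __name__ == "__main__":
    # Constructed feature sets, not captured from any real server.
    good_pre = {"starttls": "", "size": "10240000"}
    good_post = {"auth": " PLAIN LOGIN", "size": "10240000"}
    print(assess(good_pre, good_post))
    print(assess({"auth": " PLAIN LOGIN"}, None))
    print(assess({"starttls": ""}, {"size": "10240000"}))
```

Running `probe("mail.example.org")` against your own hosted server (the hostname here is a placeholder) separates "the port is blocked" (connection error) from "the port answers but does not offer SMTP-AUTH".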


More information about the freebsd-isp mailing list