netmask
join:2011-05-16
Renton, WA

netmask

Member

[E-mail] Comcast Business Class update on 05/14/2011 causes outa

So I have had Comcast Business Class service for a number of years now in that I run a number of my own servers for VPN, web, and mail for my own domains. Seems that Comcast rolled out a change to their production environment sometime between Friday night and Saturday morning that now requires people on the Comcast Business network to authenticate to the SMTP server even on port 25. My current configuration has been working without problems for the past three and a half to four years.
Last correct email sent:

May 13 18:54:31 shelob postfix/smtp[65473]: 92A6F2977DA: to=, relay=smtp.comcast.net[76.96.30.117]:25, delay=1.1, delays=0.04/0.01/0.52/0.5, dsn=2.0.0, status=sent (250 2.0.0 jDuW1g00N0mzNQA01DuX9s mail accepted for delivery)

First failed email sent:

May 14 03:01:11 shelob postfix/smtp[68241]: 678E12977DA: to=, orig_to=, relay=smtp.comcast.net[76.96.30.117]:25, delay=4.4, delays=0.05/0.03/2.4/2, dsn=5.1.0, status=bounced (host smtp.comcast.net[76.96.30.117] said: 550 5.1.0 Authentication required (in reply to MAIL FROM command))

When I called on Sunday (Always like to give the folks at least 24 hours to clean up their own mess) I could hear the other support staff on the phone dealing with other customers with the SAME problem, so I am quite aware this is not just me having this problem.
Called again this morning (Monday) and took quite some time for them to get to my call (As I suspect that all the other Comcast Business Class customers running their own mail servers are now also unable to send email). Still no ETA as to when they will roll back their changes.
Kinda sad in that I would expect that any two-bit mom and pop ISP would know enough to roll back a change to your production environment when it adversely affects your customers until you can better identify and resolve the problem, but not Comcast. They are just too big, and in my case, the only gig in town.
AVonGauss
Premium Member
join:2007-11-01
Boynton Beach, FL

AVonGauss

Premium Member

Re: [E-mail] Comcast Business Class update on 05/14/2011 causes

I have no idea about the change and, if intentional, warning would have been better, but if you're using the Comcast SMTP servers as a relay, why aren't you authenticating?
netmask
join:2011-05-16
Renton, WA

netmask

Member

Again, my config has been stable for a number of years without change. As for not authenticating, I don't know with what credentials I would authenticate in that I have never had to do so in the past. Never got that far with the support people.

NetFixer
From My Cold Dead Hands
Premium Member
join:2004-06-24
The Boro
Netgear CM500
Pace 5268AC
TRENDnet TEW-829DRU

2 edits

NetFixer

Premium Member

said by netmask:

Again, my config has been stable for a number of years without change. As for not authenticating, I don't know with what credentials I would authenticate in that I have never had to do so in the past. Never got that far with the support people.

I also currently use smtp.comcast.net as a smarthost relay while I am waiting for my rDNS/PTR records to be set up for my email server's domain name. I did not even know that smtp.comcast.net would work without authentication.

I think that technically a Comcast Business Class user is not supposed to be using smtp.comcast.net as a relay, but I had previously done it with a residential account, and those residential account email addresses were/are still valid, so I use one of them to authenticate.

If you have created an account on the Business Class Portal site, you should be able to use your Business Class Portal account credentials to authenticate to smtp.po1.comcast.net as shown here: »businessclass.comcast.ne ··· rodEmail (you need to be logged in to see that page).

Here is a screen capture from that page, but you will need to set up an account in order to use the SMTP server to relay your email:







EDIT: I said earlier that I was waiting for Comcast to set up my rDNS/PTR records, and I just a few minutes ago got notification that it had been done. I will give it at least overnight for all the DNS servers to get in sync, and then no more safe sex for my email server, time to go bareback.

BTW, I want to offer a public thank you to SteveTeow for getting my request sent to the proper person to do the job.

beachintech
There's sand in my tool bag
Premium Member
join:2008-01-06

beachintech to netmask

Premium Member

to netmask
Just because it worked, doesn't mean it's how you should be doing it. What NetFixer posted would be the way to go. You should ALWAYS be authenticating everything when using a relay like that.

kontos
xyzzy
join:2001-10-04
West Henrietta, NY

kontos to netmask

Member

to netmask
Even so, it seems like authentication credentials are something that even the lowest level support person should be able to give you quickly. (That has to be in the script)

beachintech
There's sand in my tool bag
Premium Member
join:2008-01-06

beachintech

Premium Member

Biz class reps don't have a script, but yes, it's common info easily found by the rep and the user on Comcast's site.

monkd
@comcastbusiness.net

monkd to netmask

Anon

to netmask
Netfixer,

Any luck with your setup?
netmask
join:2011-05-16
Renton, WA

netmask to beachintech

Member

to beachintech
I don't quite get the "ALWAYS be authenticating everything". I have static IP addresses on the correct subnet from within the Comcast network, and as such my server should not be required (and has not in the past been required) to authenticate.

I was unaware of the Business Class Portal site till it was just noted by NetFixer above. It was not brought up by the support tech. And since I had been running without problems for a number of years I have not needed to call support but once in a while for network outages.

I have now created an account on The Business Class Portal. Seems to be mostly aimed at Windoz users. All my systems are Unix (FreeBSD as edge routers and servers, some Solaris UltraSPARC Enterprise server systems and a few Linux boxes).

Now have to spend all sorts of time investigating new configurations because Comcast makes a change without informing their customers or even their own tech support. I am not impressed.
AVonGauss
Premium Member
join:2007-11-01
Boynton Beach, FL

AVonGauss

Premium Member

said by netmask:

I don't quite get the "ALWAYS be authenticating everything". I have static IP addresses on the correct subnet from within the Comcast network, and as such my server should not be required (and has not in the past been required) to authenticate.

Even with a static, or rather known IP address range, legitimate devices can be compromised and easily create a connection to the SMTP server which without authentication would have no choice but to forward the traffic. Requiring authentication, even from inside users, lowers the probability that a compromised device can successfully send SPAM e-mail.

While if this was an intended change it could have been handled better possibly, I'm more surprised they have not required it until now and I am glad they do.

beachintech
There's sand in my tool bag
Premium Member
join:2008-01-06

beachintech to netmask

Premium Member

to netmask
AVonGauss pretty much hit the nail right on the head. For me, I would have been asking how to authenticate my server setup from day one. But, I believe authentication is a good thing for server use, especially mail relays.
netmask
join:2011-05-16
Renton, WA

netmask to NetFixer

Member

to NetFixer
So just a quick update. I have talked to customer support a total of 5 times now, the last being before I posted the original message that started this thread. They were supposed to call me back (second tier support) by 3:00 today; they set the time, not me. (It's now 3:47.)

I modified my postfix configuration on my mail server to enable smtp sasl and used the credentials of my newly created portal account and smtp.po1.comcast.net:587 (Thanks as well NetFixer for pointing the portal account site out to me) and all is now working.

I will call Comcast Business support line and fill them in so maybe they can help other people that got hit by this unannounced update.

Just really wish they could have given me a heads up before making this kind of change and any followup after the fact would have gone a long way.
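
Added example, not part of netmask's post and not Comcast's documentation: a Postfix main.cf fragment of the kind described above, with the old IP-trusted relay setting beside SASL-authenticated submission to smtp.po1.comcast.net:587. The file paths (FreeBSD ports layout), the placeholder credentials, and STARTTLS being offered on port 587 are assumptions.

```conf
# --- Before: relay trusted the source IP, no credentials (what stopped working) ---
# relayhost = [smtp.comcast.net]:25

# --- After: /usr/local/etc/postfix/main.cf (path assumed) ---
# Requires a Postfix build with SASL client support; `postconf -A` lists
# the available SASL client plug-in types.

# Brackets suppress the MX lookup so Postfix connects to this exact host.
relayhost = [smtp.po1.comcast.net]:587

# Turn on the SASL client and point it at a table of per-relay credentials.
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/usr/local/etc/postfix/sasl_passwd

# Refuse anonymous mechanisms. Plaintext mechanisms (PLAIN/LOGIN) stay
# allowed only because the session is forced onto TLS below.
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous

# Assumption: the relay offers STARTTLS on 587. "encrypt" makes Postfix
# defer mail instead of sending the password over a cleartext session.
smtp_tls_security_level = encrypt

# --- /usr/local/etc/postfix/sasl_passwd (separate file, placeholder values) ---
# The lookup key must match relayhost exactly, brackets and port included.
# [smtp.po1.comcast.net]:587    PORTAL_USERNAME:PORTAL_PASSWORD
#
# Then, as root (postmap gives the .db the same group/other read bits as
# its source, so restrict the source first):
#   chmod 600 /usr/local/etc/postfix/sasl_passwd
#   postmap /usr/local/etc/postfix/sasl_passwd
#   postfix reload
```

A successful delivery after the change logs the new relay name and port with `status=sent`, in place of the `550 5.1.0 Authentication required` bounce quoted at the top of the thread.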

n0xlf
join:2001-03-28
Castle Rock, CO

n0xlf

Member

You can also use smtp.hmc1.comcast.net with BC, just FYI..

Authenticating is also a good idea because if you are using their smtp as a smarthost, some spam filtering will majorly penalize you for not authenticating, thinking that it is an open relay.

vbcabin
join:2011-01-04
Philadelphia, PA

vbcabin to netmask

Member

to netmask
Comcast Business-class customers should NOT be using "smtp.comcast.net" as their outbound server. This is only to be used by Comcast residential customers. You are correct in that there was a recent change to Comcast.net where some IP ranges were removed from the "on-net" list that allows Residential customers to use non-AUTH port 25.

If you are a Business-class subscriber, you must use either of these outbound servers (depends on where your mailbox resides):
smtp.hmc1.comcast.net
smtp.po1.comcast.net
smtp.po2.comcast.net

For Business-class service, you are required to authenticate over 25, 465, and 587.
vbcabin

vbcabin to netmask

Member

to netmask
See my update further down the thread...

We apologize for the unfortunate impact to you and other subscribers. We did not anticipate that a change to the Residential mail platform would impact Commercial subscribers. Several customers like yourself were using the residential SMTP server for quite a while and our policies on the residential mail servers were allowing your IP to bypass AUTH.

By changing your Outgoing SMTP server in your mail client, this will fix the problem and you will be Authenticating through the Commercial mail servers.

Please switch SMTP outbound to: smtp.hmc1.comcast.net