TheMayor
join:2002-05-09

TheMayor to js339

Member

to js339

Re: Why is _incoming_ port 25 blocked?

Isn't it on email, port 25 is used for outgoing & port 110 used for incoming?
js339
join:2007-03-10
Vancouver, WA

js339

Member

Yes, port 25 is used to send mail, and port 110 is used to place an outgoing connection to fetch incoming mail (POP3).

I want to receive others' outgoing mail directly at my machine, and I cannot because the port is apparently blocked both directions, not just outgoing.

billaustin
they call me Mr. Bill
MVM
join:2001-10-13
North Las Vegas, NV

billaustin

MVM

»qwest.centurylink.com/in ··· -25.html

This affects all CL customers on a Dynamic IP. You can try Chat Support and ask them to turn it off, but you will probably have to order a static IP to get it done.

former qwest
@qwest.net

former qwest to js339

Anon

to js339
It might depend on your (former) provider. With qwest (q.com), my incoming is on port 110 and outgoing is on 587.

billaustin
they call me Mr. Bill
MVM
join:2001-10-13
North Las Vegas, NV

billaustin

MVM

said by former qwest :

It might depend on your (former) provider. With qwest (q.com), my incoming is on port 110 and outgoing is on 587.

Those are some of the ports used by email clients to communicate with the email server. Email servers communicate with each other using Port 25, which is what the OP is trying to get working.

NormanS
I gave her time to steal my mind away
MVM
join:2001-02-14
San Jose, CA
TP-Link TD-8616
Asus RT-AC66U B1
Netgear FR114P

NormanS to former qwest

MVM

to former qwest
said by former qwest :

It might depend on your (former) provider. With qwest (q.com), my incoming is on port 110 and outgoing is on 587.

Well, sort of. With AT&T (nee SBC), outbound port 25 connections were blocked effective Sept., 2002, but inbound port 25 connections were not (outbound could be unblocked by request). When I changed service to Sonic.net, LLC, port 25 connections were blocked in both directions for dynamic accounts, but not blocked at all for static accounts.

Keep in mind: if you run email service, you must have inbound port 25 access, or other ESPs won't be able to forward email to your domain. Port 25 access on dynamic residential accounts varies by ISP, depending on their policies.
js339
join:2007-03-10
Vancouver, WA

js339

Member

I've had various issues with open ports being inaccessible remotely, and I've been told repeatedly by support staff that it is not their policy to block any ports except for port 25 outgoing.

It's very frustrating because either this is not the truth, or else the ports are being blocked unintentionally or unbeknownst to the support staff.

NormanS
I gave her time to steal my mind away
MVM
join:2001-02-14
San Jose, CA
TP-Link TD-8616
Asus RT-AC66U B1
Netgear FR114P

NormanS

MVM

said by js339:

I've had various issues with open ports being inaccessible remotely, and I've been told repeatedly by support staff that it is not their policy to block any ports except for port 25 outgoing.

It's very frustrating because either this is not the truth, or else the ports are being blocked unintentionally or unbeknownst to the support staff.

Then they don't really know CL policy for ports. For residential, dynamic IP connections, almost all ISPs block at least some of the NetBIOS ports (136-139), and, I think it was 445 used by one of the Internet worms.

The average residential Internet user doesn't need access to every TCP/IP port, and probably isn't knowledgeable enough to secure them. Unfortunately, most ISPs charge extra for the level of service which allows access, if they offer it at all.
js339
join:2007-03-10
Vancouver, WA

js339

Member

said by NormanS :

Then they don't really know CL policy for ports.

Unless you work for them, or you have a reference, you don't either. Unless you want to make it clear who you are representing, you're just speaking in generalities about ISPs, and that's not very helpful to me.

The person I chatted with on customer support suggested the possibility of a static IP address, which could have outgoing port 25 unblocked on request, but since he was unaware of any blocking for incoming port 25 access, he was unsure whether that would even help.

Irish Shark
Play Like A Champion Today
MVM
join:2000-07-29
Las Vegas, NV

Irish Shark

MVM

The rep is correct: »qwest.centurylink.com/in ··· t25.html
»www.centurylink.com/Page ··· agement/

I have Cox and Port 25 is blocked in both directions. »ww2.cox.com/residential/ ··· 00000000

However, SMTP is permitted outbound to Cox-provided SMTP servers.

"I cannot receive mail at my primary MX, (set up through a dynamic DNS provider) because the port is blocked."

I think this is your problem. The following are the ports to use for e-mail sending and receiving on CL.
»qwest.centurylink.com/in ··· ngs.html

I use Gmail and I get my mail from Cox using POP.

NormanS
I gave her time to steal my mind away
MVM
join:2001-02-14
San Jose, CA
TP-Link TD-8616
Asus RT-AC66U B1
Netgear FR114P

NormanS to js339

MVM

to js339
Well, sir, I am, indeed, speaking in generalities; based on my direct experience of two ISPs (SBC/AT&T and Sonic.net, LLC), as well as indirect knowledge of the policies of a handful of other ISPs. And both offer static IP addresses, with open access to most ports (that I know of, though I don't need, so haven't tested, the NetBIOS ports).

If getting a static IP address is not an option for you, though it is offered by CenturyLink, then I am truly sorry that I can't offer any other advice. Just the observation that port 25 is widely blocked in both directions on residential, dynamic IP services.

billaustin
they call me Mr. Bill
MVM
join:2001-10-13
North Las Vegas, NV

billaustin to js339

MVM

to js339
If you are going to operate your own mail server, you really need a static IP. This opens up Port 25 so your server can receive mail. You should also have your server forward all outgoing mail to the CenturyLink SMTP server to prevent it from being treated as spam by other mail servers. I would recommend logging into your CL primary account and creating a separate email address just for the server.
js339
join:2007-03-10
Vancouver, WA

js339 to Irish Shark

Member

to Irish Shark
I stand corrected. Thanks for the link and info, both of you.

I guess I shouldn't be surprised, but I'm rather appalled that front-line customer support staff weren't aware of their company's policy, which would have saved me a whole lot of time, aggravation, and frustration. The attitude that really frosts me is that 99% of the support staff don't need to know what 99% of the customers don't need to know, and ISPs can just start blocking ports and filtering all and sundry willy-nilly when they feel like it, because 99% of the general public doesn't need to access anything but Facebook, Google, and YouTube on a residential internet connection.

My beef with Gmail and kin is that they all tend to have this same 99% attitude. 99% of my emails get through, but there's that 1% that doesn't---sometimes very important messages---get caught in the deep dark void of Google's spam filter, and do not even show up in my spam folder, so I'm completely unaware of them, or else there is a site I cannot access because Gmail silently discards my password recovery mail as spam.

I believe that all spam filtering should be done at SMTP time, and when and if an email is accepted for delivery, it should be delivered: any further filtering should be in full control of the end user. There is no reason to break that expectation.

It's frustrating when Gmail accepts mail on my behalf, and then silently discards it as spam, and I have yet to find a viable alternative.
js339

js339 to billaustin

Member

to billaustin
said by "billaustin" :

You should also have your server forward all outgoing mail to the CenturyLink SMTP server to prevent it from being treated as spam by other mail servers.

I already do that via Gmail. Although I am not 100% happy with Gmail, I think my best solution for now in this case is to leave my MX pointing only to Google's mail servers, and then use a utility called fetchmail to retrieve mail via POP and deliver it locally on my machine.

In any case, (except for the shoddy spam filtering I have to put up with) I can have the full functionality of a mail server even though I am not sending or receiving mail directly on port 25.

NormanS
I gave her time to steal my mind away
MVM
join:2001-02-14
San Jose, CA
TP-Link TD-8616
Asus RT-AC66U B1
Netgear FR114P

NormanS to js339

MVM

to js339
said by js339:

I stand corrected. Thanks for the link and info, both of you.

I would that I could have offered direct links, but CL wants zip codes, and mine doesn't work for them. So I tried shooting in the dark.

... and ISPs can just start blocking ports and filtering all and sundry willy-nilly when they feel like it ...

Again, in my experience, there is nothing random about port blocking. For the NetBIOS ports, the ISPs are not selling local area networking; and NetBIOS is inherently insecure, and not suited for use on WAN (the public Internet). It is a part of the ISPs' own network security policy to force sharing through specific user applications (most ISPs don't block FTP, that I am aware of).

For SMTP service, most ISPs offer their own, in-house, or sub-contracted email service. But most residential users don't even think about security at all, and some are prone to fall prey to 'bots, which take over their system to spew spam outbound to port 25. When I first started running my own server, I actually counted incoming port 25 connections (at that time still permitted on SBC) from dubious sources. The two largest offenders were SBC (1st in spam, 2nd in customer count) and Comcast (2nd in spam, 1st in customer count). By the end of 2002, each ISP had implemented port 25 policies (Comcast would push a port 25 blocked modem config file to offending customers; SBC just implemented a system-wide block on outbound port 25). By the summer of 2003, both ISPs were in a dead heat for dead last in dubious SMTP connections from compromised customer machines, with Verizon and Road Runner the two top offenders. As a spam mitigation technique, port 25 blocks work.

Aside from some vulnerable Windows networking function on, I believe, port 445, I am not aware of any other widely blocked ports. ISPs are responsible for the security of their networks, and will, even should, implement security policies for the greater good of their customers.

I believe there exists a small, tech-savvy subset of ISP customers capable of responsible access to useful ports, for whom an ISP should offer a different level of service, at a reasonable fee. Many ISPs do just that (with the probable caveat that their fees may not be reasonable) by offering static IP address packages.

I believe that all spam filtering should be done at SMTP time, and when and if an email is accepted for delivery ...

It's frustrating when Gmail accepts mail on my behalf, and then silently discards it as spam, and I have yet to find a viable alternative.

I agree, and the viable alternative, if one is willing to tackle the job, is to run one's own mail server. I like that my ISP does offer static IP addresses for a reasonable fee; to include setting rDNS, so the server host name is in my domain.

MooJohn
join:2005-12-18
Milledgeville, GA

MooJohn

Member

There is another "middle" option: a web hosting package with email. I'm a very happy customer of Fused.com and it would cost you a whopping $15/month for some web hosting space and email, and you have control over every aspect of your email -- perfect if you want to pair it with fetchmail that js339 mentioned to pull it from their server to yours.

You gain a permanent IP for your mail and backup space online even if you never put anything on the web side except a placeholder page. I'm pretty picky when it comes to paying anyone for server space and I've got to say Fused never fails to impress - and that's coming from the grouchiest admin around!

NormanS
I gave her time to steal my mind away
MVM
join:2001-02-14
San Jose, CA
TP-Link TD-8616
Asus RT-AC66U B1
Netgear FR114P

NormanS

MVM

said by MooJohn:

You gain a permanent IP for your mail and backup space ...

Is that IP address yours alone, or shared with others? I ask because DNSBLs list IP addresses; if one of your IP neighbors is caught in a DNSBL listing, your server will also be.
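Editor's added example, not part of any poster's message: a sketch of why a DNSBL listing follows the IP address rather than the mail domain, as raised in the post above. The zone name `dnsbl.example`, the host names, and the in-memory zone are constructed for illustration; the query-name format follows RFC 5782, and the IPv6 case goes beyond what the thread discusses.

```python
import ipaddress
import socket

def dnsbl_query_name(ip, zone):
    """Build the DNS name a DNSBL client looks up for `ip` in `zone` (RFC 5782)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]                   # octets, reversed
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]   # nibbles, reversed
    return ".".join(labels) + "." + zone.strip(".")

def is_listed(ip, zone, resolve=socket.gethostbyname):
    """True if the zone answers with an A record inside 127.0.0.0/8."""
    try:
        answer = resolve(dnsbl_query_name(ip, zone))
    except (OSError, KeyError):        # NXDOMAIN / lookup failure: not listed
        return False
    # Answers outside 127/8 (e.g. a wildcarded or parked zone) are not listings.
    return ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")

# Constructed sample data: two tenants share one hosting IP, one has its own.
SHARED_HOSTING = {
    "mail.tenant-a.example": "192.0.2.10",
    "mail.tenant-b.example": "192.0.2.10",
    "mail.static.example": "198.51.100.7",
}
# Constructed zone contents: only the shared address is listed.
FAKE_ZONE = {"10.2.0.192.dnsbl.example": "127.0.0.2"}

def fake_resolve(name):
    """Offline stand-in for a DNS lookup; KeyError plays the role of NXDOMAIN."""
    return FAKE_ZONE[name]

def listing_report(hosts, zone, resolve):
    """Map each mail host to whether its IP is listed; the host name is never queried."""
    return {host: is_listed(ip, zone, resolve) for host, ip in hosts.items()}

if __name__ == "__main__":
    for host, listed in listing_report(SHARED_HOSTING, "dnsbl.example", fake_resolve).items():
        print(f"{host:24} {'LISTED' if listed else 'clean'}")
```

Both tenants on 192.0.2.10 come back listed even though only one of them need have caused the listing; the host on its own address is unaffected.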
js339
join:2007-03-10
Vancouver, WA

js339

Member

For Fused.com, anything less than $100 per month is shared. There are free shared web hosts for that matter, and yes most of them include shared email. That doesn't gain me anything over any other shared email provider.