
dslcreature
Premium
join:2010-07-10
Seattle, WA
reply to NetFixer

Re: Comcast decides to block port 25 IN and OUT with no notice.

said by NetFixer:

That is a broken record response; not reality. You can use
whatever port that any mail submission server supports except for port 25

This does not help when the server I want to send is only listening on port 25.

said by NetFixer:

How about checking with your mail submission server's admin to find out how to properly use their service? And

FWIW, "Connection refused" is an authentication response, not a connectivity response; either you are trying to use a mail submission server where you don't have a valid account, or you are not properly authenticating to that server.

It means what RFC 793 says it means.

said by NetFixer:

I would have no problems (and in fact don't have any problems) sending email through the email servers shown in the above example; but I do have to properly authenticate with those servers in order to do so.

It seems to me that you currently do have Internet access. Not being allowed to use port 25 is the normal situation for residential Internet accounts with most ISPs; Comcast is just finally joining with the rest of the industry.

Life happens; get on with yours.

I know of plenty of ISPs not blocking outgoing 25. I will most likely be switching to one of them.

saratoga66

join:2002-08-22
Saratoga, CA
said by dslcreature:

I know of plenty of ISPs not blocking outgoing 25. I will most likely be switching to one of them.

I think you should be looking for a new email provider not an ISP. Any email provider that doesn't allow any port other than 25 is probably in bad shape and will be going out of business soon.

As stated in this thread, most residential ISPs block port 25, and the ones that don't probably eventually will.

I connect to multiple email providers with my Comcast connection. I have not used port 25 in many years.


NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:12
Reviews:
·SONIC.NET
·Pacific Bell - SBC
reply to dslcreature
said by dslcreature:

I know of plenty of ISPs not blocking outgoing 25. I will most likely be switching to one of them.

Any of them on the national level?

Around here:

• AT&T: Blocks port 25 in/out on dynamic residential service.
• Comcast: Blocks port 25 (new) in/out on dynamic residential service.
• DSL Extreme: Blocks port 25 out (not sure about in) on dynamic residential service.
• Paxio: I don't know, but not widely available outside of the City of Santa Clara.
• Sonic.net, LLC: Blocks port 25 in/out on dynamic residential service.

All of the listed port 25 blocking ISPs prohibit running servers from dynamic residential service.

All of the listed port 25 blocking ISPs have a provision for unblocking; most for additional cost.

Since you are referring to the RFCs, know that the RFCs permit ISPs to take steps to mitigate abuse of their network. And one, in particular, addresses user message submission: RFC 6409.

And, yes, if you must have access to port 25, find yourself an ISP which permits it.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum


dslcreature
Premium
join:2010-07-10
Seattle, WA
said by NormanS:

said by dslcreature:

I know of plenty of ISPs not blocking outgoing 25. I will most likely be switching to one of them.

Since you are referring to the RFCs, know that the RFCs permit ISPs to take steps to mitigate abuse of their network. And one, in particular, addresses user message submission: RFC 6409.

And, yes, if you must have access to port 25, find yourself an ISP which permits it.

Thankfully I was able to effectively bypass the port blocking, so I will be sticking with Comcast after all. Here in the city of rain we still have local choices.

RFCs are not enforceable nor are they grants of authority or legitimacy. While some may communicate best practices there is no "permit".

Email is teetering on the edge of uselessness. Totally insecure, untrusted, unreliable and as much spam as ever. Every well-intentioned measure imposed over the years just makes life more difficult for the user and solves nothing in the end. XMPP or solutions like it are the future.


NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:12
Reviews:
·SONIC.NET
·Pacific Bell - SBC
said by dslcreature:

RFCs are not enforceable nor are they grants of authority or legitimacy. While some may communicate best practices there is no "permit".

I suppose the same can be said for social courtesy. But Robert Anson Heinlein's Lazarus Long noted that:
quote:
Moving parts in rubbing contact require lubrication to avoid excessive wear. Honorifics and formal politeness provide lubrication where people rub together. Often the very young, the untraveled, the naive, the unsophisticated deplore these formalities as “empty,” “meaningless,” or “dishonest,” and scorn to use them. No matter how “pure” their motives, they thereby throw sand into machinery that does not work too well at best.

The RFCs are like oil on the moving parts in rubbing contact. To disregard the RFCs is to throw sand into the machinery.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum


dslcreature
Premium
join:2010-07-10
Seattle, WA
said by NormanS:

said by dslcreature:

RFCs are not enforceable nor are they grants of authority or legitimacy. While some may communicate best practices there is no "permit".

I suppose the same can be said for social courtesy. But Robert

The RFCs are like oil on the moving parts in rubbing contact. To disregard the RFCs is to throw sand into the machinery.

Who used the word disregard? Hint it was not me. I pointed out the word "permit" is inaccurate in the context it was used.

The reality is most RFCs never see widespread adoption or even ever implemented. Legitimacy and value are driven by the marketplace.


NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:12
Reviews:
·SONIC.NET
·Pacific Bell - SBC
said by dslcreature:

The reality is most RFCs never see widespread adoption or even ever implemented. Legitimacy and value are driven by the marketplace.

Indeed; how would one implement RFC 2549?
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum


NetFixer
Freedom is NOT Free
Premium
join:2004-06-24
The Boro
Reviews:
·Cingular Wireless
·Comcast Business..
·Vonage
reply to dslcreature
said by dslcreature:

said by NetFixer:

That is a broken record response; not reality. You can use
whatever port that any mail submission server supports except for port 25

This does not help when the server I want to send is only listening on port 25.

In that case, you will need to find either an alternative mail submission server, or make a change in your ISP. I had to do that over a decade ago when my ISP BellSouth started blocking port 25, and their hosting service (I used BellSouth for both services at that time) only accepted mail submission on port 25. I dropped both services and went with Covad as my ISP, and I hosted my own email server.

said by dslcreature:

said by NetFixer:

How about checking with your mail submission server's admin to find out how to properly use their service? And

FWIW, "Connection refused" is an authentication response, not a connectivity response; either you are trying to use a mail submission server where you don't have a valid account, or you are not properly authenticating to that server.

It means what RFC 793 says it means.

You must be connecting to (or trying to connect to) an interesting server, because the RFC you referenced says that the "Connection refused" reply is used when an already OPEN connection is reset.

Every connection attempt I make to multiple servers that do not support (or block) specific ports returns a "Connect failed" reply.

C:\>telnet fmailhost.isp.att.net 25
Connecting To fmailhost.isp.att.net...Could not open connection to the host, on port 25: Connect failed
 
C:\>telnet fmailhost.isp.att.net 587
Connecting To fmailhost.isp.att.net...Could not open connection to the host, on port 587: Connect failed
 
C:\>telnet mail.bellsouth.net 25
Connecting To mail.bellsouth.net...Could not open connection to the host, on port 25: Connect failed
 
C:\>telnet mail.bellsouth.net 587
Connecting To mail.bellsouth.net...Could not open connection to the host, on port 587: Connect failed
 
C:\>telnet smtp.dcs-net.net 25
Connecting To smtp.dcs-net.net...Could not open connection to the host, on port 25: Connect failed
 
C:\>telnet smtp.dcs-net.net 587
Connecting To smtp.dcs-net.net...Could not open connection to the host, on port 587: Connect failed
 

said by dslcreature:

said by NetFixer:

I would have no problems (and in fact don't have any problems) sending email through the email servers shown in the above example; but I do have to properly authenticate with those servers in order to do so.

It seems to me that you currently do have Internet access. Not being allowed to use port 25 is the normal situation for residential Internet accounts with most ISPs; Comcast is just finally joining with the rest of the industry.

Life happens; get on with yours.

I know of plenty of ISPs not blocking outgoing 25. I will most likely be switching to one of them.

Yes, there are ISPs who do not block outgoing (or incoming) port 25 sessions. In fact, you can subscribe to ISP services from both AT&T and Comcast in this area that do not block port 25. Neither of my current business class Comcast or AT&T connections block port 25.

--
A well-regulated militia, being necessary to the security of a free State, the right of the people to keep and bear arms shall not be infringed.

When governments fear people, there is liberty. When the people fear the government, there is tyranny.


NetFixer
Freedom is NOT Free
Premium
join:2004-06-24
The Boro
Reviews:
·Cingular Wireless
·Comcast Business..
·Vonage
reply to dslcreature
said by dslcreature:

Thankfully I was able to effectively bypass the port blocking, so I will be sticking with Comcast after all. Here in the city of rain we still have local choices.

Glad to hear that you found a solution. I think that many of us would like to know how you did that without using an alternate mail submission port. Did you change your email hosting service? Were you actually able to find someone at Comcast (especially during the weekend) with the authority and knowledge to be able to lift the port 25 block from your account? Were you using a Microsoft email client with Microsoft's annoying tendency to revert the outgoing mail port to 25 despite what you set it to use?
--
A well-regulated militia, being necessary to the security of a free State, the right of the people to keep and bear arms shall not be infringed.

When governments fear people, there is liberty. When the people fear the government, there is tyranny.


dslcreature
Premium
join:2010-07-10
Seattle, WA
reply to NetFixer
said by NetFixer:

You must be connecting to (or trying to connect to) an interesting server, because the RFC you referenced says that the "Connection refused" reply is used when an already OPEN connection is reset.

Open in this context does not mean what you think it means. In the TCP state machine, the transition to Established is what counts.

said by NetFixer:

Every connection attempt I make to multiple servers that do not support (or block) specific ports returns a "Connect failed" reply.

C:\>telnet fmailhost.isp.att.net 25
Connecting To fmailhost.isp.att.net...Could not open connection to the host, on port 25: Connect failed
 
C:\>telnet fmailhost.isp.att.net 587
Connecting To fmailhost.isp.att.net...Could not open connection to the host, on port 587: Connect failed
 
C:\>telnet mail.bellsouth.net 25
Connecting To mail.bellsouth.net...Could not open connection to the host, on port 25: Connect failed
 
C:\>telnet mail.bellsouth.net 587
Connecting To mail.bellsouth.net...Could not open connection to the host, on port 587: Connect failed
 
C:\>telnet smtp.dcs-net.net 25
Connecting To smtp.dcs-net.net...Could not open connection to the host, on port 25: Connect failed
 
C:\>telnet smtp.dcs-net.net 587
Connecting To smtp.dcs-net.net...Could not open connection to the host, on port 587: Connect failed
 

Often you will find firewalls drop incoming requests on unused ports, and so the only feedback you are left with in this case is indistinguishable from a timeout.


NetFixer
Freedom is NOT Free
Premium
join:2004-06-24
The Boro
Reviews:
·Cingular Wireless
·Comcast Business..
·Vonage

1 edit
said by dslcreature:

said by NetFixer:

You must be connecting to (or trying to connect to) an interesting server, because the RFC you referenced says that the "Connection refused" reply is used when an already OPEN connection is reset.

Open in this context does not mean what you think it means. In the TCP state machine, the transition to Established is what counts.

said by NetFixer:

Every connection attempt I make to multiple servers that do not support (or block) specific ports returns a "Connect failed" reply.
...

Often you will find firewalls drop incoming requests on unused ports, and so the only feedback you are left with in this case is indistinguishable from a timeout.

And that was exactly my point. You earlier said that the server you want to connect to only listens to port 25 in one statement, and then later you said that you got a "Connection refused" reply when using an alternate mail submission port. If the server only listened to port 25, you should have never been able to establish a connection with Comcast blocking outbound port 25. Under those circumstances, getting a "Connection refused" reply would be most unusual (and that was why I posted the code showing that every server I tried returned a "Connection failed" reply).

And FWIW, here is an example where no firewall is involved at all:

C:\>telnet localhost 465
Connecting To localhost...Could not open connection to the host, on port 465: Connect failed
 

But I think that we are only discussing semantics here. The real question is how did you manage to get around Comcast's port 25 block if the server you needed to connect to only supports using port 25? You said that you found a workaround, but you did not tell us what that workaround was.

--
A well-regulated militia, being necessary to the security of a free State, the right of the people to keep and bear arms shall not be infringed.

When governments fear people, there is liberty. When the people fear the government, there is tyranny.


graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL
kudos:2
IPv6 transport to TCP port 25 still works


NetFixer
Freedom is NOT Free
Premium
join:2004-06-24
The Boro
Reviews:
·Cingular Wireless
·Comcast Business..
·Vonage

1 edit
said by graysonf:

IPv6 transport to TCP port 25 still works ;-)

Ah yes, a good possibility. Actually, some of my mail submission and POP3 retrieval these days defaults to using IPv6, and Comcast overlooking the need for separate IPv6 firewall rules is certainly possible (for a while anyway).

And here is an example of a mail submission test session that defaults to using IPv6:

webhost:/ # telnet smtp.gmail.com 25
Trying 2607:f8b0:4002:c02::6c...
Connected to smtp.gmail.com.
Escape character is '^]'.
220 mx.google.com ESMTP q6sm33696733qeu.1 - gsmtp
quit
221 2.0.0 closing connection q6sm33696733qeu.1 - gsmtp
Connection closed by foreign host.
 

Since I don't have a port 25 block, I forgot about the possibility of an IPv6 firewall misconfiguration by Comcast. This is also somewhat related to the IPv4/IPv6 ICMP echo response differences for smtp.comcast.net as I was recently discussing in another thread:

C:\>ping smtp.comcast.net
 
Pinging smtp.g.comcast.net [2001:558:fe14:70::30] from 2601:5:c80:62:e291:f5ff:fe95:beac with 32 bytes of data:
 
Reply from 2001:558:fe14:70::30: time=47ms
Reply from 2001:558:fe14:70::30: time=40ms
Reply from 2001:558:fe14:70::30: time=43ms
Reply from 2001:558:fe14:70::30: time=42ms
 
Ping statistics for 2001:558:fe14:70::30:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 40ms, Maximum = 47ms, Average = 43ms
 
C:\>
 
C:\>ping -4 smtp.comcast.net
 
Pinging smtp.g.comcast.net [68.87.26.155] with 32 bytes of data:
 
Request timed out.
Request timed out.
Request timed out.
Request timed out.
 
Ping statistics for 68.87.26.155:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
 

--
A well-regulated militia, being necessary to the security of a free State, the right of the people to keep and bear arms shall not be infringed.

When governments fear people, there is liberty. When the people fear the government, there is tyranny.
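The two things this part of the thread turns on, that a "Connection refused" reply is the RFC 793 RST from a port with no listener while a firewall that silently drops the SYN looks like a timeout, and graysonf's point that a port 25 block applied only to IPv4 leaves the IPv6 path open, can both be checked with one small probe. The code below is an added example written for this page, not code posted by anyone in the thread; it resolves a host over both address families, labels each connect attempt, and includes a loopback self-test that is constructed and needs no network. The command-line hostname is a placeholder.

```python
import errno
import socket
import sys

# Outcome labels. REFUSED is the RFC 793 behaviour: a SYN sent to a port with
# no listener is answered with RST, and the client learns that immediately.
# TIMEOUT is what a firewall that silently drops the SYN looks like from the
# client side; it cannot be told apart from a dead host without more data.
OPEN, REFUSED, TIMEOUT, UNREACHABLE = "open", "refused", "timeout", "unreachable"


def classify_connect(family, sockaddr, timeout=3.0):
    """Make one TCP connect attempt and map the outcome to a label."""
    s = socket.socket(family, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect(sockaddr)
        return OPEN
    except socket.timeout:          # SYN (or SYN/ACK) never answered
        return TIMEOUT
    except ConnectionRefusedError:  # RST received: port closed, not filtered
        return REFUSED
    except OSError as e:            # no route, address family not configured, etc.
        if e.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH, errno.EADDRNOTAVAIL):
            return UNREACHABLE
        return "error:%s" % (e.strerror or e.errno)
    finally:
        s.close()


def probe(host, port, timeout=3.0):
    """Resolve host over IPv4 and IPv6 and probe every address on port.

    Returns a list of (family_name, address, outcome) tuples, so a block that
    applies only to IPv4 shows up as TIMEOUT on the A record and OPEN on AAAA.
    """
    results, seen = [], set()
    for family, _, _, _, sockaddr in socket.getaddrinfo(host, port, type=socket.SOCK_STREAM):
        if (family, sockaddr) in seen:
            continue
        seen.add((family, sockaddr))
        name = "IPv6" if family == socket.AF_INET6 else "IPv4"
        results.append((name, sockaddr[0], classify_connect(family, sockaddr, timeout)))
    return results


def demo_local():
    """Constructed offline self-test on loopback: a throwaway listener yields
    OPEN; the same port after the listener closes yields REFUSED, which is the
    RST case, not a timeout."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    before = [outcome for _, _, outcome in probe("127.0.0.1", port)]
    srv.close()
    after = [outcome for _, _, outcome in probe("127.0.0.1", port)]
    return before, after


if __name__ == "__main__":
    # Usage: python probe25.py mail.example.com 25 587   (hostname is a placeholder)
    if len(sys.argv) < 3:
        print(demo_local())
    else:
        for p in sys.argv[2:]:
            for fam, addr, outcome in probe(sys.argv[1], int(p)):
                print("%s %s port %s: %s" % (fam, addr, p, outcome))
```

Run against a real submission host on ports 25 and 587 from a residential connection, a TIMEOUT on the IPv4 address beside an OPEN on the IPv6 address is the IPv4-only block the thread describes; REFUSED on either means the packet got through and the server simply has nothing listening there.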


dslcreature
Premium
join:2010-07-10
Seattle, WA
reply to NetFixer
said by NetFixer:

And that was exactly my point. You earlier said that the server you want to connect to only listens to port 25 in one statement, and then later you said that you got a "Connection refused" reply

You assumed connection refused was generated by a layer above TCP: "FWIW, "Connection refused" is an authentication response"

said by NetFixer:

when using an alternate mail submission port. If the server only listened to port 25, you should have never been able to establish a connection with Comcast blocking outbound port 25. Under those circumstances, getting a "Connection refused" reply would be most unusual (and that was why I posted the code showing that every server I tried returned a "Connection failed" reply).

No TCP session was established. Connection refused came from the alternate port only. I would suspect your Windows telnet client, assuming nothing is being filtered.


$ telnet x.x.x.x 587
Trying x.x.x.x...
telnet: connect to address x.x.x.x: Connection refused


said by NetFixer:

But I think that we are only discussing semantics here. The real question is how did you manage to get around Comcast's port 25 block if the server you needed to connect to only supports using port 25?

Wish I had something useful to say. My workaround involved a little packet mangling and GRE.


NetFixer
Freedom is NOT Free
Premium
join:2004-06-24
The Boro
Reviews:
·Cingular Wireless
·Comcast Business..
·Vonage
said by dslcreature:

said by NetFixer:

And that was exactly my point. You earlier said that the server you want to connect to only listens to port 25 in one statement, and then later you said that you got a "Connection refused" reply

You assumed connection refused was generated by a layer above TCP: "FWIW, "Connection refused" is an authentication response"

Yes, I did initially assume that your "Connection refused" reply was a result of using an email client, and in that context that reply would have been an authentication problem.

said by dslcreature:

said by NetFixer:

when using an alternate mail submission port. If the server only listened to port 25, you should have never been able to establish a connection with Comcast blocking outbound port 25. Under those circumstances, getting a "Connection refused" reply would be most unusual (and that was why I posted the code showing that every server I tried returned a "Connection failed" reply).

No TCP session was established. Connection refused came from the alternate port only. I would suspect your Windows telnet client, assuming nothing is being filtered.


$ telnet x.x.x.x 587
Trying x.x.x.x...
telnet: connect to address x.x.x.x: Connection refused

And I also said (see that quote below) we were only discussing semantics at that point. And, FWIW, the results below are from an OpenSuSE telnet client if one's OS needs to be brought into the conversation (and still no "Connection refused" reply from here).

webhost:/ # telnet fmailhost.isp.att.net 587
Trying 204.127.217.18...
telnet: connect to address 204.127.217.18: Connection timed out
 
webhost:/ # telnet fmailhost.isp.att.net 25
Trying 204.127.217.18...
telnet: connect to address 204.127.217.18: Connection timed out
 
webhost:/ # telnet mail.bellsouth.net 587
Trying 204.127.217.17...
telnet: connect to address 204.127.217.17: Connection timed out
Trying 207.115.11.17...
telnet: connect to address 207.115.11.17: Connection timed out
 

Also FWIW, I am not the one filtering the information in my posts; I have used real hostnames and real IP addresses in every post I have made in this thread (and in almost every thread I have posted in on this site).

said by dslcreature:

said by NetFixer:

But I think that we are only discussing semantics here. The real question is how did you manage to get around Comcast's port 25 block if the server you needed to connect to only supports using port 25?

Wish I had something useful to say. My workaround involved a little packet mangling and GRE.

Well, if you don't want to tell us what you did...

--
A well-regulated militia, being necessary to the security of a free State, the right of the people to keep and bear arms shall not be infringed.

When governments fear people, there is liberty. When the people fear the government, there is tyranny.


dslcreature
Premium
join:2010-07-10
Seattle, WA
said by NetFixer:

And I also said (see that quote below) we were only discussing semantics at that point. And, FWIW, the results below are from an OpenSuSE telnet client if one's OS needs to be brought into the conversation (and still no "Connection refused" reply from here).

I broke this down in earlier messages about the firewalls. All of these sites have firewalls that drop packets on these ports. You won't be seeing any response from these particular sites; it's standard operating procedure.

If you really want to see connection refused for yourself try
telnet route-server.cerf.net 587

said by NetFixer:

Also FWIW, I am not the one filtering the information in my posts; I have used real hostnames and real IP addresses in every post I have made in this thread (and in almost every thread I have posted in on this site).

Good for you


NetFixer
Freedom is NOT Free
Premium
join:2004-06-24
The Boro
Reviews:
·Cingular Wireless
·Comcast Business..
·Vonage
said by dslcreature:

said by NetFixer:

And I also said (see that quote below) we were only discussing semantics at that point. And, FWIW, the results below are from an OpenSuSE telnet client if one's OS needs to be brought into the conversation (and still no "Connection refused" reply from here).

I broke this down in earlier messages about the firewalls. All of these sites have firewalls that drop packets on these ports. You won't be seeing any response from these particular sites; it's standard operating procedure.

If you really want to see connection refused for yourself try
telnet route-server.cerf.net 587

That wasn't so hard; now everyone knows what you are saying instead of having to guess.

I do see the "Connection refused" reply on my OpenSuSE box for both port 25 and port 587 telnet sessions to that server (but I also still see the "Connect failed" reply from a Windows telnet session). However, I don't have a port 25 block on my Comcast connection, and I can't establish a port 25 telnet session to that server either. If that is indeed the mail server that you have been using all along with port 25, it may not be entirely Comcast that was causing your problem.

Here is a sample command session showing my results at attempting to connect to that server on port 25 (and a sanity check on another AT&T mail server using port 25):


webhost:/ # telnet route-server.cerf.net 25
Trying 12.129.193.235...
telnet: connect to address 12.129.193.235: Connection refused
 
webhost:/ # whois 12.129.193.235
#
# Query terms are ambiguous.  The query is assumed to be:
#     "n 12.129.193.235"
#
# Use "?" to get help.
#
 
#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=12.129.193.235?showDetails=true&showARIN=false&ext=netref2
#
 
CERFnet ATTENS-LAX1-1 (NET-12-129-192-0-1) 12.129.192.0 - 12.129.255.255
AT&T Services, Inc. ATT (NET-12-0-0-0-1) 12.0.0.0 - 12.255.255.255
 
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
 
webhost:/ # traceroute-lbl -I route-server.cerf.net
traceroute-lbl to route-server.cerf.net (12.129.193.235), 30 hops max, 38 byte packets
 1  gw1 (192.168.9.254)  0.498 ms  0.402 ms  0.211 ms
 2  107.3.232.1 (107.3.232.1)  32.276 ms  23.937 ms  19.099 ms
 3  xe-4-0-0-32767-sur02.murfreesboro.tn.nash.comcast.net (68.85.50.129)  8.167 ms  8.114 ms  12.274 ms
 4  xe-0-0-9-0-ar01.goodslettvll.tn.nash.comcast.net (68.86.176.105)  12.128 ms  12.955 ms  11.018 ms
 5  pos-5-5-0-0-cr01.56marietta.ga.ibone.comcast.net (68.86.90.101)  20.134 ms  23.322 ms  23.951 ms
 6  pos-0-11-0-0-pe01.56marietta.ga.ibone.comcast.net (68.86.88.186)  20.793 ms  20.528 ms  24.497 ms
 7  as7018-pe01.56marietta.ga.ibone.comcast.net (75.149.228.86)  20.832 ms  23.706 ms  19.673 ms
 8  cr1.attga.ip.att.net (12.122.141.182)  71.489 ms  74.229 ms  73.368 ms
 9  cr2.dlstx.ip.att.net (12.122.28.174)  71.648 ms  71.379 ms  70.723 ms
10  cr2.la2ca.ip.att.net (12.122.28.178)  70.593 ms  72.276 ms  71.962 ms
11  gar29.la2ca.ip.att.net (12.122.129.241)  69.163 ms  68.652 ms  69.106 ms
12  12-122-254-238.attens.net (12.122.254.238)  70.305 ms 12.122.251.190 (12.122.251.190)  69.977 ms 12-122-254-234.attens.net (12.122.254.234)  69.009 ms
13  mdf001c7613r0003-gig-12-1.lax1.attens.net (12.129.193.254)  68.893 ms  70.183 ms  68.519 ms
14  route-server.cerf.net (12.129.193.235)  69.908 ms  69.663 ms  69.290 ms
 
webhost:/ # telnet outbound.att.net 25
Trying 68.142.198.51...
Connected to outbound.att.net.
Escape character is '^]'.
220 smtp107.sbc.mail.mud.yahoo.com ESMTP
quit
221 Service Closing transmission
Connection closed by foreign host.
 


I want to thank you for this post. When doing the above test, I also tried from my new U-verse backup connection (since the server does appear to be hosted on AT&T's network) and found that AT&T was blocking port 25 outbound (even to AT&T servers). That is a business class connection and port 25 should not be blocked (and it wasn't blocked on the DSL circuit that it recently replaced), so I will need to look into that with AT&T support.

--
A well-regulated militia, being necessary to the security of a free State, the right of the people to keep and bear arms shall not be infringed.

When governments fear people, there is liberty. When the people fear the government, there is tyranny.