NormanS Premium,MVM join:2001-02-14 San Jose, CA kudos:9
| reply to pclover
Re: Comcast decides to block port 25 IN and OUT with no notice.
said by pclover:
  Comcast in my area decided to block port 25 IN and OUT so my SMTP would stop working without notice.
Without notice? From other sources it appears that Comcast gave as much notice as SBC did when they implemented their port 25 embargo in 2002; I still have that e-mail announcement.
My current ISP blocks port 25 in both directions on DHCP accounts. They offer static IP accounts with no port 25 block. As others have suggested, a Comcast business account will give you port 25 access.
-- Norman ~Oh Lord, why have you come ~To Konnyu, with the Lion and the Drum |
|
JohnInSJ Premium join:2003-09-22 San Jose, CA
| reply to pclover
said by pclover:
  said by JohnInSJ:
    said by pclover:
      All email to email server communicates over port 25 AFIK for SMTP.
    And if you are running a server, you're using comcast business class with a static IP, and your port 25 is not blocked.
  Why is it assumed that I am running a server? I need to test to make sure an email server is working correctly!
You do? What kind of test are you running? Are you polling port 25 of an SMTP server? Is it your server? Why do you think repeated failed interactions with an SMTP server wouldn't get your IP banned at that server?
-- My place : »www.schettino.us |
|
NormanS Premium,MVM join:2001-02-14 San Jose, CA kudos:9
| said by JohnInSJ:
  You do? What kind of test are you running? Are you polling port 25 of an SMTP server? Is it your server? Why do you think repeated failed interactions with an SMTP server wouldn't get your IP banned at that server?
Why do you think testing will result in failure? Here is a test (from a residential connection, no less):
C:\util\dig>telnet mx1.comcast.net 25
Connecting To mx1.comcast.net...
220 imta09.westchester.pa.mail.comcast.net comcast ESMTP server ready
quit
221 2.0.0 imta09.westchester.pa.mail.comcast.net comcast closing connection
Connection to host lost.
Does that qualify as a failure?
FWIW, the source IP address is not in a DUL. The generic form of the rDNS is: 173-228-7-21x.dsl.static.sonic.net, which Sonic.net will not submit to any DUL for obvious reasons. But my specific IP address will respond with, 'mxa.mydomain.tld'.
-- Norman ~Oh Lord, why have you come ~To Konnyu, with the Lion and the Drum |
|
pclover join:2008-08-02 Santa Cruz, CA
| said by NormanS:
  said by JohnInSJ:
    You do? What kind of test are you running? Are you polling port 25 of an SMTP server? Is it your server? Why do you think repeated failed interactions with an SMTP server wouldn't get your IP banned at that server?
  Why do you think testing will result in failure? Here is a test (from a residential connection, no less):
  C:\util\dig>telnet mx1.comcast.net 25
  Connecting To mx1.comcast.net...
  220 imta09.westchester.pa.mail.comcast.net comcast ESMTP server ready
  quit
  221 2.0.0 imta09.westchester.pa.mail.comcast.net comcast closing connection
  Connection to host lost.
  Does that qualify as a failure?
  FWIW, the source IP address is not in a DUL. The generic form of the rDNS is: 173-228-7-21x.dsl.static.sonic.net, which Sonic.net will not submit to any DUL for obvious reasons. But my specific IP address will respond with, 'mxa.mydomain.tld'.
This points out that mail.comcast.net is responding to port 25.
This is what I need!
I need to verify on new servers that Port 25 can be accessed outside of the local network.
Does me no good to use an alternate port as email servers communicate with other email servers over port 25 and if that's not working SMTP will fail and the mail queue will start building.
I was quoted around 94$ a month for business phone and internet. Free install with 2 year agreement. |
|
JohnInSJ Premium join:2003-09-22 San Jose, CA
| reply to NormanS
said by NormanS:
  Does that qualify as a failure?
Repeated probes with no response to handshake gets you banned from my email server, other admins may choose other patterns of malicious behavior to ban on.
And you not being able to reach an email server is (clearly) no indication of the health of the server. Why do you feel the need to do this from a residential account?
-- My place : »www.schettino.us |
|
pclover join:2008-08-02 Santa Cruz, CA
| said by JohnInSJ:
  said by NormanS:
    Does that qualify as a failure?
  Repeated probes with no response to handshake gets you banned from my email server, other admins may choose other patterns of malicious behavior to ban on.
  And you not being able to reach an email server is (clearly) no indication of the health of the server. Why do you feel the need to do this from a residential account?
To test for firewall rules etc.
Yes, some servers WILL do that; however, you do have to abuse it.
Also this thread is getting pointless. No more replies are needed. |
|
jbob Reach Out and Touch Someone Premium join:2004-04-26 Little Rock, AR
| reply to pclover
Hmmmm... wonder if I missed the email? I have not noticed it here (the email notice) but just the same I quit using port 25 years ago. I even have port 25 blocked at my router to help prevent its usage from unexpected spam bots. |
|
NormanS Premium,MVM join:2001-02-14 San Jose, CA kudos:9
1 edit | reply to pclover
said by pclover:
  said by NormanS:
    said by JohnInSJ:
      You do? What kind of test are you running? Are you polling port 25 of an SMTP server? Is it your server? Why do you think repeated failed interactions with an SMTP server wouldn't get your IP banned at that server?
    Why do you think testing will result in failure? Here is a test (from a residential connection, no less):
    C:\util\dig>telnet mx1.comcast.net 25
    Connecting To mx1.comcast.net...
    220 imta09.westchester.pa.mail.comcast.net comcast ESMTP server ready
    quit
    221 2.0.0 imta09.westchester.pa.mail.comcast.net comcast closing connection
    Connection to host lost.
  This points out that mail.comcast.net is responding to port 25.
No, sir; actually it does not. I was testing against an MX server to refute an argument about the response of an MX server. Nor is my result a failure. It is the wholly expected response of an SMTP server to the, "QUIT" command.
If I were to try the same to the Comcast message submission server, based on the Comcast pubs I would expect failure on port 25 (source IP address is not a Comcast IP address block) but success (to the "QUIT" command) on port 465.
C:\util\dig>telnet mail.comcast.net 25
Connecting To mail.comcast.net...Could not open connection to the host,
on port 25: Connect failed
-- Norman ~Oh Lord, why have you come ~To Konnyu, with the Lion and the Drum |
|
NormanS Premium,MVM join:2001-02-14 San Jose, CA kudos:9
| reply to JohnInSJ
said by JohnInSJ:
  said by NormanS:
    Does that qualify as a failure?
  Repeated probes with no response to handshake gets you banned from my email server, other admins may choose other patterns of malicious behavior to ban on.
And you claim to run a server! Or is the SMTP "QUIT" command not a proper response to the handshake?
said by JohnInSJ:
  And you not being able to reach an email server is (clearly) no indication of the health of the server.
How is my posted result a failure to reach the server? The server properly responded with its banner, and properly accepted the RFC-compliant SMTP "QUIT" command. If, instead of quit, I had responded with, "EHLO mxa.mydomain.tld", I would have received additional SMTP prompts. As long as I continued to respond to prompts with proper, and appropriate commands, I could have sent an email to any Comcast user whose '@comcast.net' email address I know.
said by JohnInSJ:
  Why do you feel the need to do this from a residential account?
Why do you even care? As long as I am operating within the terms of my ISP.
-- Norman ~Oh Lord, why have you come ~To Konnyu, with the Lion and the Drum |
|
JohnInSJ Premium join:2003-09-22 San Jose, CA
| didn't see the quit, thought he just disconnected - forgive me. Whatever, no port 25 on residential, that's the rule.
-- My place : »www.schettino.us |
|
NormanS Premium,MVM join:2001-02-14 San Jose, CA kudos:9
| said by JohnInSJ:
  didn't see the quit, thought he just disconnected - forgive me. Whatever, no port 25 on residential, that's the rule.
Whose rule? And how do you actually determine "residential"? I test for "DUL" on my server; "Dynamic User List".
Do you see the difference?
173-228-99-1x.dsl.dynamic.sonic.net
173-228-7-21x.dsl.static.sonic.net
The first is not allowed to run servers; indeed, port 25 will be blocked both directions.
The second is allowed to run servers, with port 25 access not blocked.
Upon receiving my static IP address assignment, I used the control to set my rDNS to 'mxa.mydomain.tld'.
So how should this work on my end?
Your MX: "Banner"
My MX: "EHLO mxa.mydomain.tld"
Your MX: "Pleased to meet you, mxa.mydomain.tld"
My MX: "MAIL FROM norman@mydomain.tld"
Your MX: "norman@mydomain.tld OK, SEND RCPTS"
My MX: "RCPT TO: you@yourdomain.tld"
And so on; why should you have a problem with that?
-- Norman ~Oh Lord, why have you come ~To Konnyu, with the Lion and the Drum |
|
NetFixer From my cold dead hands Premium join:2004-06-24 The Boro
| reply to NormanS
said by NormanS:
  No, sir; actually it does not. I was testing against an MX server to refute an argument about the response of an MX server. Nor is my result a failure. It is the wholly expected response of an SMTP server to the, "QUIT" command.
  If I were to try the same to the Comcast message submission server, based on the Comcast pubs I would expect failure on port 25 (source IP address is not a Comcast IP address block) but success (to the "QUIT" command) on port 465.
  C:\util\dig>telnet mail.comcast.net 25
  Connecting To mail.comcast.net...Could not open connection to the host,
  on port 25: Connect failed
Actually using port 25 or port 587 to mail.comcast.net is doomed even from a Comcast IP address:
webhost:/ # telnet mail.comcast.net 25
Trying 2001:558:fe2d:70::33...
telnet: connect to address 2001:558:fe2d:70::33: Permission denied
Trying 2001:558:fe14:70::33...
telnet: connect to address 2001:558:fe14:70::33: Permission denied
Trying 76.96.40.158...
^C
webhost:/ # telnet mail.comcast.net 587
Trying 2001:558:fe2d:70::33...
telnet: connect to address 2001:558:fe2d:70::33: Permission denied
Trying 2001:558:fe14:70::33...
telnet: connect to address 2001:558:fe14:70::33: Permission denied
Trying 76.96.40.158...
^C
If you want to access the Comcast residential mail submission server, you have to use smtp.comcast.net (and that doesn't work on port 25 any more even if you are doing it from a Comcast IP address on a Comcast Business Class account):
webhost:/ # telnet smtp.comcast.net 25
Trying 2001:558:fe14:70::30...
Connected to smtp.comcast.net.
Escape character is '^]'.
554 omta20.westchester.pa.mail.comcast.net comcast Port 25 not allowed - http://customer.comcast.com/help-and-support/internet/email-client-programs-with-xfinity-email/
Connection closed by foreign host.
webhost:/ # telnet smtp.comcast.net 587
Trying 2001:558:fe14:70::30...
Connected to smtp.comcast.net.
Escape character is '^]'.
220 omta10.westchester.pa.mail.comcast.net comcast ESMTP server ready
quit
221 2.0.0 omta10.westchester.pa.mail.comcast.net comcast closing connection
Connection closed by foreign host.
OTOH, the Comcast Business Class mail submission server is still accessible using port 25:
webhost:/ # telnet smtp.po1.comcast.net 25
Trying 76.96.107.76...
Connected to smtp.po1.comcast.net.
Escape character is '^]'.
220 businessclass.comcast.net ESMTP mail service ready
quit
221 businessclass.comcast.net closing connection
Connection closed by foreign host.
-- A well-regulated militia, being necessary to the security of a free State, the right of the people to keep and bear arms shall not be infringed.
When governments fear people, there is liberty. When the people fear the government, there is tyranny. |
|
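The outcomes shown in the telnet sessions above (a 220 greeting answered with QUIT, a 554 "Port 25 not allowed" refusal, a refused or silently dropped connection) can be told apart by a short script. This is an added example, not code from any poster in the thread; the function names, the loopback stand-in server and its mx.example.test banners are constructed for the demonstration.

```python
import socket
import threading

def read_reply(f):
    """Read one SMTP reply; '220-...' lines continue it, '220 ...' ends it."""
    lines = []
    while True:
        line = f.readline().decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return lines

def classify_reply(line):
    """220 greets; 4xx/5xx (e.g. '554 ... Port 25 not allowed') refuses."""
    if line.startswith("220"):
        return "ready"
    return "rejected" if line[:1] in ("4", "5") else "unexpected"

def probe_smtp(host, port, timeout=5.0):
    """Return (outcome, greeting, quit_reply) for one complete, polite session."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return ("filtered", "", "")   # no answer at all: packets silently dropped
    except OSError:
        return ("closed", "", "")     # refused, unreachable or permission denied
    with sock, sock.makefile("rb") as f:
        try:
            greeting = read_reply(f)[0]
            outcome = classify_reply(greeting)
            if outcome != "ready":
                return (outcome, greeting, "")
            sock.sendall(b"QUIT\r\n")  # close the session instead of just dropping
            return (outcome, greeting, read_reply(f)[-1])
        except OSError:
            return ("unexpected", "", "")

def fake_server(banner):
    """Constructed loopback listener standing in for a mail server; returns its port."""
    srv = socket.create_server(("127.0.0.1", 0))
    port = srv.getsockname()[1]
    def serve():
        conn, _ = srv.accept()
        with srv, conn:
            conn.sendall(banner + b"\r\n")
            if banner.startswith(b"220") and conn.recv(64).strip() == b"QUIT":
                conn.sendall(b"221 2.0.0 closing connection\r\n")
    threading.Thread(target=serve, daemon=True).start()
    return port

if __name__ == "__main__":
    for code in (b"220", b"554"):     # constructed greetings, not real server output
        print(probe_smtp("127.0.0.1", fake_server(code + b" mx.example.test demo")))
```

Run against a real host, a "filtered" result on port 25 next to "ready" on port 587 from the same connection indicates a port 25 block on the path rather than a fault on the server.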
JohnInSJ Premium join:2003-09-22 San Jose, CA
| reply to NormanS
said by NormanS:
  said by JohnInSJ:
    didn't see the quit, thought he just disconnected - forgive me. Whatever, no port 25 on residential, that's the rule.
  Whose rule? And how do you actually determine "residential"? I test for "DUL" on my server; "Dynamic User List".
Comcast's rule, per the post title, is that they will block port 25 on residential accounts.
Am I in the wrong thread?
I frankly don't care at all, I am on business class with static IPs because the features and access I require are available with that service.
-- My place : »www.schettino.us |
|
jap Premium join:2003-08-10 038xx
| reply to pclover
said by pclover:
  All email to email server communicates over port 25 AFIK for SMTP.
It's the historically agreed upon default, yes, with 26 & 587 being widely observed alternates. I've been running my outbound mail through pobox.com's SMTP service since the late 1990s on 587.
Seems a lame faux-security move for Comcast to block a few single ports just because they're the supposed registered port for some given function. |
|
graysonf Premium,MVM join:1999-07-16 Fort Lauderdale, FL
| said by jap:
  Seems a lame faux-security move for Comcast to block 25.
It's not about security. It's about preventing direct MX which has been historically abused by spam bots running on compromised machines. |
|
NormanS Premium,MVM join:2001-02-14 San Jose, CA kudos:9
| reply to JohnInSJ
said by JohnInSJ:
  Comcast's rule, per the post title, is that they will block port 25 on residential accounts.
  Am I in the wrong thread?
No, but I was sucked away from the OP's concerns by my own obstinacy.
OP wants to test an off-Comcast network SMTP server, and definitely should get a business-class account for that purpose.
-- Norman ~Oh Lord, why have you come ~To Konnyu, with the Lion and the Drum |
|
NormanS Premium,MVM join:2001-02-14 San Jose, CA kudos:9
| reply to jap
said by jap:
  Seems a lame faux-security move for Comcast to block a few single ports just because they're the supposed registered port for some given function.
It isn't lame; it is quite effective. From my own SMTP logs, back in 2002 (when SBC implemented port 25 blocking), I saw SBC drop from being the single, largest U.S. source of spam attempts to my accounts to near dead last.
-- Norman ~Oh Lord, why have you come ~To Konnyu, with the Lion and the Drum |
|
NetFixer From my cold dead hands Premium join:2004-06-24 The Boro
| reply to jap
said by jap:
  said by pclover:
    All email to email server communicates over port 25 AFIK for SMTP.
  It's the historically agreed upon default, yes, with 26 & 587 being long established alternates. I've been running my outbound mail through pobox.com's SMTP service since the late 1990s on 587. Seems a lame faux-security move for Comcast to block 25.
You are confusing SMTP with Mail Submission; there is a big difference. SMTP always uses port 25, and no authentication is required. A properly configured mail submission server (which can use port 26, 587, 1025, or whatever port the server is set up for) on the other hand "should" require authentication. It is the unauthenticated SMTP traffic that is the target for Comcast's port 25 block; a few improperly configured mail submission servers (that only allow the use of port 25) are simply collateral damage.
It is no more a "lame faux-security move" than the act of locking your doors, windows, and fence gates.
-- A well-regulated militia, being necessary to the security of a free State, the right of the people to keep and bear arms shall not be infringed.
When governments fear people, there is liberty. When the people fear the government, there is tyranny. |
|
JJV Premium join:2001-04-25 Seattle, WA
| reply to pclover
I received this warning Jan 8. My security cameras were using port 25 to send motion detected pictures.
Dear Valued XFINITY® Internet Customer,
We care about your email security when using our network. On August 1, Comcast announced that for security reasons we will no longer support the use of port 25 for sending email from programs like Outlook or Apple Mail. It appears that your computer is using port 25 to send email. A port is a connection through which information flows from a program on your computer, from another computer in a network, or to your computer from the Internet. Port 25 is an unsecured port, and it is increasingly used to send spam emails through malicious computer programs called malware. These spam emails are usually sent by computers that have been infected by viruses, and as a result, most users are unaware that their computers are sending spam. By no longer supporting port 25 to send e-mail, this will help prevent your computer from sending spam without your knowledge. |
|
jap Premium join:2003-08-10 038xx 1 edit
| reply to NetFixer
said by NetFixer:
  You are confusing SMTP with Mail Submission...
Thank you for the explanation. It makes sense: submit to SMTP server on port xxx (commonly 25, 26, or 587) but SMTP serves into formal mail system always on 25.
Now if in 1990 we had made it globally legal to publicly execute spammers and the CEOs of the corps they worked for we would have saved billion$, countless hours of hell, and all just email each other directly. Ah well. |
|