Local DSL's block outgoing to mail.mydomain.com?


#1

Hi;

Working with some of my domain email users it has become clear that SBC and perhaps other residential DSL providers (Earthlink?) block outgoing traffic from folks’ homes to mail servers other than servers on their own networks. (NOTE: I have tested the same domains using biz class DSL and up and mail.mydomain.com works fine.)

Are other folks’ experiences similar?

The workaround is simply to use the SMTP servers provided by the DSL company, but I think it makes folks nervous NOT to be able to use mail.mydomain.com as their outgoing SMTP server. Maybe it's just a control issue and there's no real technical benefit to using mail.mydomain.com?

Any thoughts?

TIA;

ByOsmosis


#2

DreamHost offers an alternative SMTP port, 587 which allows you to bypass those blocks.

digitalrundown.com
Promo Code: WJD97 - $97.00 off any new DreamHost plan (except month-month payments).


#3

Very slick. Are there any known problems or limitations with this approach?

Thanks again,

ByOsmosis


#4

None at all, using port 587 is functionally identical to using the default SMTP port, 25.

Port 25 blocking is a spam-prevention measure, by the way; one that most large consumer-level ISPs use for dialup, cable, and DSL accounts, usually those with dynamic IP addresses.


If you want useful replies, ask smart questions.


#5

Changing the port number just changes the layer 4 address of the IP, so it's nothing different, as long as both sides can handle it; AKA, if the server is set to listen on port N, the client can also use port N to connect. No problem, other than if your ISP blocks certain ports, which they seem to.


#6

FYI, I always have to remind myself why port 587 works and why it's not blocked as well; after all, it seems like a crazy workaround, right? Did SBC etc. just forget to block it too?

Well, no. When a mail server is trying to deliver mail to your final address it will usually contact the mail server(s) listed for your domain (in the DNS MX record) on port 25, using the ol' SMTP protocol. SMTP mail servers typically accept incoming mail for their domain from remote agents without any authentication; that's how it's supposed to work. Although, with the advent of spammers, they often restrict agents connecting to them via RBLs (realtime black hole lists) that tell them the IPs of machines that are compromised, untrustworthy or used by known spammers.

However, when you, as a user, contact a mail server you are not (typically) delivering it to the final destination domain; your server will do that for you, or at least get the process on the way. To connect to a mail server to do this usually requires an account with a specific server (username and password), or being attached to it physically (via a DSL line, say) or logically (via a VPN). Any server that doesn't implement such restrictions is likely to be categorized as an "open relay" and will quickly get itself banned from delivering email via the RBLs that are widely used.

So, port 587 works because, unlike port 25, it is not the port connected to for the final step of delivering email to a domain. Port 587 will be used for initiating mail transfer, and the mail server will require an authenticated login before it will even talk to you. After that it assumes you are a trustworthy known user, with legitimate access to deliver mail locally to the domain(s) the server represents, or remotely to somewhere else.

Hence, if your machine is compromised by spam bots, viruses, spyware etc., unless it knows your mail account passwords it is not going to be able to randomly connect to email servers on port 587 and deliver spam to them, which it could on port 25 if it wasn't blocked. Of course it is possible the malicious software has found your password (especially if it installs a keyboard logger or decrypts your Outlook settings), but this is so far MUCH less common than the machine being compromised by a dumb spam bot in the first place.

Finally (hopefully all this is useful to someone; hey, I just like to type!), if a spammer knows a user/pass for a mail server it is likely they will be able to reach it from your machine on port 587. In this case they can still take over your home machine, circumvent port 25 blocking to send spam via that server on port 587 and effectively use it as a relay. However, the volume of email/traffic typically generated by spammers would hopefully quickly get them shut down. One can only wonder just how many compromised mail server accounts there are out there for use in this way.

And the obligatory discount coupon/code:

TECHTIMEMAX - for the maximum discount on DreamHost accounts - in most cases $97 off. You can’t get better than that!
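The port 25 versus port 587 policy difference described in the post above, as an added worked example that is not part of the original thread and not DreamHost's mail configuration. It is a toy in-memory SMTP server model with two listener policies: the MX port accepts unauthenticated delivery only for its own domains and refuses to relay, while the submission port refuses to start a mail transaction until the client has authenticated. The domain mail.mydomain.com is taken from the thread; the account, password, peer hostnames and remote domains are made-up placeholders. Each scenario function returns the server's reply to the decisive command so the exchange can be checked.

```python
import base64

# Constructed example: a toy model of the two SMTP listener policies discussed
# in the thread. Not DreamHost's mail server; the account, password and remote
# hostnames/domains below are made-up placeholders.
LOCAL_DOMAINS = {"mydomain.com"}                  # domains this host is the MX for
ACCOUNTS = {"user@mydomain.com": "s3cret-pass"}   # assumed submission credentials

MX_PORT, SUBMISSION_PORT = 25, 587


class SmtpSession:
    """One client connection; send() returns the server's reply line to a command."""

    def __init__(self, port):
        self.port = port
        self.greeted = False
        self.authenticated = False
        self.sender = None
        self.transcript = []   # "C: ..." / "S: ..." lines, for reading the exchange

    def send(self, line):
        reply = self._handle(line)
        self.transcript += [f"C: {line}", f"S: {reply}"]
        return reply

    def _handle(self, line):
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.greeted = True
            return "250 mail.mydomain.com"
        if not self.greeted:
            return "503 Send HELO/EHLO first"
        if verb == "AUTH":
            return self._auth(arg)
        if verb == "MAIL":
            # Submission port: no transaction starts without authentication.
            if self.port == SUBMISSION_PORT and not self.authenticated:
                return "530 Authentication required"
            self.sender = arg
            return "250 OK"
        if verb == "RCPT":
            if self.sender is None:
                return "503 Need MAIL command first"
            rcpt_domain = arg.rstrip(">").rpartition("@")[2].lower()
            if rcpt_domain in LOCAL_DOMAINS or self.authenticated:
                return "250 OK"
            # Port 25 accepts final delivery only; relaying would make us an open relay.
            return "554 Relay access denied"
        if verb == "QUIT":
            return "221 Bye"
        return "502 Command not implemented"

    def _auth(self, arg):
        # Only the submission port offers AUTH; the MX port has no use for it.
        if self.port != SUBMISSION_PORT:
            return "502 AUTH not offered on this port"
        mech, _, blob = arg.partition(" ")
        if mech.upper() != "PLAIN":
            return "504 Unrecognized authentication type"
        try:
            _authzid, user, password = base64.b64decode(blob).decode().split("\0")
        except (ValueError, UnicodeDecodeError):
            return "501 Malformed AUTH PLAIN response"
        if ACCOUNTS.get(user) == password:
            self.authenticated = True
            return "235 Authentication successful"
        return "535 Authentication credentials invalid"


def auth_plain(user, password):
    """Encode SASL PLAIN the way a client sends it: NUL user NUL password, base64."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()


def mx_delivery():
    """A remote MTA delivering inbound mail on port 25: no auth needed."""
    s = SmtpSession(MX_PORT)
    s.send("EHLO mta.example.net")
    s.send("MAIL FROM:<someone@example.net>")
    return s.send("RCPT TO:<user@mydomain.com>")          # 250 OK


def spambot_relay_attempt():
    """A bot on port 25 trying to relay through us to a third-party domain."""
    s = SmtpSession(MX_PORT)
    s.send("HELO pwned-pc")
    s.send("MAIL FROM:<user@mydomain.com>")
    return s.send("RCPT TO:<victim@elsewhere.org>")       # 554 Relay access denied


def submission_unauthenticated():
    """The same bot on port 587 without credentials: stopped before MAIL FROM."""
    s = SmtpSession(SUBMISSION_PORT)
    s.send("EHLO pwned-pc")
    return s.send("MAIL FROM:<user@mydomain.com>")        # 530 Authentication required


def submission_authenticated(password="s3cret-pass"):
    """A legitimate user (or a bot that stole the password) on port 587."""
    s = SmtpSession(SUBMISSION_PORT)
    s.send("EHLO laptop")
    reply = s.send("AUTH PLAIN " + auth_plain("user@mydomain.com", password))
    if not reply.startswith("235"):
        return reply                                      # 535 ... on a wrong password
    s.send("MAIL FROM:<user@mydomain.com>")
    return s.send("RCPT TO:<friend@elsewhere.org>")       # 250 OK: relay allowed after AUTH


if __name__ == "__main__":
    for scenario in (mx_delivery, spambot_relay_attempt,
                     submission_unauthenticated, submission_authenticated):
        print(f"{scenario.__name__}: {scenario()}")
```

The last scenario is the caveat from the post: a stolen password turns port 587 into a relay for the bot just as port 25 would be, which is why submission servers rate-limit and monitor per-account volume rather than trusting authentication alone. On a real server the AUTH PLAIN step would only be offered after STARTTLS, since the base64 blob is not encryption.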