Solved

Unblocking SMTP

Posted on 2004-04-21
Last Modified: 2010-04-08
Our ISP currently has port 25 blocked. They say we cannot open it because the local port is a random one. How can we allow outgoing emails on our servers, while not requiring the opening of a large number of ports? This is a Cisco PIX515
Question by:dcman99
12 Comments
 
LVL 23

Accepted Solution

by: Tim Holman earned 250 total points
Sounds like complete and utter bull to me!
Instructions how to setup an internal mail server so that it can send and receive mail via the PIX are here:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094466.shtml

Local server port is NOT random - it will always be port 25 talking to port 25 on another mail server, followed by renegotiations on higher ports that are covered by the state table.  
I would advise 'no fixup smtp' on this PIX, as this is well known to cause issues with Exchange.
 
LVL 13

Assisted Solution

by: td_miles earned 250 total points
I need to correct Tim on one thing: the source port on the sending server will NOT be port 25. It will be a random high port. The destination port on the receiving server will always be port 25.

Other than that, everything else is correct and his advice on what to do is good.

"fixup smtp" doesn't just break Exchange, it causes problems with Lotus Domino as well. I just turn it off all the time now to save any problems. Does anyone have a situation where they are using it and find it helpful?

The ISP sounds like they don't know what they are talking about...
 
LVL 4

Expert Comment

by:hawgpig
I'm not an e-mail expert by far, but correct me if I am wrong....doesn't mail go out on a POP3 port 110? I know incoming mail comes in on port 25, but I always thought that outgoing was port 110....guess I need to read up on my Exchange....

FYI, the PIX uses the fixup protocol to "inspect" traffic coming in on port 25 to see if it is actual e-mail; if it is not, it shuts down the connection. Since Exchange uses ESMTP instead of SMTP, the PIX has a hard time distinguishing traffic. That is why we turn off the SMTP fixup protocol if we are using Exchange, etc. If the server on the inside is running regular SMTP....keep the fixup protocol turned on....it will prevent e-mail specific attacks.....
 
LVL 79

Expert Comment

by:lrmoore
Agree with td that your ISP is blowing smoke up your a...
Why would an ISP purposely block SMTP for a business-class service? If it is not a business service but rather a consumer priced service, then they have every right to block outbound email as well as inbound email to servers. What's in your service agreement?
I would definitely fire that ISP and get service elsewhere.
 
LVL 23

Expert Comment

by:Tim Holman
Hawgpig - from a mail server perspective incoming mail hits SMTP port 25. Outgoing mail talks to SMTP port 25 on mail servers out in the wild.
From a client perspective, users can retrieve POP3 email by talking to a server running POP3 on port 110.

Author Comment

by:dcman99
I just wanted to make a clarification on my original question. The reason our host says they cannot open the mail ports is because they have filters set up to prevent the ongoing DoS attacks that hit our servers. These filters, I guess, block the mail ports that we need to use for the PHP mail function. Here is the email from our web host:

---
If we go ahead and unblock ports, the DOS will resume.  They are still
attacking your servers.

If you would like us to remove the filters so you can mail and use your
PHP functions, please let me know.  That being said, once the filters are
removed, your servers will have to handle the DOS attack.
---

My question is... Is there a way to unblock these mail ports without leaving them vulnerable to the DoS attacks? Is there any way to just unblock the outgoing traffic through these mail ports, but keep the incoming DoS traffic blocked? It just doesn't sound right that our mail functions have to be rendered useless to block the DoS attacks. Any suggestions?

Thanks
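As an added illustration (not code from this thread, and not Cisco PIX configuration) of td_miles's point that outbound mail goes from a random high source port to destination port 25, and of dcman99's follow-up question about letting outgoing mail through while still dropping unsolicited inbound traffic: a toy stateful firewall in Python. The addresses, ports and packet sequence are constructed for the example.

```python
# Added illustration (not PIX configuration or any poster's code): a toy stateful
# firewall showing why outbound mail needs no inbound port-25 opening.
from dataclasses import dataclass
from typing import List, Set, Tuple

INSIDE_MAIL = "10.0.0.25"        # constructed: the internal mail server behind the firewall
EPHEMERAL = range(1024, 65536)   # assumed ephemeral (client-side) source-port range


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool          # True for a new-connection attempt (TCP SYN)
    from_inside: bool  # direction relative to the firewall


class StatefulFirewall:
    """Permit new outbound SMTP, record the flow, admit only its replies."""

    def __init__(self) -> None:
        self.state: Set[Tuple[str, int, str, int]] = set()  # (src, sport, dst, dport)

    def filter(self, p: Packet) -> str:
        if p.from_inside:
            flow = (p.src, p.sport, p.dst, p.dport)
            # Our mail server talks FROM an ephemeral port TO port 25 on the remote MX.
            if p.syn and p.dport == 25 and p.sport in EPHEMERAL:
                self.state.add(flow)
                return "allow-new-outbound"
            return "allow" if flow in self.state else "deny"
        # Inbound packets are admitted only as replies to a flow we initiated;
        # unsolicited SYNs to port 25 (including spoofed-source DoS) are dropped.
        if (p.dst, p.dport, p.src, p.sport) in self.state:
            return "allow-reply"
        return "deny-inbound"


def simulate() -> List[str]:
    """Run a constructed packet sequence through the policy and return the verdicts."""
    fw = StatefulFirewall()
    packets = [
        Packet(INSIDE_MAIL, 40123, "198.51.100.10", 25, True, True),    # we open SMTP to a remote MX
        Packet("198.51.100.10", 25, INSIDE_MAIL, 40123, False, False),  # the MX's reply comes back
        Packet("203.0.113.7", 51515, INSIDE_MAIL, 25, True, False),     # unsolicited SYN to our port 25
        Packet("198.51.100.10", 25, INSIDE_MAIL, 40124, False, False),  # forged reply on an unused port
    ]
    return [fw.filter(p) for p in packets]
```

The state table is what lets the remote server's replies back in, so the ISP could keep new inbound connections to port 25 filtered and still permit the server's outbound mail.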
 
LVL 4

Expert Comment

by:hawgpig
Sure,
Just block the IP addresses doing the attack....Why would they filter port 25 and not block the attacking IPs???? Is your server updated?? Is Exchange updated??? Are all critical updates complete?? Man, that makes no sense. Are there hundreds of IP addresses attacking your mail server....if it is only 10 or 20, block those addresses at your border router and reopen port 25.....
What type of DoS attack were you getting???
 

Author Comment

by:dcman99
The DoS attack is from many random spoofed IPs.
 
LVL 11

Expert Comment

by:PennGwyn
Many ISPs block outbound port 25 to force their customers to use the ISP's SMTP server.  This makes it very hard for clients to send out spam and email viruses, and is a Good Thing -- for residential-class service.  If you have business-class service, your email server should be an exception to this rule; failing that, set your email server to relay all outbound traffic (except for your own domain) via the ISP's server, and move on.
 
LVL 20

Expert Comment

by:What90
dcman99,

Who's the ISP?
Over in the Exchange forums a number of folks have been told they're on a "business" network, usually xDSL, and have found out that port 25 traffic is blocked unless they use the ISP as a smart relay. They get very upset if you try to find a way around them and may even terminate your connection, as a breach of contract.

Basically these are not business class ISPs, they are home user ISPs and suffer from script kiddies and poor user knowledge which floods their networks.

As already mentioned, if this is the case, swap to another ISP.