Comcast inbound mail broken to Exchange 2007 on Windows SBS 2008 behind Cisco ASA5505

After nearly 2 years of uninterrupted service, email stopped flowing in or out of our Exchange Server 2007 which sits on a Comcast cable connection behind a Cisco ASA5505. I started digging and reading, especially here, and decided to try switching the send connector to port 587. Outbound mail started flowing.

However, after testing open port connectivity, firewall settings, and server settings for 2 days, I have concluded inbound mail on port 25 is not going to happen. I have called Comcast 3 times and they tell me (a) there is nothing blocked, (b) their security might stop traffic on port 25, (c) incoming mail should be on port 110 (POP!?!?!).

I need some sane advice on how to approach this. The port checker doesn't even see port 25 activity if I pull the ASA5505 off the network and go through a puny linksys router (wrt54g) or just have a PC plugged straight into the cable modem. Many other common ports are reported as blocked when I try to test them as well, so I'm floundering at this point.

Shannon MollenhauerAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

try telnet to port 25 from outside using telnet from the command prompt:
telnet 25
telnet 587

You can test it internally as well, just use your server IP or local DNS name...
The problem is that when you have a single problem - mail flow, You've then compounded the problem by changing the ports your server listens on for email.

Port 587 is used almost exclusively for for clients to connect to the server for sending email. Server-to-server communication is done on port 25.  Usually, you'd create two receive connectors, one that listens on 25, the other listening on 587.

So, once you can telnet to your server locally on port 25, then do it from outside your firewall, plugged into one of the ports on your cable modem.  If you can do it from the modem itself, try it from somehwere else on the internet... or post the mailserver url here and I'll let you know if I can access it remotely.

What were the troubleshooting steps that you took that led you to the conclusion that mail flow was being stopped by the Comcast connection?
Shannon MollenhauerAuthor Commented:
I can telnet to the mail server on 25 and always have. Telnetting from the outside is not easy because we have DHCP and use DYNDNS to keep our IP up to date. Maybe something is out of whack with the MX records.

I will attach my ASA acl also, so you can see if my filters and forwards are right. Maybe I've messed that up in all this troubleshooting too.

When I disconnected everything from the cable modem and just plugged a laptop into it, I still couldn't get open port checker to confirm port 25 open. This along with the other tests of no firewall, just router led me to believe it is Comcast.

Our domain is The current ip is

I only created a 587 send connector and did not change the receive connector. Then I started adding more on both send and receive to try to resolve this issue. I had to check Basic Authentication on the send smart host connector but didn't think that was used on the inbound receiver.

I'm wondering if inbound authentication settings are wrong. We just have it set to Basic.
Cliff GaliherCommented:
If you are using DynDNS and Comcast is saying their security may be blocking port 25, that tells me you are using a residential account for business purposes. Besides being against Comcast's service agreement, which you signed when you spsigned up for service. comcast and others (cox,charter, etc) have indeed been blocking server ports on their residential accounts to prevent exactly this kind of misuse. Be happy thatisallthey are doing.technically they ca disconnect your service altogether or even sue you for the difference in cost between their residential and business cost for months going back, all u dee the breach of contract clauses do their service agreement.

The legal, easy, and safe solution is easy (and by Experts Exchanges terms of use policies, illegal methods cannot be discussed); upgrade to a business class service. You will get a static IP and they don't block port 25.


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Big Business Goals? Which KPIs Will Help You

The most successful MSPs rely on metrics – known as key performance indicators (KPIs) – for making informed decisions that help their businesses thrive, rather than just survive. This eBook provides an overview of the most important KPIs used by top MSPs.

<<<<<Here are my results>>>>>
C:>telnet 587
421 4.3.2 Service not available, closing transmission channel

Connection to host lost.

C:\>telnet 25
Connecting To not open connection to the host, on port 25: Connect failed

So, I can hit your server on port 587 - however,  your server is not configured properly to receive mail on that port.
Port 25 does not appear to be open to your host.  If you are indeed using a residential account for business purposes then you need to make some changes to your hosting agreement... If it is a business account, then I would get a static IP because perhaps Comcast is filtering port 25 for Dynamic assigned addresses.

Your MX record looks good.
<<<<<MX>>>>>    MX preference = 10, mail exchanger =     internet address =
Shannon MollenhauerAuthor Commented:
We are waiting for comcast to install business class service to see if it solves the problem. Tech support continues to claim they are not blocking any ports.
Seems like overkill if the issue is the server or the firewall.
Shannon MollenhauerAuthor Commented:
Comcast screwed up our order and gave us a dynamic IP so I can't finish restoring our mail routing to the in-house server until sometime next week (I hope they get it right by then).

Since we are running a Windows SBS 2008 box in a home office, and are adding more applications that will be hosted in-house for our field staff to access, paying for static IP and business-class SLA is not overkill and does not risk violating the terms of service.

I will test the port 25 settings with and without a firewall in place as soon as I get static IP and am ready to restore local mail services. For now I'm using Google hosting (thankfully I had that configured but not activated a while back "just in case" something like this came up). I'll update results and assign solution points ASAP.
Shannon MollenhauerAuthor Commented:
It was definitely Comcast. The business class service with a gateway works just fine. The only thing I have to deal with now is configuring port forwarding at the gateway to my firewall. Before the conversion, no amount of port configuration would work. Points go to the contributor who recognized it was not getting to my CPE due to ISP filtering.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.