Ask Slashdot: Is There a War Against Small Mail Servers?
softegg writes "My company hosts our own mail server. We have high-speed business connections through Verizon and Comcast. Recently, Verizon and Comcast have been blocking port 25, causing our private mail server to stop functioning. Additionally, a lot of ISPs just started blocking any mail coming from any IP in the address block of cable modems. This caused us to start laundering our mail through a third-party service called DNSExit. Now, McAfee's MAPS anti-spam system tells us they are blocking DNSExit for spam. Essentially, we are finding ourselves increasingly cut off from sending any outgoing mail. What is a small company supposed to do if you want to host your own mail?"
Most ISPs block outgoing port 25 because 99.99% of that traffic is viruses or otherwise malicious computers trying to send spam. Even more mail services block all dynamic pools used by major ISPs for the same reason.
Just invest a few bucks a month into a cheap hosted VPS behind a static IP where you can run the server.
I'm sorry, I only accept criticism in the form of sed expressions.
Switch the port to something ambiguous. It would cost nothing more than a company-wide e-mail to change your Outlook e-mail settings. If they use Exchange, simply change the Exchange settings for everyone.
Nothing you're going to do about it; thankfully, outsourcing mail is very cheap and more secure than running your own. Especially the bandwidth saved by not having spam enter your office.
If your ISPs (Verizon and Comcast) are blocking port 25 outbound it doesn't sound like they think you have a "Business" connection. Check your contract/TOS for any provisions that would prevent you from running a server (common for residential cable connections but not for business) and if there isn't one, call and complain. If they won't unblock port 25 for your mail server (assuming it's properly configured) you need to find a new ISP.
Comcast's idea of the Internet is an increasingly detached 'consumer endpoint' version of the Internet. If you're not in a rural area, then find a true Internet provider and move on.
You have options. Rent a small server in a co-lo just for mail OR get a Business Internet Connection, as those don't block mail, at least none that I have dealt with. I've had Bright House(Time Warner) Business AND Verizon FIOS Business with a static IP, both allow port 25 out and let me configure the reverse DNS for my IP address.
You should then be all clear.
~Matt
I haven't had this issue with Comcast Business (static IP). Port 25 works just fine. But, some recipients don't like us.
If you want news from today, you have to come back tomorrow.
And make sure they know you want port 25 open, and otherwise be reliable. The number of spam-bots on cable modems is rather high, and there's no surprise that you get blocked. It's like how businesses don't take money over a 20. The risk is not worth the reward.
You can get a hosted (maybe only virtual) server at RackSpace & friends. Let your mail server run there, which is anyway better in terms of fault-tolerant power supply and redundant network connections. Small companies usually don't operate a 24x7 data center, so you just get better in terms of reliability, and these IP addresses should not be black-listed anywhere.
Over here in Australia quite a few ISPs will have port blocking like this turned on but they do provide you the option to disable it. It can even be done online via their user control panel.
Have you spoken to your ISPs about this issue?
(\(\
(^.^)
(")")
*This is the cute bunny virus, please copy this into your sig so it can spread
1) You are more than likely breaking the ToS of your contract by using the connection for "business" purposes.
2) Switch to a Business plan. It will cost more... such is the cost of doing business.
CS
They only (so far as I know) block ports on residential accounts.
You don't mention it, but I suspect you are using a residential class account.
I have a Comcast business account.. 2 actually.
Pay for an account where the TOS allows servers... they won't block the port.
Before I had a 2nd commercial account (at my home),
my biggest gripe was connections from my home to work
took too many hops to go 8 miles in very different IP ranges...
See if comcastbusiness.net is on the block lists you fear..
every day http://en.wikipedia.org/wiki/Special:Random
Just use google business apps for your mail. Hosting it yourself is a huge headache.
Usually when ISPs block port 25 (ostensibly because of all the botnets sending spam, a wise precaution that I advocate) they will provide a mail relay for their customers to connect to. They might not advertise it as that, but if your ISP (still?) provides a POP3 mail service, then they're going to give you an SMTP one too. Failing that, why not put a relay on any server you have in a datacenter or colocated? Configure it so only your computers can relay through it and it'll be fine.
this seems more like a casualty of war with spammers.
I came to the datacenter drunk with a fake ID, don't you want to be just like me?
I've run my own mailserver for over a decade. Its IP has changed every few years if I switch ISPs, but otherwise it remains stable. I have a static IP on a DSL line and have reverse mappings set up. I have SPF records. I've registered with a whitelist. I've done everything I can. And still nobody who uses hotmail gets email from me. And I have increasing difficulty getting email to anybody else.
And I do not believe a single spam message has ever made it out from my network. I even block outgoing port 25 for the network segment my roommates use (when I have roommates) unless I'm administrating their computers.
This whole trend is really upsetting to me, and totally broken. I never have a problem sending email to someone with a gmail.com address, and they have the best spam filtering of any email provider I've ever used. The shortcut of blocking any DSL IP is clearly unnecessary if Google can do such a good job without it.
Need a Python, C++, Unix, Linux develop
I had a customer (a small town government) recently have port 25 outbound blocked by Comcast. After going around with Comcast for a bit, it turned out that they were subscribed to a residential-class service, which has port 25 outbound blocked by an implacable policy. The only way to get the port unblocked in this case would have been to move them to a business-class service with a static IP. (Fortunately the block wasn't a big deal for them, we were just using it for automated status reporting rather than running an inhouse mailserver.)
With reasonable men I will reason; with humane men I will plead; but to tyrants I will give no quarter. -- William Lloyd
I think it should be up to ISPs to block port 25 from their own client pool. That way, you can get whitelisted by your ISP if you want to run your own mail server. If all ISPs did this, it would be an obstacle for spam. Or if there were a registry of approved mail servers, so botnet zombies on cable pools can't easily dump thousands of spam messages per day. I think it is a step in the right direction, as long as your ISP is willing to open up port 25 to users upon request.
Seriously. It's not worth it. Google/Postini does it better than you can. Pay them to be the MX record for your domain, and let it handle all of the SMTP traffic, and then spit the non-spam mail to your on-site mail server. Much better.
Running your own internet-facing mail server these days is a colossal pain-in-the-ass. Let Google do it.
Are you getting business class service from your provider? Verizon, Comcast, TWC, Cox, etc. all give unfiltered access to business customers. If you have business class service and are being filtered, call your rep or open a ticket with support and tell them to fix it. Any ISP I have ever worked with will provide you with appropriate PTR records or delegate your netblock to you, allowing you to run your own reverse DNS, which in turn allows proper MX reverse DNS verification, which in turn helps see mail accepted on the far end. Also, using SPF and/or DKIM along with a properly configured mail server are all critical to avoiding problems with blacklists and other filtering mechanisms these days.
I have Comcast business class, but I used to have Comcast at my home and both setups just required a call to customer service to ask to unblock port 25 because you're hosting your mailserver there. They're usually pretty helpful about doing what you need done - I even had them put in a reverse DNS (ptr) record for my mailserver's IP addy because some mailservers do reverse lookups to see if the IP points to a/the hostname (try "nslookup -> set q=ptr -> ip.add.re.ss" to check it) for spam control.
It is pitch black. You are likely to be eaten by a grue.
Sounds like your company is extremely cheap & stupid for not just getting a real Internet connection. I don't blame companies for straight-up blocking any mail traffic originating from blocks of cable modem IPs...it's generally a source of illegitimate spam. Tell your boss to put down the money for a T1 to use for email. Route all other traffic through your cable connection.
are inappropriate for small businesses yet continue to grow in popularity due to their heavy marketing and low cost.
Contact your local bell, or find a T1/T3 reseller, and let them know you need a fractional leased line. The cost is higher, but you get a real service level agreement to which the provider is contractually obligated.
Using a dedicated/shared server for email hosting has its drawbacks. The shared server may become overloaded by spammer accounts and other users, and it's generally not a priority for most hosting companies as they get very little money off a shared hosting sale. Dedicated hosting is just as bad because you're commonly forced through one relay host, or a set of relay hosts that routinely become overwhelmed by spammers on your provider's other dedicated hosting boxes. The dedicated and shared boxes are also notorious for floating in and out of various blacklists and sender reputation services, so you can expect mail to break down about once every few weeks.
Good people go to bed earlier.
Most mail server software is capable of routing the outbound mail through the ISP's mail server in such a way that it gets listed as the origin. You get to keep running your mail server, but the spam labelling and port blocking issues all go away.
The only time this is an issue is if the ISP's mail servers do some kind of filtering or mangling, but most of the ones I've dealt with don't.
Get a VPS host, or lease a hardware host, or co-locate your equipment at a proper data center. This is karma for running NAT.
Best bet would be to use your ISP's SMTP server as a smarthost for your email server. I've had great success going this route when faced with similar obstacles as you.
Rent a dedicated server, or get your own co-location space. I have one that I pay $70 a month for with 1and1. I use 'em because I was able to install my own OS image on there, and they're generous with the bandwidth, although I'm not sure I'd run a company's e-mail server through them--the network connection can be flaky. About a year ago they went down after 5pm for an hour or so for a week or two due to a DDoS, then the last week they have been not accepting new connections (existing connections work fine) for periods of 1-3 hours during business hours. Seems to have cleared up now, and those are the only issues I can recall. Not sure if they have a multihomed network connection available for more money.
Of course, pretty much anything would be a step up from running it off a cable modem.
Anyway, rent a dedicated server, or get to a co-lo. 1U would be plenty, and shouldn't cost too much. Preferably one run by an ISP, as they have plenty of experience being on both sides of the spam issue and if you're on a nearby address space, a personal interest in keeping that address space off of spam lists.
<xml><I><am><so><damn>Web 2.0</damn></so></am></I></xml>
Are you in the business of running mail servers? If not, then odds are that another company is better at running mail servers than you. They can probably do it more reliably than you, more securely than you, and in a more cost-effective way.
If you're being paid somewhere near market salary for a tech job in the US, then you've probably spent hundreds of dollars worth of man-hours addressing these issues already. Is it worth it?
What's with the obsession with SMTP around here? Move along, it's a dying technology and being replaced fast by other means.
Gmail/Yahoo/etc.. rules all....
You can move your mail server to some other port. I use FuseMail and they use port 2500 for sending to get around this problem. You could also begin moving everyone to SSL encrypted mail over another port (463 is often used). You probably should be sending your mail encrypted anyway since virtually every client now supports SSL encrypted email for SMTP, POP3, and for IMAP.
You should be able to run your own mail server.
Pragmatically... to get your mail out, either upgrade to leased lines with your own IP allocation, or subscribe to a reputable spam filtering service that offers outbound relay and filtering of spam, e.g. Postini.
The general idea is your 'outbound filtering' service will have a good reputation for mail deliverability, and they will be able to more accurately model your mail profile and recognize spam/malicious activity than any third party not beholden to you.
My dad's server is on Business Cable and port 25 is not blocked, and we have had no issues running our mail server on that connection. Now, one thing that we did do to aid in preventing us from being blocked is requesting our 5 IPs be set up with reverse DNS entries to our domains instead of the generic "ISP looking" ones that Comcast assigns by default. You should contact Comcast and Verizon to set that up.
Also, make sure when you are testing if port 25 is "open" that you aren't yourself on an ISP that blocks 25 outbound. And make sure you set up port 587 (SMTP submission.. authenticated SMTP) so that users can send mail from any ISP.
Hostmonster for $75 a year is a very good deal. Real tech support, excellent service. I'm a customer and obviously very happy.
I'm not anti-social, I'm anti-idiot.
I've been using Google Mail (separate from GMail) for a while now for my mail needs, and it's actually working out pretty well. Better uptime and performance than hosting the server myself, and it's generally just a lot easier. Then again, you have to ask yourself if you want Google to potentially be able to see your mail.
Screw the rules, I have green hair!
Even if you have a non-cable modem IP, it can be difficult to send (opt-in) business email from a small mail server. The reason is that spam filters at major email providers like Yahoo are turning to whitelisting, and you have to contact each major provider to avoid getting your email sent straight to the spam filter.
Since the implementations of spam filters at the server level seem to vary quite a bit, I tend to avoid sending particularly important single emails through my own small email server for fear they just end up in the spam folder of the recipient.
That said, in general I wouldn't trust a business-class cable modem connection to host an email server for business purposes. Virtualized servers are commonplace now and quite affordable (I pay $15/mo for mostly personal use). Set up the backup on your own connection.
"The universe seems neither benign nor hostile, merely indifferent." --Carl Sagan
Comcast and Verizon are reacting by shutting you down...you have to beg to get it restored from what I understand...
There is no good solution for most of us other than to just relay through Comcast's SMTP server.
Comcast's user networks are in the subscriber block lists of many RBLs; however, typically business class accounts are exempted from these lists.
For outgoing mail, if you can't send directly your best bet is to configure your SMTP server to relay all messages through Comcast's smtp.comcast.com, which is less than ideal.
Comcast runs with aggressive DNS timeouts and their mail system does not properly translate a DNS timeout to a temporary condition. This sometimes causes emails to valid destinations in distant countries with slower links to bounce.
I host my personal server with a Mosaic forum (Mosaic and Stained Glass.org) out of a CoLo in Florida. It's not the cheapest solution but I do get 100% access to the server to do what I want and a reasonable time on reboots when necessary.
Still, Microsoft will randomly block my mail for a month at a time with no recourse. I've attempted to contact them but they send me to a troubleshooting page which tells me I'm configured correctly but they still won't accept email. This wouldn't be too bad of a problem except that other ISPs use them to manage their e-mail. So I can't get any e-mail to Shaw.ca or AT&T in Canada. They don't even have a whitelist option for their users.
And there are a few smaller ISPs in the US that use anti spam blocking sites that don't have any way to let them know that I'm not spamming.
Most others though have contact information in their bounce and I've used it to check the various sites in the block list, then forward the results to the postmaster at the offended site. Then I get it opened up for the folks on the forum.
Heck, one ISP replied that I needed to get in touch with them and their Postmaster account won't accept further e-mail. I had to send them a note from my Yahoo account. Then they said it was a problem with my ISP and they should fix it. My ISP had no idea what they could do to fix it.
Even the company I work at, who uses MX-Logic can't receive e-mails from me because I'm not able to convince MX-Logic I'm not a spammer.
On the plus side, if I did want to spam Microsoft, they have a program where if I pay them, they'll open their servers up so I can send e-mail to their clients.
I'm not doing any real business on the server. I have my consulting website there but traffic is pretty much non-existent. The biggest impact is when the forum folk try to send the other folks e-mails (the PM notifications). I have a note in the Site Agreement to let folks know on shaw.ca, frontier, and the others that they might want to use a Yahoo e-mail to manage their forum account.
[John]
Shit better not happen!
The tough get carrier pigeons.
Every time you call tech support, a little kitten dies.
CableOne has blocked outgoing mail for years. It's annoying to have to reconfigure your mail program every time you travel somewhere. And it hasn't stopped the flow of prescription drug e-mails and Nigerian-ish scam e-mails. Hell, if all of those e-mails from barristers in foreign countries telling me a long lost relative left me several million dollars were real, I could buy that 30,000 acre ranch in western Wyoming...and a helicopter. And why is it always a seven-figure inheritance? Wouldn't more stupid people believe $20,000?
Get a VPS. You can get one for $20/month and set up a full e-mail server on it. You'll get better hardware and better connectivity than your own server. Your IP will be seen as coming from a data center, not a cable modem pool of addresses. You can also host your own website, and leave the server you have at your office for internal things only. For mail access, just set up IMAP and SMTP with TLS, with the latter on port 587 (known as the submission port) which is generally not blocked like 25 is.
Being that I set up SBS 2003 and SBS 2008 boxes, let me explain what you really need to make it work.
1. A business class ISP subscription. Along with this classification, you get a netblock of IP/s that (usually) won't be preemptively blacklisted by SORBS (I hate them).
2. Reverse DNS (PTR) record. Not having one is almost guaranteed to get your sent e-mails blocked. Getting one created is easy as pie if you subscribe to a business class ISP.
3. SPF record. There are many online wizards to help you create one. My favorite is from Microsoft.
4. DNS that will host TXT records. Needed for that SPF record you just created.
Once all completed, be sure you test out your handiwork over at http://www.mxtoolbox.com/. Good luck.
Life is not for the lazy.
Depending on the amount of email you want/need to host, you could turn to a vps like Linode. I have a few small servers with them and their performance is great. There is a small cost associated with it but that is probably well worth it considering you are obviously posing potential important emails.
1) Get a static IP address for your mail server if you don't already have one. Many mail servers use DNSBL blacklists that distrust anyone with a Dynamic IP address.
2) Get your ISP to configure Reverse DNS for your mail server's IP address. Many mail servers reject mail because Reverse DNS isn't configured properly.
3) Make sure your server is set to not run as an open relay.
4) Have proper abuse@ and postmaster@ e-mail addresses so e-mail providers who claim to have spam complaints against your domain can actually send them to you.
5) Set up an SPF record (openspf.org has a great wizard for this) for your domain. SPF records basically specify which mail servers are allowed to send mail from your domain. This will help cut down on spammers spoofing e-mail addresses at your domain and increases the odds of legit e-mail not being marked as spam.
Not all of these will guarantee delivery of any e-mail, but they can certainly improve the odds.
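The two checklists above (business-class IP, PTR record, SPF record) can be verified mechanically before mail ever leaves the server. The script below is an added example, not code from any poster: it runs forward-confirmed reverse DNS, flags a "generic ISP-looking" PTR name, and evaluates a simple SPF record (ip4/a/mx/all mechanisms only) against a constructed, embedded DNS table so it runs offline. Domain names and addresses are placeholders.

```python
"""Pre-flight deliverability checks for a small outbound mail server:
forward-confirmed rDNS (PTR), generic provider PTR names, and SPF.

All DNS data is CONSTRUCTED below so the script runs offline; the
names and addresses are placeholders, not real hosts.
"""
import ipaddress
import re

# Constructed zone data: (qname, qtype) -> answers.
DNS = {
    ("mail.example.test.", "A"): ["203.0.113.25"],
    ("25.113.0.203.in-addr.arpa.", "PTR"): ["mail.example.test."],
    ("example.test.", "TXT"): ["v=spf1 mx ip4:203.0.113.0/29 -all"],
    ("example.test.", "MX"): ["mail.example.test."],
    # A host on a dynamic pool: provider-style PTR, no SPF for its domain.
    ("c-198-51-100-7.dyn.isp.test.", "A"): ["198.51.100.7"],
    ("7.100.51.198.in-addr.arpa.", "PTR"): ["c-198-51-100-7.dyn.isp.test."],
}


def lookup(name, qtype):
    """Resolve against the embedded table (swap in a real resolver here)."""
    fqdn = name if name.endswith(".") else name + "."
    return DNS.get((fqdn, qtype), [])


def fcrdns(ip):
    """Forward-confirmed rDNS: a PTR name must resolve back to the IP."""
    ptrs = lookup(ipaddress.ip_address(ip).reverse_pointer, "PTR")
    return any(ip in lookup(p, "A") for p in ptrs), ptrs


# Heuristic for provider-assigned names such as c-1-2-3-4.dyn.isp.test.
GENERIC_PTR = re.compile(r"(\d{1,3}[-.]){3}\d{1,3}|\bdyn|\bpool\b|\bcpe\b|dhcp")


def looks_generic(ptr):
    return bool(GENERIC_PTR.search(ptr.lower()))


def spf_authorizes(domain, ip):
    """Minimal SPF evaluation: v=spf1 with ip4, a, mx and all mechanisms.
    Returns pass/fail/softfail/neutral/none/permerror like RFC 7208."""
    records = [t for t in lookup(domain, "TXT") if t.startswith("v=spf1")]
    if len(records) != 1:
        return "none" if not records else "permerror"
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qual = "+"
        if term[0] in "+-~?":
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = ip in lookup(arg or domain, "A")
        elif name == "mx":
            matched = any(ip in lookup(mx, "A")
                          for mx in lookup(arg or domain, "MX"))
        else:
            return "permerror"  # include:, exists:, macros not modelled
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qual]
    return "neutral"


def preflight(domain, ip):
    """Return the list of problems a receiving MTA would likely hold against
    mail from `ip` claiming to be from `domain` (empty list = looks clean)."""
    ok, ptrs = fcrdns(ip)
    problems = []
    if not ptrs:
        problems.append("no PTR record")
    elif not ok:
        problems.append("PTR does not resolve back to IP")
    if any(looks_generic(p) for p in ptrs):
        problems.append("generic ISP PTR name")
    spf = spf_authorizes(domain, ip)
    if spf != "pass":
        problems.append(f"SPF result {spf}")
    return problems


if __name__ == "__main__":
    for dom, ip in (("example.test", "203.0.113.25"),
                    ("isp.test", "198.51.100.7")):
        print(dom, ip, preflight(dom, ip) or "OK")
```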
Poster....the answer to your question is simple....first off...purchase BUSINESS service from Comcast (or ATT)........do not use personal service, which is what you are using and why you are being blocked....nothing against small businesses but it is against businesses trying to use the home service for business....or actually to keep spammers from abusing their network.
SO if you buy business service you can have your own MAIL server no problem...mine is running on a Mac Mini Server about 15 feet behind me.
The problem you're having is that your level of service and ToS prohibit you from running a mail server.....and they enforce this by only allowing you to send via their mail servers......
Sorry about it...but if you want to play.....you must pay. Plain and simple.
Unencrypted, open authentication SMTP on 25 is dangerous and can get you on a blacklist easily.
Use SMTP AUTH combined with SSL (465) and/or TLS (587).
Forward port 25 to the SSL one; that's how we do it at the company where I work. Port 25 is blocked because of spam.
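The policy the comment above describes (AUTH only over TLS, no relaying for unauthenticated sessions) can be written down as a small command/response model. The following is an added example, not the commenter's setup nor Postfix code: a constructed submission-server state machine with no sockets and no real TLS handshake, using placeholder credentials and domains. `Submission(require_tls=False)` models the lax configuration the comment warns against, where AUTH PLAIN is accepted in clear text on the wire.

```python
"""Policy model of an SMTP submission server (port 587).

Hardened behaviour: AUTH is advertised and accepted only after STARTTLS;
RCPT to a non-local domain is refused unless the session authenticated
(so the host is not an open relay). Constructed simulation, not a product.
"""
import base64

LOCAL_DOMAINS = {"example.test"}      # domains we accept inbound mail for
USERS = {"alice": "correct horse"}    # constructed submission credentials


class Submission:
    def __init__(self, require_tls=True):
        self.require_tls = require_tls  # False = the insecure variant
        self.tls = False
        self.user = None
        self.mail_from = None

    def _auth_plain(self, blob):
        """AUTH PLAIN initial-response form: base64("\0user\0password")."""
        try:
            parts = base64.b64decode(blob, validate=True).split(b"\0")
            _authzid, user, password = (p.decode() for p in parts)
        except ValueError:
            return "501 5.5.2 malformed AUTH PLAIN response"
        if USERS.get(user) == password:
            self.user = user
            return "235 2.7.0 authentication successful"
        return "535 5.7.8 authentication failed"

    def handle(self, line):
        """Process one client command line and return the server reply."""
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            exts = ["250-mail.example.test", "250-SIZE 10485760"]
            if not self.tls:
                exts.append("250-STARTTLS")
            if self.tls or not self.require_tls:   # only over TLS if hardened
                exts.append("250-AUTH PLAIN")
            exts.append("250 8BITMIME")
            return "\r\n".join(exts)
        if verb == "STARTTLS":
            self.tls = True                        # handshake elided here
            self.user = None                       # state resets after TLS
            return "220 2.0.0 ready to start TLS"
        if verb == "AUTH":
            mech, _, blob = arg.partition(" ")
            if self.require_tls and not self.tls:
                return "530 5.7.0 must issue a STARTTLS command first"
            if mech.upper() != "PLAIN":
                return "504 5.5.4 unrecognized authentication type"
            return self._auth_plain(blob)
        if verb == "MAIL":
            self.mail_from = arg.partition(":")[2].strip("<> ")
            return "250 2.1.0 ok"
        if verb == "RCPT":
            if self.mail_from is None:
                return "503 5.5.1 need MAIL command first"
            addr = arg.partition(":")[2].strip("<> ")
            domain = addr.rpartition("@")[2].lower()
            if domain in LOCAL_DOMAINS or self.user:
                return "250 2.1.5 ok"
            return "554 5.7.1 relay access denied"   # open-relay guard
        return "500 5.5.1 command not recognized"


def run_session(server, commands):
    """Feed a list of client commands and collect the replies."""
    return [server.handle(c) for c in commands]


def plain_blob(user, password):
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()


if __name__ == "__main__":
    srv = Submission()
    for cmd in ["EHLO laptop", "AUTH PLAIN " + plain_blob("alice", "correct horse"),
                "STARTTLS", "EHLO laptop",
                "AUTH PLAIN " + plain_blob("alice", "correct horse"),
                "MAIL FROM:<alice@example.test>", "RCPT TO:<bob@other.test>"]:
        print("C:", cmd)
        print("S:", srv.handle(cmd))
```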
What is a small company supposed to do if you want to host your own mail? Find a better ISP and, when you do, tell your existing ISP why you're leaving.
First question... do you have a residential or a business link? That usually changes the network preferences. As I recall most residential agreements prohibit running servers on the network to begin with.
1) Talk to your ISP and get the block removed.
2) Change registrars / DNS providers to EasyDNS. They do mail forwarding for customers. Don't bother if you send spam - they'll quickly shut you down.
3) Set up a VPS somewhere - Linode's are great. They all come with dedicated IP addresses.
4) Farm it out - let Google handle it for you.
-- "Never underestimate the power of human stupidity." - R.A.H.
1) If you're being blocked then you're hosting your mail server on IP space that Comcast and Verizon have designated as dynamic. Don't do that. Either get them to properly classify your block as non-dynamic _or_ make sure that you're really on non-dynamic space.
2) Ensure that you have proper reverse DNS configured for your server. If you have business class service, they should be completely understanding of your need to change PTR names for the IP's you use.
3) If you really are running on dynamic IP space and have no way around that (that's not painful to you), you always have the option of smarthosting your mail through the Comcast or Verizon mail servers. That's what they're there for.
Omeganon
Surrender and turn Amish!
I've run my own mail server since the .UUCP domain and comp.mail.maps. For a very long time now, we have not been accepting MUA->MTA mail on port 25. We have been using port 587 for MUA->MTA. MTA->MTA is port 25 and has been for a very long time. However, you don't try to connect to anyone else's port 25 from your cable or DSL modem unless you have set up some sort of non-home internet access and signed an AUP... Even then, chances are your cableco or telco will insist you relay through their mail server and I agree with their motives for doing so.
My mail server (a VPS on panix.com running postfix) has no trouble sending mail to anyone; including hotmail. I won't trust my cableco to relay my mail for me; ever.
Just one botnet'ed machine anywhere on your own network could have gotten you blacklisted.
Hosting mail is a lot more complicated than you think. Just don't do it. Sign up for a commercial email provider that lets you back up mail in bulk and point your MX record to them.
Sorry, but both (*) the blocking of port 25 by Comcast, Verizon et al. and (*) the blocking of incoming mail from large cable providers' IP blocks are old news.
I have been extremely happy using dyndns's SendLabs (formerly MailHop) SMTP for outgoing e-mail routing and SendLabs (formerly MailHop) Relay for incoming e-mail. My outgoing e-mail server uses MailHop as the smarthost, and they listen on port 2525 to avoid port blocking. MailHop is my MX record, and they spool my incoming e-mail and send it to port 2525, which my local mail server listens to.
The only caveat is that I had to switch to exim as my e-mail software, but if I remember correctly, they have setup instructions on the dyndns web site.
They are cheap, allow you full control over your RDNS, and will solve your problems.
"Computer games don't affect kids; I mean if Pac-Man affected us as kids, we'd all be running around in darkened rooms,
redirect all outgoing mail to your ISP SMTP server.
I have business class cable service and get preemptively blocked by an "anti spam" organization because its IP address is on a cable block. There are better ways to prevent spam but it's profitable for ISPs so they don't care. Unless we start a class action lawsuit I doubt there's much that can be done about it.
-- Programming with boost is like building a house with lego. It's a cool but I wouldn't want to live in it
Is the war beginning? That's a stupid question. They've been firing shots for years. We have a client who just got the comcastic business connection (50mb/w, 5 statics) and we cannot get anything to it via port 25. Nothing, nada. After 30 minutes on the phone they said that they aren't blocking it, so we changed the port on the firewall to redirect port 26->25 (as a test, and forwarded it that way) and it worked. When we brought this to their attention they said, we don't know why it's not working but you shouldn't change ports. After a few calls, it magically started accepting email on port 25 (with us doing nothing to the firewall). We did however map some additional ports on the firewall just in case.
We have had this problem with DSL users in the past. Most of the time it's because of RDNS, which is sometimes a pain to get the ISP to set up. I have had both good and bad luck with ATT doing this. Currently we have all of our clients just relaying through us via authenticated submission (587) and we relay to them via 25 (normally, unless their provider blocks it).
But to answer the original question, these big companies don't seem to have any rules to play by so they pretty much do what they want.
Most residential providers block port 25. Part of it is they just don't want servers on residential connections but another part is spam prevention. 99.999% of home connections have no reason to run something on 25 and if they are, it just means their system is owned and spamming.
For servers, you need a business class line, which has no restrictions. I have a business class Cox cable line at home for that reason. Lets me have static IPs, no port blocking, more upstream, and no bandwidth limits. It does cost more, but it means I can do as I wish.
Assuming the domain in question is softegg.com, then reverse DNS is indeed not setup correctly, and it is no surprise that his email is getting blocked.
If you are too small to afford a VPS or dedicated box in a datacenter, you are effectively too small to be trusted with a mail server. It sucks, but frankly, for the sake of a $30 VPS, I have absolutely no pity for people trying to push mail off even a "business" cable/DSL line. Alternately, use the SMTP relay provided by your ISP, that's what it's for!
Spam is a very complicated affair, and every decent filter checks the sender's route against various lists. Simply being on a known cable/DSL address pool is enough to knock your score up a point, and if your forward and reverse DNS don't match well enough, that's another point. On my networks, that's only another 2 points away from the Junk folder, so I hope you don't have any malformed HTML or shortened URLs in the body. If you are sending important mail, that should be reason alone to pay for a properly homed mail server.
How much business are you losing, and how much time have you wasted, fussing with mail issues ? A mail box behind a SOHO connection is a hack at best.
-Billco, Fnarg.com
Co-locate a server in a data center, lease a server from a data center, get a business class internet account, etc. etc. Here is one of several free Real-time Block Lists (RBL) that block all email coming from residential ISPs: http://www.spamhaus.org/pbl/
Unless you have people breaking down your doors, shooting anyone who gets in their way and lobbing a grenade into your server room then no, there isn't a "war" against small email servers.
Boffoonery - downloadable Comedy Benefit for Bletchley Park
Works for me.
you had me at #!
Here I am, reading between the lines, again.
The laws that apply to government having access to ISPs, to access email records, are very different than the laws that apply to your own server. It is MUCH harder to get emails, legally, from you directly (or, more specifically, your server), primarily because you probably wouldn't just hand them over like ISPs do. Secondary is the fact that they often don't want us to KNOW we are being scrutinized and a subpoena pretty much blows that particular fish out of the water.
That being said, this is more than likely the application of pressure to move everyone to ISP-controlled servers and thus make it far easier for government to access your private emails, all in the name of "spam-prevention".
Think of the kids!
My ISP blocks port 25 and I'm glad they do because it stops botted machines from setting up spam servers. The point is that if I want port 25 opened, all I have to do is ask - Have you asked Verizon and Comcast to open the port?
Waterfox - a Firefox fork with legacy extension support, security updates and better privacy by default.
What about those who send e-mails from their e-mail clients like Outlook? I send a lot of e-mails from my home PCs that use port 25 (SMTP) from Mozilla's SeaMonkey mail client. I don't like webmails.
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
Set your mail server to relay through your ISP. Most dynamic addresses are blocked via RBLs anyway. Unless your ISP provides reverse DNS of your address a good percentage of your mail will not be delivered. I've been doing this way before they started blocking the ports.
Have you tried an Outbound MailHop service such as the one from DynDNS? I am just looking into it for what I am attempting to set up, but it seems like a possibility.
I use a small local ISP. When my server got blocked because it was in a block of IPs normally assigned as dynamic, I called them, explained the situation, and they assigned me a fixed IP from another block.
Sure, I could save $20/month by using Comcast, but I talk to a real engineer who sits at a desk 60 miles from me. What's more, they actually understand what I'm talking about. When one of their routers took a dump, and I traced my failure to it, they took my traceroutes seriously and dispatched a crew.
YMMV but I get better service, support a local business, and I get the services I pay for.
Where tiers are possible in service, service is tiered. This is not new. This is good business. For residential-class service they charge X and they block the port. For business-class service they charge X + and they unblock the port. There's nothing 'unfair' here; the contract defined the tiers. You do not 'own' the network, nor the access to it. You have a contract for access to use the network, and you agreed to fine print in the contract. The fine print states that if you want to run a web server, or email server, you must purchase business-class service. Move along now. There is no story here. It has been this way
As long as you have a business associate agreement there is no problem outsourcing medical information. Hospitals and clinics routinely outsource everything up to and including electronic medical record systems.
The guy who posted this should be fired for being stupid.
If this guy is facing port 25 blocking outbound, then he doesn't actually have business class service. The rest of us can get this from Comcast just fine -- I have had a Comcast business connection myself in the past, and I currently have one from RCN Cable, from where I run my tiny little mail server, which works perfectly fine, has a dedicated IP not in a dynamic address block, isn't listed on any "dynamic" blacklists, and sends a few thousand messages a day, successfully.
McAfee and MAPS are not the same company. MAPS is owned by Trend Micro, but who gives a shit. Get out of the way of this third party relay's fight with the blacklist operator.
The underlying issue here is that his sending IP seems to be listed on various "dynamic" DNSBLs. Either in error, or because he's actually on a dynamic connection. More likely the latter. It's true that some blacklist operators are total assholes and make it very hard to get off of their lists, but this guy is probably in a dynamic address block, probably isn't supposed to run a server, and is probably appropriately listed on things like the Spamhaus PBL.
I know probably fifty people off the top of my head who run their own little mail servers. There's no war on any of us, everything is working fine. The only problem here is that this guy is an incompetent administrator.
I've run my own mail and web servers from my home for years, so I was worried about this when I was making the switch from Time-Warner cable (who didn't care, BTW) to Verizon Fios. One person I know reported that Verizon did indeed block port 25 (and port 80) inbound, while another told me his setup worked fine, once he replaced the free router they gave him with his own router.
And indeed, after making the switch, I still am able to get mail inbound on port 25. The modem/router they gave me does have controls to adjust security settings, which look a lot like Windows trusted -vs- untrusted controls. But I can't really tell if they do much. The key thing I found was to set up port forwarding to send port 25 to the machine in my internal network with the mail server. Same for port 80 to the web server.
Outbound I route through the ISP. Postfix makes that easy. I found a few years ago that certain domains I sent to, though not all of them, started bouncing mail even though I had an SPF record, just because my IP address was in a range listed as "dynamic" (i.e. "residential"). Clearly that's for spam control. Not everybody does this, and I could send direct to those who do not, but it was simpler to just send everything out via port 587 to the ISP.
If the OP really does have a high speed "business" connection, then that connection should come with a static IP. That static IP should provide the foundation for a stable mail server. Other than the static IP, all you really need is a reverse DNS and a PTR record for your IP that matches the A record on the MX record for the domain.
I used to do consulting for the SMB market. I set up more local mail servers than you can shake a stick at. It is a simple and straightforward process. I have yet to see an ISP block port 25 on a business circuit. If that is what is happening in this case, you need to take it up with the ISP. They are not giving you what you are paying for. If they won't play ball, switch ISPs. There are enough of them out there.
You can have your own server hosted almost anywhere for $50 a month. Second, use this to be able to do both port 25 (which is blocked) and reroute port 26 to port 25 in your ip chains pre-route rules. Then set your people in the office to use port 26 instead of 25. (I am using APF.) You did say Linux server, right?
# place your custom routing rules below
$IPT -t mangle -A PREROUTING -p tcp --sport 443 -j TOS --set-tos 8
# accept client connections on TCP 26 and hand them to the MTA listening on 25
$IPT -t nat -I PREROUTING -p tcp --dport 26 -j REDIRECT --to-ports 25
The discussion here is depressing.
"Get a *real* ISP."
What if there isn't one available?
"Get a business account, not a residential one."
Residential accounts need to send and receive email too.
"Spend more money for some_feature/T1 line/whatever."
Not everyone has Warren Buffet's bank account.
"Use web mail."
Web mail SUCKS.
"Have google handle your email."
And read it and sell you out to everyone.
BTW, news flash for those of you that think google has good anti-spam. They don't. They false positive legit email as spam.
"Get a static IP"
Shouldn't matter.
"Residential accounts can't run servers."
a) Why the hell not? server != business
b) *OUT*bound port 25 is a client, not a server.
"You might be a spammer."
Whatever happened to innocent until proven guilty?
You guys whine about the TSA thinking you might be a terrorist, but assuming you are a spammer until proven guilty (or paying big bucks for some "business" feature) is ok? There is a word for that: hypocrite.
Yeah, the original complaint is about a business, but the problem is even worse for individuals.
Hasn't your company anything better to do with its resources? Get Gmail for your domain and spend the wasted time you recover making money.
Port 25 management (i.e. blocking outgoing port 25 unless the IP is whitelisted, i.e., supposed to host an outbound MTA) is not normal on business links.
Exactly ... you just relay your mail through the ISP's outbound mail relay ... so long as you're not sending spam (or something that they think is spammy), you're fine.
I personally wish more ISPs would block 25 outbound, as it can significantly cut down on spam and virus propagation.
(disclaimer: I worked for a small ISP about 11 years ago; we'd allow 25 out on request, but this was back in the day before viruses were spreading spam for the most part)
Build it, and they will come^Hplain.
Broadband access ISPs have several different policies about outbound port 25
Bill Stewart
There's a few things you can do for outbound mail. The cheapest/easiest solution would be to use your ISP's e-mail server as a smart host (i.e., DSmail.comcast.net in sendmail.cf). What I would do is get a "virtual private server" or similar (with a static IP), and set that up as your smart host/relay. It doesn't have to be incredibly powerful or anything--a bare bones configuration would be enough these days.
As a side benefit, you could also use the same system as your primary or secondary *inbound* mail server, by configuring it to simply relay mail to your primary mail server as long as it can connect to it. Otherwise, if your cable connection goes down for whatever reason (they aren't T1 lines, after all), your e-mail will be queued up on a system you control. Well worth the $20-30/month a VM from someone like Linode will cost you...
If port 25 is being blocked, perhaps you could configure your internal mail server to use a different port--say 587, which is another commonly used mail server port. Particularly if it is an internal mail server (and you have control over and knowledge of who uses it), then you can have everyone in your organization configure their email client applications to also use port 587.
Rackspace's customer "Traders Business Network" tbnonline.com (website) decided to send me their spam newsletter daily. The first message to their abuse@ email got me a robo-response with a ticket number, but there's no obvious way to look up the tickets to see if they've done anything, and the spam didn't stop. Subsequent emails to their abuse desk with the following few days' complaints got no response, calling their tech support desk got me forwarded to their abuse desk, who still didn't answer after several days, and after more than a week I eventually got annoyed and looked up their corporate general counsel. Email to him did get a response, but the spammers still have a working website.
Rackspace does some things quite well, but my opinion about their service went way down this past month; you shouldn't have to harass corporate officers to get a half-assed response from their abuse desk.
Bill Stewart
Damn. Wish I had mod points.
Yeah, and then your ISP stops providing a News server, so you end up having to fetch it with Google Groups anyway...
Bill Stewart
The only reason you're being blocked is because you're on a residential connection. Get a business line or get into a datacenter. I recommend using amazon's s3 as you can get a virtualized server to yourself. You can also use google to do your email hosting and let them take care of the backups and worrying about up time.
Second is you're not supposed to use your email server to send out email, only receive. How often have you been told to just use your isp's mail server to send out and use your company's mail server to receive? It's like a post office. You don't go to the post office to send out mail, you go to any mail box to send out but you must go to the post office to receive it.
See this for Verizon: http://www22.verizon.com/residentialhelp/highspeed/general+support/top+questions/questionsone/124274.htm
Will outbound port 25 blocking apply to all Verizon broadband customers?
Outbound port 25 blocking will be applied to FIOS and High Speed Internet services that use dynamic IP addresses. If you subscribe to a static IP address service, you will not be affected.
Sounds like you have only to change to static IP service to get around this. If you have static IPs, then call Verizon. Obviously there's something wrong. If you don't have static IPs, well, you're doing it wrong to begin with. Many well run mail systems won't accept an IP known to be dynamic.
Verizon will unblock port 25 if you ask them. They did for me. I hope that helps!
You either:
- Do not have a business-class connection.
- Do not have MX records, SMTP banners, or SPF records setup correctly.
- Have something on your LAN configured wrong.
- Are on a black list of some sort.
Visit mxtoolbox.com and check the blacklists and test incoming connections on port 25. I do contract network administration, implementation, un-fucking, etc. I work with lots of different ISPs including Aristotle, Windstream, Cox, AT&T, and Comcast. NEVER have I seen a case of a mail server not functioning correctly unless something preventable is configured wrong (see list above).
Port 25 should be open for incoming SMTP connections. Encryption or alternative ports are irrelevant to receiving incoming mail from the public. I don't know why so many comments are bringing this and related up. Do NOT allow relays from external sources. This keeps you OFF blacklists. This is simple to configure on Exchange. Probably a complete clusterfuck to do on Linux (which might be your problem considering the site you are posting to). Do not allow outgoing connections on port 25 from your LAN except from the edge mail server. This keeps spambots on your LAN from getting you put on blacklists. You should be using some sort of spam filtering solution on your mail server to prevent spam reaching your users. You can even host this with something like MXLogics. All incoming mail goes through their servers first and is relayed to you. Then you don't have to accept incoming connections on port 25 from anyone but MXLogic's IPs. Even better if you want to spend the money. You can even get their outgoing mail filtering and send ALL outgoing mail through them. This will really keep you the fuck off blacklists. No need for port 25 to be open to anywhere except to MXLogic's IPs from the edge mail server.
The only incoming port that should be open on your mail server is port 25. If you want to host incoming SMTP connections to allow for legitimate relays, then put it on some other port and use force encryption and make them authenticate. This is simple to configure on a proper Windows domain, but is probably a complete clusterfuck on Linux. If you want to host POP then put it on some other port and force encryption. If you want to host webmail on the server, then force the use of SSL and open the appropriate port. I leave this on port 443 for ease of use, and just tell the clients to fuck off on POP and SMTP relays. I tell them they can't have them. Of course, we're talking about proper Exchange environments here. I instead set them up with RPC over HTTPS and they get all the benefits of Exchange on the LAN, get to use Outlook, and get a proper encrypted connection to the mail server on port 443.
So my mail servers only have ports 25 and 443 open. Of course, Linux has nothing that compares to Exchange as far as usability, transparency to the end user, and ease to configure.
I presented you with some good information and solutions. All cost money. Lots of money. None are FOSS. Well that's the tradeoff in a world where you get what you pay for.
I'll gladly come unfuck your situation for about $150 an hour plus travel expenses. Unfortunately my employer would probably fire me for the terseness of this response (and the unbilled consulting that just happened in the words above). So fuck off.
That's how this looks in a telnet port 25 session from a DSL line:
telnet mx2.hotmail.com 25
220 bay0-mc3-f21.Bay0.hotmail.com Sending unsolicited commercial or bulk e-mail
to Microsoft's computer network is prohibited. Other restrictions are found at h
ttp://privacy.msn.com/Anti-spam/. Violations will result in use of equipment loc
ated in California and other states. Mon, 21 Feb 2011 17:47:40 -0800
EHLO mine.home.net
250-bay0-mc3-f21.Bay0.hotmail.com (3.12.0.56) Hello [xxx.xxx.xxx.xxx]
250-SIZE 36909875
250-PIPELINING
250-8bitmime
250-BINARYMIME
250-CHUNKING
250-AUTH LOGIN
250-AUTH=LOGIN
250 OK
MAIL FROM: i@home.net
550 DY-001 Unfortunately, messages from xxx.xxx.xxx.xxx weren't sent. Please conta
ct your Internet service provider. You can tell them that Hotmail does not relay
dynamically-assigned IP ranges. You can also refer your provider to http://mail.live.com/mail/troubleshooting.aspx#errors.
Now if you've got a dynamic IP or a static IP in a dynamic IP range or maybe even a static IP from a static IP range from a larger known-to-be-dynamically-assigned IPs...
Forward your outgoing mail in your mailserver to your ISPs SMTP server.
Problem solved.
Really, it's not the most complicated solution ever, but sometimes the best ones are the most simple.
Who did what now?
Most ISPs will block outbound port 25 outside of their network. That doesn't mean you don't have a way out of this.
Comcast and Verizon, like most ISPs, have a number of relays for outbound mail that usually require some sort of authentication. You can use that to send your mail safely. If that doesn't work, or if you don't want to use them, you can sign up for something like Postini, and use their relay for outbound mail (they will have info on how to set up that part without a problem). As a bonus, they will also check on your outbound mail and give you reports in case of viruses/spam/etc...
I hope this helps...
Every couple of weeks, someone would dig up a cable in the street (causing an outage), or the power would go off for a long time (and our UPS would die, and that would cause an outage), or someone would trip over something (causing an outage).
Grrr. We eventually moved our stack of Mac minis (cheap! and low hassle) to a specialist colocation place in Las Vegas that basically is a sub-tenant of the gigantic Switch datacenter.
Here was the surprise bonus - in addition to way better uptime, the quality of the connection we got was SO good it was crazy. Doing a 500Mb system update takes like, a minute to download. And because we didn't need the fancy Symmetric DSL connection back home, we could save money by downgrading to a regular ADSL connection. And, we got a 'naked' / all ports open connection to the net without hassles.
This was a seriously Good Move for us - think about moving your box somewhere offsite. It's cool.
If you happen to be using Macs, we used http://macminicolo.com/ (we're just a customer, but a pretty stoked one).
In 1995 I started an ISP offering dialup and web hosting. We have moved on to high speed wireless. We have a portable Class C address (204 block). We have for a couple of years been dealing with AOL and other large providers blocking our email. We don't have the resources to try and contact them every time someone has trouble sending them email. Lately I have taken to telling customers who want to send email to AOL and other large providers to get a Gmail account. I explain that no matter how much SPAM comes from Gmail servers they will never get blocked. I explain they are "too big to block". War on small ISP mail servers? Yeah, I would say so.
I learned a long time ago that the address ranges used for end-user oriented services routinely get blocked... If you got a dedicated line, and not a business class cable system, it would help your situation.
ie: the practice of bouncing the first email from any new IP and then making you wait to retry 30 seconds to 45 minutes later. Problem is, the message never makes it back to the enduser's email client, and I get the phone call.
Greylisting only slows down the 'baby spammers'. And they just end up hammering your email server with their simplistic spam bots.
It took about 3 weeks for the 'pro spammers' to update their 'bots to handle greylisting. And that was about 5 years ago. So come on guys, get rid of this already.
Grey Listing also has a very negative connotation to it. The only ones still using it are the 'Web Design' houses, guys heavy on content development, but short on hard core tech. It makes them look amateurish. These guys never answer their phones either. Greylisting is a sign of weakness.
The big local ISP's tried and discarded Greylisting, FIVE YEARS AGO. It does not work. I tried it, and watched in REAL TIME how the professional spammer adapted.
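The greylisting mechanism the commenter is arguing against, written out as an added example (not any commenter's code and not a particular MTA's implementation) so the retry behaviour is visible; the triplet definition, the time thresholds and the constructed attempt sequences are assumptions:

```python
"""Greylisting: temp-fail a never-seen (client /24, sender, recipient) triplet,
accept it once the sender retries after a minimum delay, and forget triplets
that never retry. Thresholds below are assumed values, not any MTA's defaults.
"""
import ipaddress

MIN_RETRY = 300              # seconds a sender must wait before we accept it
UNSEEN_TTL = 4 * 3600        # forget triplets that never come back in this window
KNOWN_TTL = 36 * 24 * 3600   # remember triplets that passed for 36 days

TEMPFAIL = (451, "4.7.1 Greylisted, please try again later")
ACCEPT = (250, "2.0.0 OK")


class Greylist:
    def __init__(self, min_retry=MIN_RETRY, unseen_ttl=UNSEEN_TTL, known_ttl=KNOWN_TTL):
        self.min_retry = min_retry
        self.unseen_ttl = unseen_ttl
        self.known_ttl = known_ttl
        self._db = {}  # triplet -> (timestamp, passed)

    @staticmethod
    def triplet(ip, sender, rcpt):
        # Aggregate on the /24 so a sending farm that retries from a sibling
        # address (common with large providers) still matches its first attempt.
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        return (str(net), sender.lower(), rcpt.lower())

    def check(self, ip, sender, rcpt, now):
        """Return the SMTP reply (code, text) for this delivery attempt."""
        self.expire(now)
        key = self.triplet(ip, sender, rcpt)
        entry = self._db.get(key)
        if entry is None:
            self._db[key] = (now, False)
            return TEMPFAIL
        first_seen, passed = entry
        if passed or now - first_seen >= self.min_retry:
            # A retry after the delay passes: this is also why a bot that simply
            # waits and retries (as the commenter notes) gets through.
            self._db[key] = (now, True)
            return ACCEPT
        return TEMPFAIL   # retried too soon: the "hammering" the commenter sees

    def expire(self, now):
        for key, (ts, passed) in list(self._db.items()):
            ttl = self.known_ttl if passed else self.unseen_ttl
            if now - ts > ttl:
                del self._db[key]


def simulate(attempts, **kw):
    """Feed (time, ip, sender, rcpt) tuples through one Greylist; return reply codes."""
    gl = Greylist(**kw)
    return [gl.check(ip, s, r, t)[0] for (t, ip, s, r) in attempts]


# Constructed attempt sequences (documentation addresses, made-up domains).
REAL_MTA = [(0, "203.0.113.5", "alice@example.test", "bob@ours.test"),
            (360, "203.0.113.9", "alice@example.test", "bob@ours.test")]
SIMPLE_BOT = [(t, "198.51.100.77", "x@spam.test", "bob@ours.test") for t in (0, 5, 10, 30)]
```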
If you block, you must have a way for someone wrongly blocked to complain.
Yahoo seems to block you for just about any reason. Like your server hosts an inoffensive graphic that got used in a flame war. Nothing at all comes from your IP address except a graphic of a computer, but all it takes is someone with their panties in a bunch to complain, and Poof! your entire server is banned for as long as the arrogant, unreachables at Yahoo feel like.
Ya, Yahoo, I'm pissed off at you. Can the arrogance already. You did not want to handle this privately, now here it is, out on a forum.
Sounds like your company is extremely cheap & stupid for not just getting a real Internet connection. I don't blame companies for straight-up blocking any mail traffic originating from blocks of cable modem IPs...it's generally a source of illegitimate spam. Tell your boss to put down the money for a T1 to use for email. Route all other traffic through your cable connection. by pak9rabid (1011935) on Monday February 21, @05:45PM (#35272912)
See subject, & don't let his BULLSHIT fool you man (the jackass who wrote this "ask slashdot" article/request)...
Just based on WHAT YOU SAID (& that's "straight-up" enough, & truth on YOUR part)?
It's PRETTY OBVIOUS he's a fucking spammer & he doesn't like being "shut down" (& personally speaking, I'd bet you I am dead on right: Fact is, think about it - MOST of these jackasses out there with a bullshit line like you see in the submission, that run their own mailservers... what do you REALLY think they're up to? Spam!)
why is this modded -1?
It's the first and only sensible response in the whole thread!
got a smallish business? google apps for the domain will be free
really, you pay a fraction of the cost of running your own mail / calendar / collaboration services with the additional benefit of them also handling the spam filtering for you.
i too ran my own smtp/imap servers for years, but have switched and will never look back!
RBLs are maintained by humans and they make mistakes. Your server can easily end up on an abuse, "dynamic IP", or "dialup" block list even if you have a static IP on DSL and have never sent a spam. http://www.anti-abuse.org/multi-rbl-check/ is a good start. If there is a match, fire off an email to the administrator and get it fixed.
Large ISP's often have their own private RBL's that can not be checked. Earthlink, at least, will send a bounce. Hotmail may not. It would be worthwhile to contact hotmail about your situation. My server's mail was bounced by Earthlink three times last year but there have been no problems for the last several months.
I also have run a private server on static IP on DSL. Since the last Earthlink bungle was fixed almost a year ago, I have had no problems sending mail anywhere including hotmail.
I have an ATT DSL with 5 static IPs (home, not business). I run an email server, and they do not block port 25.
My advice is to give up. The era of a small organisation running their own email server has passed. I have been running a mail server since 1994, and I am about to give up. Even being careful, there is a percentage of my mail that doesn't make it to the intended recipient. I have reverse DNS set up correctly, am whitelisted by my cloud provider, and ensure that my mail configuration is correct. I have wasted more hours than I care to admit keeping everything running, but I face at least one major email related issue per year, compared to when I started with something every couple of years, and then usually a silly configuration issue. I have better things to do with my time now. Let one of the big boys handle the hassles. You can still have your own domain and even some aliases.
http://en.wikipedia.org/wiki/Mail_Abuse_Prevention_System
See, when you're trying to get unlisted from something, try going to the right place.
If you are dealing with something that McAfee has (that is also called MAPS), sorry.
You can either proxy the email connections or host them directly. Email doesn't take up that many resources. Another $20 with another company gives you a backup MX. As a bonus you can run them as your dns servers as well as maybe a couple other low priority jobs run in jails.
And it goes without saying I suggest that you consult with a couple of external security hackers and audit all your servers a couple of times a year. You may be a small business but you're probably more of a target than the big companies. How much is your company's reputation worth?
As someone who had to deal with the same problem for awhile (before I got a true static IP with my business account), I can tell you that most ISPs will use a relay server for any mail that you wish to send. Generally, you just put a URL, username, and password into your SMTP settings and again you can send mail.
The method has the added bonus that, if your netblock is not marked for static IPs, spamhaus and other mail services won't blacklist your server. Talk to your ISP about what relay settings your mail service should have.
Seriously, this isn't that hard. If there isn't a phone number or email address on the bill for business support, you need to stop paying your bill (i.e., find another provider). That or look for a phone number or email address or even fax number in the DNS records. Your mail admins should know all this and have done it already. I'm a part time admin who runs his own email server, and I run into this on a semi-regular basis; it's not even my paying *job* and I'm able to take care of it.
First thing to do is check your own mail servers. Are you sure you are not sending spam? Are you sure no one in your company is sending spam? Are you sure you're not operating an open relay? If you are running mailing lists, make sure they are all opt in and dead simple to unsubscribe, with an automatic system to handle it, and if someone asks to be taken off without bothering to use the form, do it immediately.
The second thing to do is check the logs and DNS records for email addresses, phone numbers or web addresses or even just error messages as to why you are being blocked. Next is to try to remedy it: fill out the web forms, send email, leave voicemails, etc. Some solutions may prove infeasible (my last provider wouldn't change the reverse DNS, and yes, there are some retards who will block on this one fact *alone*), but it's still worth trying.
Small businesses aren't the reason administrators are blocking mail from Cable/DSL modem network blocks. Verizon and Comcast consumer-grade networks have a bad reputation for originating SPAM from infected hosts; that shouldn't be a surprise to anyone managing e-mail.
If your company has a static allocated network block, and you follow best practices (i.e. accurate SPF/MX/reverse records, working Abuse contact for your allocated network block) you can talk yourself out of a reputation block list. Speaking of which, the last time I checked Verizon didn't even have a working Abuse contact. If you're on what is considered a dynamic consumer-grade modem network block, there is a fat chance getting de-listed.
If it's been incorrectly listed as consumer-grade, you have to convince the reputation blacklist maintainers that you are on a business grade network. You will have to prove to them that you follow best practices, and that you have the infrastructure in place, necessary to get yourself de-listed. It may not be easy, but it is not impossible. I have been able to get a business-class A-block de-listed, however it had been incorrectly recorded as a consumer-grade Verizon modem block in a reputation blacklist. Our company had a directly allocated C-block, a working Abuse contact, etc.
Talk to Verizon and Comcast, if you're paying for business grade service, they may offer small business smart hosting. It may cost a little extra. See if there are any small IT consulting firms in your area offering similar services. Are there any Competitive Local Exchange Carriers in your area that could physically host your mail server in a co-location facility at a reasonable price?
Another option is to consider outsourcing to a SaaS model, Google and Microsoft may offer affordable smart-hosting with your existing mail server.
Finally, you have a myriad of cloud Virtualization hosting options, such as Rackspace, Amazon EC2, Slicehost, etc.
You could get a virtual linux box at linode.com, it's very cheap and mail servers are some of the common uses for them.
That said, I noticed when I traveled to a home on Verizon that they do indeed block port 25 when trying to send mail via my linode based mail server, and the solution was to go to an alternate port number and configure my mail server to accept it. This turns out to be pretty common with broadband providers like Verizon. I would not trust Verizon to not block 25 even if they say it is a business connection. Incoming is another matter.. If blocked then you need to complain.
As an ISP, I can confirm that we do block port 25. The reasons are obvious. Any traffic on that port is almost certainly malicious.
Some of our customers do run their own mail servers. All it takes is a short phone call to coordinate server addresses, etc. and we let their mail right through. Some of our customers want to connect to third-party email providers. Again, a short phone call resolves their issues.
I'm actually surprised malware sticks so much to port 25. I would expect them to dodge better.
I relay all my outbound mail via a VPS at a reputable host - in my case, Linode, but many others would do. The VPS has a static IP allocated from space the VPS host has registered as used for hosting static customer services. Reverse DNS is configured to match the hostname it reports on EHLO and the hostname listed in the MX records.
That way I'm freed from all those annoying DSL/cable modem filter rules, and I get a secondary MX as part of the deal.
I *love* ISPs that block port 25 outbound... by default. It's a great spam control measure for Judy and Joe's unpatched Windows XP SP1 machine connected directly to the Internet via a USB DSL modem. Most ISPs, however, let you turn it off via a control panel offered for your service - if you know you want to and know enough to do so. Those that don't let you turn it off at all because they're trying to force you to pay them to unblock ports, they piss me off.
Outbound port 25 suddenly stopped working for us at our home office. My wife has a CRM system that she runs in our home office and it frequently sends emails to her clients (appointment reminders, appointment follow-ups, promotions, etc.). I configured that CRM system to use our mail server setup on a VPS in a data center with Server Axis. After I figured out that it was Comcast that suddenly shut down outbound port 25 from our home, all I did was change the incoming SMTP port on our mail server to be 2500 and everything has been fine ever since (something which may not always be a practical option if you have lots of different groups expecting it to be available on port 25).
But yes, make sure you follow best practices for managing a *legitimate* high-traffic mail server:
* Use a static IP
* Have proper abuse@ & postmaster@ addresses
* Setup an SPF record for your domain
* Follow the FTC's CAN-SPAM act (http://business.ftc.gov/documents/bus61-can-spam-act-compliance-guide-business)
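The DNS-side checks that keep coming up in this thread (the HELO host is an MX for the domain, forward and reverse DNS agree, an SPF record exists, and the address is not on a blocklist, which is queried by reversing the octets under the list's zone), gathered into one script as an added example that is not any commenter's code. The domain example.test, the address 203.0.113.25, the zones dnsbl-a.test and dnsbl-b.test, and the lookup() snapshot are constructed stand-ins for real resolver answers:

```python
"""Outbound-MTA sanity checks run against a DNS snapshot.

Added example, not any commenter's code. lookup() reads a constructed dict;
swapping in a real resolver (dnspython, dig) leaves the check logic unchanged.
"""
import ipaddress


def fqdn(name):
    """Normalise a name to absolute form so snapshot keys match."""
    return name if name.endswith(".") else name + "."


# Constructed snapshot for a hypothetical domain example.test whose MX host
# sits on 203.0.113.25 (a documentation address). dnsbl-b.test is a made-up
# blocklist zone that lists the address; dnsbl-a.test does not.
DNS = {
    ("example.test.", "MX"): ["10 mail.example.test."],
    ("mail.example.test.", "A"): ["203.0.113.25"],
    ("25.113.0.203.in-addr.arpa.", "PTR"): ["mail.example.test."],
    ("example.test.", "TXT"): ['"v=spf1 mx -all"'],
    ("25.113.0.203.dnsbl-b.test.", "A"): ["127.0.0.10"],
}


def lookup(name, rtype):
    return DNS.get((fqdn(name), rtype), [])


def reverse_name(ip):
    """Reversed-octet form used for both in-addr.arpa and DNSBL queries."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets))


def dnsbl_listings(ip, zones):
    """Map each zone that lists ip to its 127.0.0.x answer."""
    listed = {}
    for zone in zones:
        answers = lookup(f"{reverse_name(ip)}.{zone}", "A")
        if answers:
            listed[zone] = answers[0]
    return listed


def check_outbound_mta(domain, helo_host, ip, dnsbl_zones):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    host = fqdn(helo_host)
    # 1. The host announced in HELO/EHLO should be an MX for the domain.
    mx_hosts = [rr.split()[1] for rr in lookup(domain, "MX")]
    if host not in mx_hosts:
        findings.append(f"{helo_host} is not an MX for {domain}")
    # 2. Forward-confirmed reverse DNS: A(host) -> ip and PTR(ip) -> host.
    if ip not in lookup(host, "A"):
        findings.append(f"{helo_host} does not resolve to {ip}")
    ptr = lookup(f"{reverse_name(ip)}.in-addr.arpa", "PTR")
    if ptr != [host]:
        findings.append(f"PTR for {ip} is {ptr or 'missing'}, expected {host}")
    # 3. An SPF record must be published for the sending domain.
    txt = lookup(domain, "TXT")
    if not any(t.strip('"').startswith("v=spf1") for t in txt):
        findings.append(f"no SPF record published for {domain}")
    # 4. Listings on the blocklists we care about.
    for zone, code in dnsbl_listings(ip, dnsbl_zones).items():
        findings.append(f"{ip} is listed in {zone} (answer {code})")
    return findings


if __name__ == "__main__":
    for finding in check_outbound_mta("example.test", "mail.example.test",
                                      "203.0.113.25", ["dnsbl-a.test", "dnsbl-b.test"]):
        print("FINDING:", finding)
```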
I host my own mail server at home, and I use my Web Hosting provider's SMTP as an outbound relay for mail. To connect to my server from the outside to send mail, I use the ssl port to connect, which my ISP does not block.
For incoming messages, I set up a catch-all address on my Web Host's email server, and fetchmail it over IMAP. Then, I let fetchmail deliver it to my mail server, and process the mail delivery to local addresses in LDAP on my server, but it depends what your host provider does to the headers when the mail goes to the catch-all. If this is a problem, you may need to set up separate accounts on your host provider's server, or if they will let you, set the outbound to your domain to relay to your server over a non-standard port (which, if they will let you do the relay, they can usually encrypt the connection too).
Some organizations publish their delivery guidelines. For example, UCLA's delivery guidelines are available here: http://info.smtp.ucla.edu/guidelines.php The most common reason UCLA's servers reject mail is due to improper rDNS records.
This sig is provided "as is" without warranty of any kind.
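A fetchmail configuration for the catch-all arrangement described in the post above, written out as an added example rather than the poster's own file. The provider host name, the catch-all account, the local port and the envelope header are assumptions; in particular, which header carries the original recipient (here "Delivered-To") depends on what the hosting provider stamps on the message, which is exactly the caveat the poster raises.

```ini
# ~/.fetchmailrc  (added example; host names, account, port and header are placeholders)
set daemon 300                          # poll every five minutes
poll imap.hostingprovider.example proto IMAP
     # Server options (must precede the user line):
     envelope "Delivered-To"            # header in which the host records the original recipient
     localdomains example.com           # recipients in this domain are delivered locally
     # User options:
     user "catchall@example.com" there with password "PLACEHOLDER"
     is * here                          # multidrop: route by envelope recipient, not by login
     ssl                                # IMAPS to the provider
     smtphost localhost/2500            # local MTA listening on the non-standard port
     fetchall no keep                   # drain the catch-all; do not leave copies behind
```

The file holds the provider password, so fetchmail refuses to run unless it is mode 600. If the provider rewrites or strips the recipient header, fetchmail falls back to header guessing and misdelivery becomes likely; that is the point at which separate per-user accounts on the provider are the safer choice.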
$215 a Year will buy you a very decent Virtual Server there (a very geek-friendly Un*x place).
My business has a Comcast Business account, and we host our own email and for several clients. Comcast is not blocking port 25 for us and we are having no problems being blocked anywhere. Do you have a reverse DNS record that resolves to the address of your email server?
Considering the simultaneous growth of the stock market, increasing concentration of wealth and increasing poverty and unemployment, particularly the long-term unemployed since Day One of the Bush, Jr. administration, I'd be shocked if a front or two hadn't opened against small IT outfits, in this ongoing class war initiated by the over-privileged directors of global corporations.
"I can't imagine how things could get any worse!" (some guy) "That could just be failure of imagination on your p
What is a small company supposed to do if you want to host your own mail?
Get a VPS somewhere and use that as a mailserver. Heck, I have one privately, how small a company are you that you don't?
It makes sense from many perspectives. You are still online when the power or connectivity in your office goes down, it can serve as an off-site backup, it will have a static IP address, getting you past many RBLs, etc. filters.
Assorted stuff I do sometimes: Lemuria.org
I disagree with you on a couple of items here:
> BTW, news flash for those of you that think google has good anti-spam. They don't. They false positive legit email as spam.
I'm only speaking from my personal experience. I find Google's spam filtering to be absolutely top-notch. I only very occasionally get false positives in the spam folder, which is an acceptable rate for me. For a while I had my oldest domain name (which I've had for 12 years) hosted there. It was getting somewhere on the order of 2,000 spam messages per day. Very rarely would I see a non-spam message in the spam box.
I've done the personal mail server dance a few times before. It's really a lot of work to make sure that your mail gets delivered everywhere and to make sure that spam is effectively filtered. I still haven't found better spam filtering than Google - although, admittedly, I haven't ever used any of the expensive or dedicated-hardware solutions like Barracuda.
> Web mail SUCKS.
I think that's subjective. I really don't like any of the run-it-yourself webmail solutions (SquirrelMail and RoundCube come to mind). I don't like Yahoo (at least as of the last time I saw it), never used Hotmail... but I've got to tell you, I've been using Gmail (and now Google Apps) since 2005, and although I occasionally download and fire up Thunderbird when a new version comes out... I still prefer the web interface. In fact, my only complaint is that there's no good way to do GPG in Gmail (that I know of). But the net benefit is still positive for me.
Why, no, I haven't meta-moderated lately. Thanks for asking!
We have Kerio Connect running on a VPS (virtual private server). It's very low-cost and works great, and environments where VPS exist typically don't filter mail-related ports.
I'm not sure why this should be such an issue. Just set your internal mail server up to use a smart host (I think Microsoft's SMTP server calls this a relay host, or something similar) which uses the ISP supplied mail server. Unless you are sending massive amounts of E-Mail that triggers their spambot filter, you shouldn't have a problem.
Now, if they are blocking incoming connections on port 25, you have an issue. You will either need to get an external relay set up (like the VPS solution that was mentioned before) that can be configured to hit an alternate port (587 and 325 are popular for this) on your server or use a third party incoming mail host and then set up something like fetchmail to poll the external server and deliver it to your local mailboxes.
IANAL!
Since you are limited from exercising free speech via SMTP medium, you have essentially been denied 1st amendment rights. Go sue them into oblivion.
This is one of the reasons why network neutrality matters. It assures others are not limited from freely speaking to you, should you choose to listen to them, instead of your ISP choosing who you can listen to and how.
If your ISP is blocking outgoing connections to port 25 of other IP's than their own SMTP server, then the solution is to configure your own mail server to relay the emails via the ISP's SMTP server.
If they have blocked incoming SMTP, then you have a real problem.
It is, however, not a war against legitimate MX but against trojan-infected dial-up machines spamming legitimate MXs. If you're in a 'dial-up' (or 'dynamic') netblock you most probably do not have a valid MX record. At least not one that will be resolved reversely. So you can not provide a reasonable HELO/EHLO string (see RFC 821) and any MX insisting on a correct HELO dialogue will reject SMTP access. Unfortunately not all do. Mostly due to bugs in W2k mailservers (some of them are still alive and still unpatched, and newer ones are less buggy, but still run by morons). This is one of the main reasons why spam has become what it is today and why some ISPs have been blocking in/outgoing SMTP traffic on their nets. IIRC AOL started doing so almost ten years ago; others followed, blocking port 25 at least between their dynamic address pools and from foreign dialup ranges.
Oh, the beautiful gloss of greality!
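The receiver-side checks that several posts in this thread keep coming back to (the SPF record from the best-practices list, the reverse DNS that UCLA and the Comcast Business poster ask about, and the HELO/EHLO dialogue in the post just above), shown from the receiving MTA's side as an added example that is not any poster's code. It performs forward-confirmed reverse DNS (PTR name must resolve back to the connecting address), compares the HELO name with the PTR name, and evaluates a minimal SPF record. DNS answers come from a constructed in-memory table so it runs offline; a real MTA queries a resolver and uses a complete SPF implementation (include, a, mx, redirect and macros are deliberately not implemented here).

```python
"""Receiver-side sanity checks a mail server applies to a connecting client.

Added example (not any poster's code). FCrDNS, HELO-vs-PTR comparison and a
minimal SPF evaluator, run over a constructed DNS table so it works offline.
"""
import ipaddress

# Constructed DNS data (documentation-range addresses, not real hosts).
DNS = {
    "PTR": {
        "203.0.113.25": "mail.example.com.",       # a properly configured MX
        "198.51.100.7": "dynamic-7.isp.example.",  # a generic dynamic-pool name
    },
    "A": {
        "mail.example.com.": {"203.0.113.25"},
        "dynamic-7.isp.example.": {"198.51.100.7"},
    },
    "TXT": {
        "example.com.": ["v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all"],
    },
}

RESULT_BY_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _fqdn(name):
    """Normalise a host name to lower case with a trailing dot."""
    return name.strip().rstrip(".").lower() + "."


def fcrdns(ip):
    """Return (confirmed, ptr_name): PTR exists and its A record points back to ip."""
    ptr = DNS["PTR"].get(ip)
    if ptr is None:
        return False, None
    return ip in DNS["A"].get(_fqdn(ptr), set()), ptr


def helo_matches_ptr(helo, ptr):
    """The HELO/EHLO name should be the FQDN that the PTR record names."""
    return ptr is not None and _fqdn(helo) == _fqdn(ptr)


def check_spf(ip, domain):
    """Evaluate domain's SPF record for ip: pass/fail/softfail/neutral/none/permerror.

    Only ip4, ip6 and all mechanisms are implemented; anything else is a permerror here.
    """
    records = [r for r in DNS["TXT"].get(_fqdn(domain), []) if r.lower().startswith("v=spf1")]
    if not records:
        return "none"
    if len(records) > 1:          # RFC 7208: more than one SPF record is a permanent error
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in RESULT_BY_QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = addr.version == net.version and addr in net
        else:
            return "permerror"    # include/a/mx/exists/ptr not implemented in this example
        if matched:
            return RESULT_BY_QUALIFIER[qualifier]
    return "neutral"              # nothing matched and the record has no "all" term


def screen_connection(ip, helo, mail_from_domain):
    """Combine the checks into the decision a receiving MTA would make."""
    confirmed, ptr = fcrdns(ip)
    spf = check_spf(ip, mail_from_domain)
    helo_ok = helo_matches_ptr(helo, ptr)
    if spf == "fail" or not confirmed:
        action = "reject"
    elif spf in ("softfail", "permerror") or not helo_ok:
        action = "accept-flag"    # deliver, but hand to the content filter with a warning
    else:
        action = "accept"
    return {"ip": ip, "ptr": ptr, "fcrdns": confirmed, "helo_ok": helo_ok,
            "spf": spf, "action": action}


if __name__ == "__main__":
    for ip, helo, dom in [("203.0.113.25", "mail.example.com", "example.com"),
                          ("198.51.100.7", "mail.example.com", "example.com"),
                          ("192.0.2.9", "mail.example.com", "example.com")]:
        print(screen_connection(ip, helo, dom))
```

Run as a script it prints three decisions: the properly configured host is accepted, the dynamic-pool host that forges the MX's HELO name is rejected because the domain's "-all" SPF record does not list its address, and the host with no PTR record at all is rejected outright. That last case is the one the original poster is on the wrong side of: from a cable-modem block without reverse DNS and without an SPF listing, there is nothing for the receiver to confirm.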
Did you ask your ISP why they blocked port 25? What does your service agreement say about hosting your own servers?
It's time for engagement with your provider, rather than trying to find a hack to bypass their security. Look up what port your ISP is using for POP access. Assuming it's port 25, ask them why they didn't block port 25 on themselves.
Only the dead have seen the end of War. - Plato
I actually had this happen to me last week. We have a small business account w/ Verizon. 32 static IPs. rDNS set up for our mail. They randomly blocked our outgoing mail.
Apparently, this is a 'known issue', but still took me 3 days to resolve. Juniper apparently has problems with their switches. I had to be rerouted through a new switch.
This post is some half a day old and nobody here's actually posted about smart host in Sendmail? Guys, you are losing your edge!
It's made for exactly this situation and is jaw-droppingly simple, little more than edit a config file and restart sendmail and away you go. Other mail server software should offer similar functionality.
This solves OP's problem completely, is invisible, and makes the mail delivery problem the ISP's problem. (which, presumably, they've worked out since you're paying them to)
How can you claim to be a population of techies and not know this?
I have no problem with your religion until you decide it's reason to deprive others of the truth.
No need to pay for VPS, but he certainly needs to pay for Verizon business class service instead of the residential he obviously has. It is a company after all, they should have a business account - going cheap has its downsides.
Violence is the last refuge of the incompetent. Polar Scope Align for iOS
The solution to your problem is simple: either a) use a static IP configured with reverse DNS, as many people have indicated, or b) use your ISP's SMTP as a smart host to forward all outgoing email to. Simple, really.
(postfix) relayhost = smtp.yourisp.com
Is this really that hard?
I know of a Dutch ISP which has a setup where you point your MX to their mailserver which will relay all incoming mail to your server. That setup makes sure an open relay in their network is harmless while still allowing their users to run their own mailservers.
Which is dandy as long as you don't want to use DNSBL to block spam.
I run a small mailserver, and have the problems described -- but if I gave up my DNSBL filters, my incoming spam traffic would totally saturate my bandwidth (tried it).
Lacking <sarcasm> tags,
Problem domains like hotmail.com and yahoo.com should be routed through your ISP's mail server. Also consider using DKIM to _try_ to make Yahoo accept your mail.
Use Google's Postini service. It will act as a virus/spam filter for you as well as a 'proxy' for your SMTP traffic. All your MX records will have their IPs and you can even send all your outgoing traffic to them as well for scanning before sending.
If you are on a business class service, they should not be blocking SMTP traffic. I work at a place that uses business TWC and we send and receive a LARGE volume of email every day. You need to call their business support and talk to them, it's not the same number as residential.
Why? Just as folks looking to build a botnet look to Comcast for fresh meat, those of us protecting mail servers from spam look to Comcast as the first place to block. There's just too much crud that comes in from that space.
To be fair, many of us block a *lot* of other IP space in our quest to control spam. I block entire countries - why accept mail from a country you are 99.999% unlikely to be sent legit mail from?
Your best bet might be to convince Verizon to allow port 25 out. You may have to pay for that privilege - welcome to the world of real mail servers.
After spending many hours and days trying to diagnose mail delivery problems, I just threw my hands up and put my mailserver behind postini. Since Postini has been delivering our mail, we've had no delivery problems.
I have better things to do than spend all of my time convincing a blacklist provider that I'm not a spammer.
-ted
Yeah it's not uncommon for an ISP to block port 25. It's also not hard to configure your mail server to use a different port. In fact
"What is a small company supposed to do if you want to host your own mail?"
They block port 25 because of the spam problem, use another port ...
I've run a vanity domain for probably 14-15 years now. And I've always run my own email server for it.
Outbound mail is routed through my ISP email server, secured with a TLS/SASL connection and a login to my provider's email service, just as if I was sending the mail through an email client, but instead, I've configured postfix to direct outgoing email through this pipe to my ISP. All it requires is my login and password to authenticate that I'm allowed to relay mail through my ISP's server. It happily relays email originated from my domain with this configuration, whereas using normal unencrypted SMTP does not.
And yeah, I do it through dynamic IP assignment. My MX record has no problem with directing mail for my domain to another domain name (the dynamic IP service I use.) I've never had a single problem with receiving incoming SMTP connections on port 25, where my postfix server lives.
I use AT&T (formerly SBC.)
Sorry for anonymous, forgot my login details.
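The smart-host relay that the last few posts describe (the one-line postfix relayhost, the smart host on the ISP's server, and the TLS/SASL-authenticated variant in the post just above), written out as an added example rather than any poster's own configuration. The relay host name, port and credentials are placeholders; the parameter names are standard Postfix ones.

```ini
# /etc/postfix/main.cf  (added example; host, port and credentials are placeholders)
# Hand every outbound message to the ISP's submission service.
# Square brackets tell Postfix to use the name as-is instead of looking up its MX.
relayhost = [smtp.yourisp.example]:587

# Authenticate to the relay with the mailbox credentials the ISP issued.
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous

# Require STARTTLS before AUTH so the password never crosses the wire in clear text.
smtp_tls_security_level = encrypt
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

# /etc/postfix/sasl_passwd  (one line, then: postmap /etc/postfix/sasl_passwd)
# [smtp.yourisp.example]:587 username:password
```

The sasl_passwd file and the .db that postmap builds from it hold the ISP password, so keep both mode 600 and owned by root. With "encrypt" Postfix insists on TLS but does not verify the relay's certificate; raising it to "secure" makes Postfix also check the certificate chain and host name against the bracketed relayhost, which is what you want once you know the ISP's certificate is sane. Sendmail's counterpart is the SMART_HOST definition in sendmail.mc, which the earlier post was pointing at.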
Actually, that's not true. Softegg can get to his ISP's mail servers on port 25. All he has to do is configure his mail server to relay all outgoing mail to his ISP's mail servers. Simple, end of story. Trust me, if the ISP's mail servers show up on a blacklist, it will be taken care of immediately.
If I used a sig over again, would anyone notice?
yes.
I've been routing my outbound through dyndns's mailhop service to deal with comcast's blocks. Inbound still seems to be ok, and I hope it remains that way, as I prefer to do my own filtering and blacklisting.
Another option outside of getting a VPS is to get a Postini account and use them as a smarthost. Postini (or Google if you will) has a good reputation out there and you'll find much less mail blocked as a result. They also provide good inbound spam blocking services which you'll need eventually if you don't know.
Others have suggested a VPS; that's just another way to get a static IP (under no circumstances consider shared hosting, you never know who your 'neighbors' may be spamming...) But, since you run the server out of your own shop, besides switching to a static IP for your own connection, get with StartCom or one of the other low-cost cert folks & switch to SSL for your email traffic as well. Any of the free DNS services (dyndns, whatever) can be used to create an A record for your IP.
>> BTW, news flash for those of you that think google has good anti-spam.
>> They don't. They false positive legit email as spam.
>
> I'm only speaking from my personal experience. I find Google's spam
> filtering to be absolutely top-notch. I only very occasionally get
> false positives in the spam folder,
Putting legit mail in a spam folder is one thing. Not delivering legit mail at all is quite another, and gmail started doing that at some point (date forgotten). If the only contact info for someone you have is an email addr (and that is common), you're stuck.
Oh, and you can't open a gmail account unless you have a cell phone that can receive text messages. WTF?
> I've done the personal mail server dance a few times before. It's
> really a lot of work to make sure that your mail gets delivered
> everywhere and to make sure that spam is effectively filtered.
It used to work fine before so many people started the assume-you-are-a-spammer-until-proved-innocent thing.
I hate spam as much as the next guy, but not being able to contact people is orders of magnitude worse.
>> Web mail SUCKS.
> I think that's subjective.
OK, it is subjective. Web mail is SLOW SLOW SLOW. Editing is a nightmare. Editing in an emacs text window and then copy-and-paste into browser window helps, but is still problematic. Having some company reading your mail is evil. And you have to copy any info you want to save back to your own computer because who knows when the webmail will fail.
Webmail is a nice option to have and if you like it great. But being forced to use it when you hate it sucks.
Gmail is the best for small companies. They even offer to change the extension for you for your company, so that you do not get a gmail extension; they do all the virus verifications and spam filtering, so what you are left with is really what you need: a 99.9% up server that already has full AV and spam apps, plus cool integrated features that are as powerful as Outlook, but from a web interface, so it saves you licensing MS Outlook too!
"What is a small company supposed to do if you want to host your own mail?"
Rent a virtual server in a real datacenter and run whatever you want. I think I pay $30/month for mine.
Postini is cheap, and your MTA can be configured to send and receive mail through it. Plus you'll get fantastic SPAM filtering. Problem solved.
640YB ought to be enough for anybody.
I don't think it's entirely intentional, but it is a real phenom.
Same answer as others, but we had this same issue with a private instance of Exchange server. We were constantly being blocked when sending email to recipients in SBC and Comcast, even others occasionally, but those were the worst.
For a while we ran a second virtual email server as an 'edge' server for both incoming and outgoing email on RackSpace. This changed the IP to one of RackSpace's and solved the blocked email problems. It also worked great as a front line against spam. All of the load of spam filtering hit the virtual server, and spared the server in the office.
In the end though, we gave up. We now use hosted RackSpace Exchange. This has proven to be much cheaper overall, and without all the other small email system headaches.