From: Jerry <gesbbb@yahoo.com>
To: freebsd-questions@freebsd.org
Date: Mon, 27 Oct 2008 14:39:56 -0400
Message-ID: <20081027143956.6434cddf@scorpio>
In-Reply-To: <20081027002359.GA7165@icarus.home.lan>
References: <20081026235553.GA45810@ezekiel.daleco.biz> <20081027002359.GA7165@icarus.home.lan>
Organization: seibercom.net
X-Mailer: Claws Mail 3.5.0 (GTK+ 2.12.11; i386-portbld-freebsd6.3)
Subject: Re: MTA on non-standard port

On Sun, 26 Oct 2008 17:23:59 -0700 Jeremy Chadwick wrote:
> On Sun, Oct 26, 2008 at 06:55:53PM -0500, Kevin Kinsey wrote:
>> Hello,
>>
>> Quick thanks to Andrew Clark, Jeremy Chadwick, Tim Kellers,
>> Jeff Goldberg, and anyone whose reply I've not seen re:
>> this issue.
>>
>> Isn't hard, as several pointed out. Now I've sendmail listening
>> on any port I want to. Problem is, still can't touch it from
>> here (and you might have guessed, the base issue is a new provider
>> of a lower-class service who I'm guessing only allows certain
>> ports by default).
>
> Most consumer ISPs in the United States block two kinds of traffic to
> their customers' IP blocks:
>
> 1) Incoming SMTP (e.g. someIP:* --> yourIP:25)
> 2) Outbound SMTP (e.g. yourIP:* --> someIP:25)
>
> #2 has become prominent in the past few years, and is applied by ISPs
> because they want to curb their customers sending spam out onto the
> Internet (usually as a result of viruses, trojans, etc.), getting their
> IPs blocked by DNSBLs and giving them a bad social rep. Instead, they
> force customers to relay outbound mail through their own SMTP servers
> (called a "smart host" in sendmail terms).
>
> There's absolutely no way around this; you can beg them all you want,
> but the chances of them adding a pass-through for you are very slim.
> Story time again...
>
> My setup, just to give you some idea: my home LAN has a FreeBSD box
> used for all kinds of purposes. The box itself does not have direct
> Internet access (it sits behind a Linksys WRTSL54GS NAT router, which
> DOES NOT have incoming port 25/587 forwarded). The BSD box listens on
> localhost:25,587, and bsdIP:25,587. This allows other machines on the
> LAN to send mail through the BSD box, and of course local utilities on
> the BSD box to do the same.
>
> The Linksys router has two outbound firewall rules applied to it: it
> only allows bsdIP on my LAN to connect to someIP:25,587 -- thus, only
> one machine on my LAN is allowed to speak SMTP to the world. I do this
> purely as a precautionary measure (in case one of my friends comes over
> with his/her laptop, which happens to be infected and sends spam, etc.
> -- it won't work, period).
>
> All this worked great until Comcast put in place outbound SMTP filters,
> which stopped postfix from being able to connect to someIP:25 (where
> someIP is some random MX/mail server on the Internet). I was forced to
> set up "smart relaying", causing postfix to siphon all outbound mail
> through comcastmailserver:25, which worked fine for a few years.
>
> A couple months ago, Comcast stirred up the ants. They blocked my
> ability to send mail to anyIP:25 (including to their own SMTP
> servers!), citing "an incident of spam from my IP address".
>
> I asked them to provide timestamps, Reference IDs, or even queue IDs, and
> also explained my LAN setup and how what they were claiming happened
> simply could not happen without my knowledge of it. They refused, as
> in literally "We will not provide you any of that". Abuse and I got
> into a very long discussion on the phone about this, and they told me a lot
> of conflicting things (more or less just inducing me to ask more
> questions, because their story didn't make any sense). They did
> eventually tell me what *day* the spam was sent, which allowed me to go
> look through my logs -- over and over, and I found absolutely no sign
> of any illegitimate mail in my mail logs.
>
> I was told they would lift the block (which was done at the cable modem
> level, not at the router level) if I could "permanently guarantee no
> more incidents of spam". I told them that was impossible to guarantee,
> because there *was no incident of spam* from my IP in the first place,
> and they were refusing to work with me to figure out how/why they were
> claiming that. So we sat there on the phone, silent, basically saying
> nothing -- a total standstill.
>
> Eventually they stated that I could send mail through their mail
> servers on port 587. I quickly set this up, and found it failed --
> their servers require SMTP AUTH on port 587, no exceptions (note: this
> is NOT mandatory by the RFC; it's OPTIONAL). This meant I had to go
> through the pains of dealing with Cyrus SASL2 (thankfully postfix
> makes this easier to deal with than sendmail), and upon configuring it
> all, mail once again began to flow. That's how things remain now.
>
> The reason I do not like siphoning mail through Comcast: their mail
> servers are known to act wonky or /dev/null mail for mysterious
> reasons. I've had two separate incidents of me sending mail to
> individuals, witnessing Comcast's servers say "OK/accepted", but the
> mail never reached the destination. In one case, one recipient ran
> his own mail server, and was able to confirm that he saw absolutely no
> Comcast IP connect to his server during a 24 hour period. To this day
> the mail has never arrived.
>
> All the anti-spam advocates praise ISPs stepping in and becoming the
> "middle man" for spam siphoning/filtering, spanking users like this
> when incidents occur -- but when their setup fails or does what I've
> described above, they basically turn their cheek and ignore any sort
> of mistake or mishap.
> The fact that I cannot convince my ISP that I
> am a responsible Netizen is disheartening -- I should not need a
> business class connection to justify my responsibility.
>
> I hope the experience with your ISP is better than mine. Good luck.

I had a similar experience with Comcast. After speaking with their
representatives and getting nowhere, I got the representatives to give
me their ID numbers, something they have to do by law anyway, and then
filed a protest with the 'Public Service Commission' in New York State.
Within five days I had both the Comcast and PS Commission reps talking
to me. Long story short, Comcast backed down. The PS Commission said
that Comcast could issue a system-wide regulation if they wanted, and
in fact they are in the process of doing that right now; however, they
could not just single me out without supplying me with the requested
information.

Furthermore, they are now requiring SMTP AUTH on 587. While that may
not be RFC required, I really see no reason to complain about it.
Actually, it is probably a good idea if it helps contain the spread of
SPAM. However, at least in my case, both inbound and outbound port 25
traffic is open.

-- 
Jerry
gesbbb@yahoo.com

It's kind of fun to do the impossible.
    -- Walt Disney
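The "smart relaying" setup Jeremy describes above (all outbound mail pushed through the ISP's submission port with SMTP AUTH, TLS first so the relay password is not exposed) as a Postfix configuration example. This is added here and is not the thread's own configuration; `smtp.example.net`, the account name, and the FreeBSD port paths under `/usr/local` are placeholders and assumptions.

```ini
# /usr/local/etc/postfix/main.cf  (FreeBSD port location; assumed)

# Hand every outbound message to the ISP's submission port instead of
# connecting to remote MX hosts on 25, which the ISP blocks.  The
# brackets tell Postfix to skip the MX lookup for the relay name.
relayhost = [smtp.example.net]:587

# The relay requires SMTP AUTH on 587: enable client-side SASL and
# point at the credential map built below.
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/usr/local/etc/postfix/sasl_passwd
# Never fall back to anonymous mechanisms; the relay must see a login.
smtp_sasl_security_options = noanonymous

# "secure" = TLS is mandatory AND the relay's certificate must verify
# and match the nexthop hostname, so the SASL password only ever
# travels inside a verified TLS session.  ("encrypt" would require TLS
# but skip certificate verification.)
smtp_tls_security_level = secure
# CA bundle installed by the security/ca_root_nss port (path assumed).
smtp_tls_CAfile = /usr/local/share/certs/ca-root-nss.crt
# Log one line per TLS handshake; enough to see verification failures.
smtp_tls_loglevel = 1


# /usr/local/etc/postfix/sasl_passwd  (placeholder credentials)
# The lookup key must match relayhost exactly, brackets and port included.
# After editing:  postmap hash:/usr/local/etc/postfix/sasl_passwd
#                 chmod 600 /usr/local/etc/postfix/sasl_passwd*
#                 postfix reload
[smtp.example.net]:587 ispaccount@example.net:CHANGEME
```

Two points a practitioner would check after applying this: `postconf -n` should show the five `smtp_sasl_*` and `smtp_tls_*` settings above, and the mail log should show outbound sessions to the relay as `TLS connection established` before any `AUTH`; a relay that only offers AUTH over cleartext fails closed under `secure` rather than leaking the password. The credential map is the one file here worth protecting: keep it and its `.db` mode 600, root-owned, since anyone who can read it can send as your ISP account. This pairs naturally with the router-side egress rule Jeremy describes, where only the mail host may open connections to 25/587, so a compromised laptop on the LAN has no path to the world's mail servers and no credentials to the relay either.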