Re: SMTP port
ggraves1
Enthusiast - Level 2

Well lasagna, how do you handle this one?

I have a well-secured server which only allows access through well-defined standard ports. If I send emails to my peers through that server, it doesn't travel through other servers; it goes through our secured server, and immediately.

Since I send about 5 emails a month, I called VZ this morning to find what it would cost to get a fixed IP address. 

That raises my IP connection from $35 / month to $105 per month because there is no fixed IP option for residential service.

I don't run my mail server in my household, I only want to keep outbound from my household and inbound through that.

I work for a tiny and impoverished NGO. 

They had a problem with mail relay, etc before I came and locked down all the open ports on the SMTP server. I have just a few people all over the world who use it. And until June 1, they all used the sole mail port, 25.

Do you really believe that the bots won't figure out that any VZ client will just use 587 instead of 25? 

Port 25 blocking is a temporary stopgap at best, and totally useless at worst.

Re: SMTP port
ggraves1
Enthusiast - Level 2

WinpakBob,

I'm having the same problem with my Outlook 2007 talking to my Exchange 2003 server.

Port 25 works, Port 587, uh-uh. 

Port 25 keeps our traffic off other relays and because it is well-filtered, keeps the baddies out of our hair.

I spent two and a half hours on the phone this morning and the only solution was to get a Business-Class account at an additional $65 per month (plus tax and fees) for the five or so emails I send from my home to my office.

Suddenly the end of my contract looks pretty good, but far away.

0 Likes
Re: SMTP port
lasagna
Community Leader

Everyone keeps missing the point on the SMTP virus thing. This is not about legitimate clients sending messages -- but about BOTs infecting clients and generating SPAM which they in turn transmit at high rates directly to any and all SMTP servers they can find. What Verizon and others have done is separate the MSA function from the MTA function. The MSA (client submission agent) is what your client uses to hand messages it wants delivered to a mail server which will process it and then, on your behalf, contact the MTA at the destination to arrange delivery (the destination may, in fact, utilize one of several services to form a reputation score about the sending server to determine the likelihood of the message being SPAM as well). The MTA is the portion of the server which handles the message transport (inbound mail for instance) from those other MTAs (not clients) who need to give it mail for its authorized recipients. 

Now before anyone goes whining about the change -- that's your right, but save your breath -- it's not going to help fix your problem. Verizon's not going to change that policy -- as it is consistent with many other (most, in fact, at this point) major ISPs. This really is a huge issue from a SPAM perspective -- and this one countermeasure results in substantial removal of traffic from the network -- not just the Internet -- but from the Verizon backbone -- a move which personally I support -- makes getting my streaming movies all that much faster without all that SPAM crap clogging the pipes.

There are solutions -- but they take working with the provider of your mail services to fix.  Not complaining about port 25 to Verizon.  In cases where you are the service provider,  it's easy enough to fix.  In the case of a third party, I've researched several providers now for people who posted politely about it and found many of them already had the alternate SMTP available, you just need to ask them what it is.

Now for the question at hand ...

Many servers, Exchange included, have the ability for the MSA and MTA to function simultaneously on the same port (namely on port 25).  However, many years ago, this functionality was designed to be separated and an alternate MSA port created (typically port 587).   This was done to allow for the easy separation of the act of direct receipt (mail given to a server from elsewhere that is specifically destined for a user "on or behind" that server) from relay (mail given to the server for relay to another server as the user was not on that server).   This latter function is what you leverage when your client submits messages (with the one corner case you outlined of when a user is on the same server but really it still flows thru the MSA to MTA process).   Continuing ... port 587 was then intended to be a "secured" port for relay meaning some method of authenticating yourself to the server (using SMTP AUTH or in some cases POP login to the server which is actually a bit weaker) was needed before messages were accepted for relay (these are the options you see in Outlook on the second tab relating to the outbound server authentication requirements).

Obviously, for someone traveling, a static IP is not the solution. This is exactly why the alternate port scenario exists.

Security concerns aside since sending identity to the mail server (for POP/IMAP or SMTP AUTH) across the Internet is an extremely bad thing -- talk about the ease of hijacking access to someone's mailbox (you really should be using SSL secured POP/IMAP and TLS/SSL secured SMTP AUTH for interacting with your server) ... since you say that you're the one managing your Exchange and network environment, this is what you should be doing:

http://support.microsoft.com/kb/823019

This describes enabling the secure POP / SMTP protocols between the client and the server. But it is quite a bit involved and isn't necessary to "fix" your port 25 issue. You should however read it as it provides a lot of good technical background on the shortcomings of basic POP/IMAP authentication (which incidentally, Verizon's mail servers are no better at either).

For information on the alternate port setup, I believe you want to go here:

http://technet.microsoft.com/en-us/library/aa997328(EXCHG.80).aspx 

and

http://support.microsoft.com/?kbid=266686

These talk about setting additional listener ports (in the first instance, on the same SMTP virtual server and in the second by configuring a second virtual server). You can also set up your Exchange server to do secured POP/IMAP/SMTP but that will require a certificate and some additional work.

Optionally, if you're controlling the firewall, simply set up a port forward for inbound tcp/587 to tcp/25 (in the case of a small SOHO router or similar) or a static port NAT doing the same thing (in the case of an enterprise grade firewall like Cisco, Checkpoint, etc.).

These are complicated and involved -- but if you're running a mail server -- you should already know that. If you're not the admin, then these aren't for you. You need to speak with the mail server provider and explain the scenario -- tell them to google port 25 blocking if they don't believe how big an issue this is.

No need to get a static IP for the clients.  They will however need to do a one time reconfiguration to move all their outbound mail over to the new port once you have it configured.

Oh ... and since you mentioned that you're an NGO ... are you a non-profit? There's a way to get a robust mail infrastructure for free without needing to manage an Exchange environment. I use it for quite a few non-profits that I provide support for and they are extremely happy. PM me and I'll give you details.

Oh ... and one more thing I stumbled on for the rest of the masses who are still stuck ... maybe try one of these services:

http://www.no-ip.com/services/managed_mail/outbound_port_25_unblock.html

http://www.dnsexit.com/Direct.sv?cmd=mailRelay

and numerous others (search for "alternate smtp relay").   Yes ... they cost money, but they're relatively inexpensive (for example, the first one above starts at $19.95/yr for up to 150 outbound messages/recipients per day).  

-lasagna    (cat "all whining" > /dev/null  2>&1)
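The MSA/MTA split lasagna describes above (port 25 receives mail only for local recipients from other servers; port 587 relays only after the client has authenticated over TLS) can be made concrete with a small policy model. The following Python is an added illustration, not code from this thread, from Exchange, or from Verizon; the domain, user, credential and command scripts are constructed for the example, and the reply codes follow the SMTP conventions for these situations rather than any particular server's wording.

```python
"""
Toy model of two SMTP listeners that see the same commands but apply
different policies: the MTA role (port 25) and the MSA role (port 587).
Constructed example; not a real mail server and not wire-accurate SMTP.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed: the one domain this server performs final delivery for.
LOCAL_DOMAINS = {"example.org"}
# Constructed credential store (plaintext only to keep the toy readable;
# a real MSA would verify a hashed credential via SASL).
USERS = {"alice": "correct horse"}


@dataclass
class Session:
    role: str                      # "mta" (port 25) or "msa" (port 587)
    tls: bool = False              # STARTTLS negotiated
    authenticated: bool = False    # SMTP AUTH succeeded
    sender: Optional[str] = None
    log: List[str] = field(default_factory=list)


def handle(session: Session, cmd: str, arg: str = "") -> str:
    """Return the SMTP reply for one command under the listener's policy."""
    role = session.role
    if cmd == "STARTTLS":
        session.tls = True
        return "220 Ready to start TLS"
    if cmd == "AUTH":
        # The MTA listener talks to other servers, never to clients, so it
        # offers no client authentication at all.
        if role == "mta":
            return "503 AUTH not available on the MTA listener"
        # Credentials in the clear are exactly the hijack risk lasagna
        # warns about, so the MSA refuses AUTH before STARTTLS.
        if not session.tls:
            return "538 Encryption required for requested authentication mechanism"
        user, _, password = arg.partition(":")
        if USERS.get(user) == password:
            session.authenticated = True
            return "235 Authentication successful"
        return "535 Authentication credentials invalid"
    if cmd == "MAIL":
        # Submission is for known users only: no AUTH, no envelope.
        if role == "msa" and not session.authenticated:
            return "530 Authentication required"
        session.sender = arg
        return "250 OK"
    if cmd == "RCPT":
        domain = arg.rstrip(">").rpartition("@")[2]
        # The MTA accepts mail destined for its own users but never relays;
        # this is what stops an infected client from using it to spam.
        if role == "mta" and domain not in LOCAL_DOMAINS:
            return "554 Relay access denied"
        return "250 OK"
    return "500 Command not recognized"


def run(role: str, script: List[str]) -> List[str]:
    """Feed a list of 'COMMAND argument' lines to a fresh session."""
    session = Session(role)
    replies = []
    for line in script:
        cmd, _, arg = line.partition(" ")
        reply = handle(session, cmd, arg)
        session.log.append(f"{line!r} -> {reply}")
        replies.append(reply)
    return replies


# Constructed scenarios, each a short SMTP envelope exchange.
BOT_RELAY_ON_25 = ["MAIL FROM:<x@bad.example>", "RCPT TO:<victim@elsewhere.example>"]
INBOUND_ON_25 = ["MAIL FROM:<peer@elsewhere.example>", "RCPT TO:<bob@example.org>"]
UNAUTH_ON_587 = ["MAIL FROM:<alice@example.org>"]
PLAINTEXT_AUTH_ON_587 = ["AUTH alice:correct horse"]
CLIENT_ON_587 = ["STARTTLS", "AUTH alice:correct horse",
                 "MAIL FROM:<alice@example.org>", "RCPT TO:<peer@elsewhere.example>"]

if __name__ == "__main__":
    for name, role, script in [("bot relay via port 25", "mta", BOT_RELAY_ON_25),
                               ("inbound delivery on port 25", "mta", INBOUND_ON_25),
                               ("unauthenticated client on 587", "msa", UNAUTH_ON_587),
                               ("AUTH without TLS on 587", "msa", PLAINTEXT_AUTH_ON_587),
                               ("authenticated client on 587", "msa", CLIENT_ON_587)]:
        print(name, run(role, script))
```

Two points follow from the model. First, the port number is not what provides the protection, the listener's policy is: the port-forward shortcut lasagna mentions (tcp/587 forwarded to tcp/25) only helps if the port 25 virtual server already requires authentication for relay, otherwise it just exposes the same open relay on a second port. Second, as viafax999 notes later in the thread, authenticated submission stops a bot only until it harvests a valid credential from the infected client, which is why submission is paired with outbound filtering rather than relied on alone.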

Re: SMTP port
dslr595148
Community Leader

Since you answered ggraves's question, I have a question for you, if you do not mind.

# 1 Once malware is in your computer it could bypass the software firewall that is installed on your computer, as noted on http://www.grc.com/sn/sn-105.htm and other shows of Security Now! with Steve Gibson and Leo Laporte. 

#2 Does Verizon honestly think that malware can/could not look at the mail client's settings and figure out - ah ha, they are using blah mail server at port number, user name and password?

Please and thanks.

0 Likes
Re: SMTP port
lasagna
Community Leader

For #1, that's why protection "in the cloud" is better than these silly "software firewalls" they place on systems. The software firewall is good for protecting from the drive-by script kiddie, but really does little beyond that. In fact, there were devices being marketed at one point which separated these two activities (Watchguard, Yoggie, etc.) which was actually a great idea ... unfortunately, too complicated for many people to understand.

You are right about #2 as well ... it is, at best, a temporary solution. But when combined with outbound SPAM filtering (there are several other threads here about that topic as well since it appears that Verizon's initial foray into that space is a bit overly ambitious), it actually helps a lot. Since the bigger part of the problem is SPAM being created by BOTS that then attempt to directly deliver them to mail servers -- by forcing all of that traffic thru an ISP's server, the idea is that those ISPs will employ the service-provider-strength anti-spam tools to ferret out the SPAM. So, it's less about the "authentication" part and more about the "alternate port" piece -- so that only server-to-server traffic ever travels the "public internet" on port 25. By doing this, reputation-based engines (such as SenderBase, etc.) become a lot more effective in looking at incoming mail and in reducing the number of false positives. It also moves the industry closer to a point where we can get rid of this "anonymous" mail protocol and move to server-to-server authenticated protocols (such technology exists today, but not everyone supports it -- thus it's a case of "keeping honest people honest"). If the sending servers had to prove their identity/legitimacy before a receiving server would accept mail from them (and combine that with digital signatures for users), the SPAM problem would diminish. By employing identity ... companies involved in creating a message which ultimately is determined to be SPAM would simply be blacklisted by these reputation services ... 
mail which was digitally signed by people you knew, trusted, or were expecting messages from would be easy to identify and separate from junk mail without signatures -- junk mail would be useless, forcing senders to have to positively identify themselves to be able to create a signed message -- at which point you know exactly "who" created the message -- and at which point laws which go after such lowlifes could be enforced and effectively run them out of business. Sure that doesn't touch the offshore sources -- but if you know "where" messages originate, you would also have an effective tool -- how many people out there would like a knob that would say "if this message originated in China or some other country known for its malware, drop it"? I'd check that box in an instant (you could still talk to people you knew, but everything else would fall on the floor).

The silence would be deafening.

Now ... if you really want to listen to something scary ... listen to this recent Technet presentation. It might be a little "in the weeds" for some folks, but the ease with which the tasks can be accomplished should scare some people. It basically takes Microsoft's NTLM based security model apart (and makes the case for why Kerberos is important) ... but for me, it reminded me a little too much of the underlying theme of the movie "Sneakers":

http://www.msteched.com/2010/NorthAmerica/SIA338

Re: SMTP port
dslr595148
Community Leader

Thanks, interesting.

Now, if all mail server owners would just open an "alternate port" with "authentication" for their end users.

For example, how can Netzero require authentication for e-mail for users who use Netzero as their e-mail ISP - and not be aware that..

Geez, ISPs are now blocking port 25 - and not open an alternate port? How dare they.

PS. Netzero is not one of my e-mail ISPs.

0 Likes
Re: SMTP port
lasagna
Community Leader

Actually they are ... port 587 is open on authsmtp.netzero.com for outgoing mail delivery by clients of that ISP's mail server.

0 Likes
Re: SMTP port
Howard3
Enthusiast - Level 1

Why don't we just do everything on port 80. Firewalls block everything else. (Incredibly sarcastic and **bleep** off at you sheeple).

0 Likes
Re: SMTP port
viafax999
Community Leader

@ggraves wrote:

They had a problem with mail relay, etc before I came and locked down all the open ports on the SMTP server. I have just a few people all over the world who use it. And until June 1, they all used the sole mail port, 25.

Do you really believe that the bots won't figure out that any VZ client will just use 587 instead of 25? 

Port 25 blocking is a temporary stopgap at best, and totally useless at worst.


They had a problem with mail relay, etc before I came and locked down all the open ports on the SMTP server. I have just a few people all over the world who use it. And until June 1, they all used the sole mail port, 25.

Seems to me the answer to your problem is to change your server to use something other than port 25.

Do you really believe that the bots won't figure out that any VZ client will just use 587 instead of 25? 

In the case of the Verizon outgoing server you have to authenticate outgoing mail with your VZ userid and password - that should cut down on bot activity dramatically unless your VZ email account has been hacked.

Port 25 blocking is a temporary stopgap at best, and totally useless at worst.

That may be, however I think it's just the opinion of a server administrator who doesn't understand the issue and hasn't really solved it on his own server - see point 1.

However, if there is a better solution, this as a stop-gap measure is at least a step in the right direction.

Re: SMTP port
viafax999
Community Leader

@ggraves wrote:

WinpakBob,

I'm having the same problem with my Outlook 2007 talking to my Exchange 2003 server.

Port 25 works, Port 587, uh-uh. 

Port 25 keeps our traffic off other relays and because it is well-filtered, keeps the baddies out of our hair.

I spent two and a half hours on the phone this morning and the only solution was to get a Business-Class account at an additional $65 per month (plus tax and fees) for the five or so emails I send from my home to my office.

Suddenly the end of my contract looks pretty good, but far away.


I must be misunderstanding what you are saying.

What you are meant to be doing is using outgoing.verizon.net as your outbound SMTP server. Port 25 will work OK with that when you are connected to your local network, otherwise port 587 will work if you are connected to a non-VZ network. I have to believe that what you are saying is that you are trying to use port 587 with your company's SMTP server, which is not going to work.

Port 25 keeps our traffic off other relays and because it is well-filtered, keeps the baddies out of our hair

what does this mean?

It kind of appears to say that your Exchange server only accepts mail that is initiated from your company SMTP server; how do you receive mail from EXTERNAL users? Or is that a no-no? If so I can see that Verizon's move would be a bit limiting for you, but there again not being able to receive external mail is limiting too. If this is in fact the case then the answer for your company would be to provide remote access for its employees so that they are actually on the company network when they send and receive mail.