Blocking port 25 on Fiber connections

Internet access discussion, including Fusion, IP Broadband, and Gigabit Fiber!
14 posts Page 1 of 2
by dkurn@sonic.net » Tue Dec 11, 2018 4:46 pm
I'd love to convert to fiber, but SONIC is blocking incoming port 25. I operate my own mail server currently in Fusion, and wish to continue doing it. If the block is to protect the end-user from mail-spam, I would be happy to say that I can handle the spam already. I am assuming that a fiber customer gets a public IP address.

Is there a good technical reason that port 25 (SMTP) is blocked? It doesn't require a "fixed" IP address; I use DYNDNS to accommodate address changes, unless they occur hourly. Surely business customers would want port 25.

Please advise.

David
by dane » Tue Dec 11, 2018 5:27 pm
Yes, our fiber service is dynamic IP only, and current best practice for residential/dynamic IPs is to block port 25. For more detail, see: https://www.m3aawg.org/sites/default/fi ... ec0511.pdf
Dane Jasper
Sonic
by sniper1rfa » Wed Dec 12, 2018 9:51 am
How are you successfully delivering mail to recipients with a residential IP? I would expect your email to end up in spam a lot with a home email server...
by cmeisel » Wed Dec 12, 2018 10:37 am
Yes, blocking port 25 became normal years and years ago. This port should really never be used anymore. Instead SSL ports should be used for sending, 465 or 587 (no idea if this is possible with Sonic). Running your own mail server is so not practical, not secure at all, and makes mail delivery extremely unreliable. Especially if you used port 25 so far.
by msandrof » Thu Dec 13, 2018 8:08 am
Port 25 is still the relay port between all MTAs throughout the world. Blocking 25 makes it difficult, though not impossible, to run your own MTA. 587 is used by clients for email submission and almost always requires using STARTTLS and authentication. Port 465 is rarely used anymore for email (the port has been reassigned).
by cmeisel » Thu Dec 13, 2018 10:02 am
465 is very widely used and making a complete comeback :)

https://tools.ietf.org/html/rfc8314
by ackley1648 » Thu Nov 07, 2019 8:01 am
I understand the "dial-up" argument against SMTP, but if 587 and 465 themselves are "making a comeback" then why does port 25 make a difference any more? You allow 587 and 2525, which is another basic work-around a lot of ISPs are deploying.

If ISPs are going to get together and just make it difficult for people to send mail (using dynamic IP), they should universally Layer 7 block outgoing plain text, non-authenticated SMTP transactions over any port. Otherwise it's quite useless blocking port 25 by itself, even given the answers in this very post. I think the intent here was lost in the fact people just started circumventing an obviously stupid rule.

I would like to see a minimum of an opt-in scenario, where I can open a ticket and have port 25 unblocked. This at least would serve to put the customer and Sonic themselves on notice we would be sending mail.
by sysops » Thu Nov 07, 2019 3:39 pm
cmeisel wrote: Running your own mail server is so not practical, not secure at all, and makes mail delivery extremely unreliable.
I don't think it is fair to say that running your own mail server is "not secure" or that it makes mail delivery extremely unreliable. I've been self-hosting email for 15+ years with 0 compromise on anyone's account (self, friends, family) and delivery has been extremely reliable, both inbound and outbound.
ackley1648 wrote: If ISPs are going to get together and just make it difficult for people to send mail (using dynamic IP), they should universally Layer 7 block outgoing plain text, non-authenticated SMTP transactions over any port. Otherwise it's quite useless blocking port 25 by itself, even given the answers in this very post. I think the intent here was lost in the fact people just started circumventing an obviously stupid rule.

I would like to see a minimum of an opt-in scenario, where I can open a ticket and have port 25 unblocked. This at least would serve to put the customer and Sonic themselves on notice we would be sending mail.
With the widespread adoption of SMTP auth and SSL/TLS encrypted connections, there is virtually no reason port 25 needs to be open for residential customers. Reason being, port 25 is what mail servers on the internet use to deliver mail to each other and this is not likely to change any time too soon. Port 25 allows mail to be moved between providers without any authentication. Sonic connects to Gmail's servers over port 25 and says I have mail from this Sonic user for that Gmail user, without any authentication.

Trying to deliver mail from a dynamic IP address without proper forward and reverse DNS for sending mail will almost certainly be rejected by modern mail servers and result in negative reputation for Sonic IP space. So opening the port won't do much good except to increase the possibility of spam originating from your network if a device gets compromised and used to spam.

Unless you run your own server, there's no need for port 25 anymore. Simply use 465/587 with SMTP auth and you can send from anywhere to anyone.

Unfortunately, for those of us simple residential users who do still want to keep our own emails in our own possession and not in the hands of a 3rd party where they can be accessed without your authorization, we can't do it with Sonic since static IP (and therefore custom RDNS) is not as easy of an option as it used to be. Sure there are workarounds but they are more complicated and likely result in having to trust your mail to first be relayed through another hosting company before being forwarded to your home system.
Proud Sonic customer since 1999. Ask me about internet privacy, VPN, anonymity and security.
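The forward-confirmed reverse DNS (FCrDNS) check that sysops describes receiving servers applying to a host connecting on port 25, as an added example that is not code from this thread or from Sonic. Real DNS lookups are replaced by constructed tables: the A record for ewhac.net is the one shown in the dig output later in the thread, while the PTR names, the other addresses and the "dynamic pool" label heuristic are assumptions for illustration.

```python
"""Connection-time FCrDNS policy of the kind a receiving MTA applies to a
host connecting on port 25. Added example; the DNS tables below are
constructed sample data standing in for real PTR and A lookups."""
import ipaddress
import re

# Constructed PTR answers (ewhac.net's address is from the thread's dig
# output; the PTR name for it is an assumption, the rest are invented).
PTR_TABLE = {
    "173.228.113.24": ["ewhac.net."],                        # matching PTR
    "203.0.113.45": ["c-203-0-113-45.dyn.example-isp.net."],  # generic dynamic PTR
    "198.51.100.7": [],                                       # no PTR at all
    "192.0.2.10": ["mail.example.org."],                      # PTR resolves elsewhere
}
# Constructed forward (A) answers for the names above.
A_TABLE = {
    "ewhac.net.": ["173.228.113.24"],
    "c-203-0-113-45.dyn.example-isp.net.": ["203.0.113.45"],
    "mail.example.org.": ["192.0.2.99"],
}
# Labels commonly seen in auto-generated PTRs for residential/dynamic pools
# (assumed heuristic; real deployments use curated lists or DNSBLs).
DYNAMIC_HINT = re.compile(r"(^|[.-])(dyn|dhcp|pool|ppp|dsl|cable)([.-]|\d)", re.I)


def fcrdns_check(ip, ptr_table=PTR_TABLE, a_table=A_TABLE):
    """Return (verdict, reason) for a connecting IP.

    'accept' : a PTR name resolves back to the IP and looks like a real host
    'defer'  : forward-confirmed, but the PTR looks like a dynamic pool entry
    'reject' : no PTR, or no PTR name resolves back to the connecting IP
    """
    ipaddress.ip_address(ip)  # raises ValueError on malformed input
    ptrs = ptr_table.get(ip, [])
    if not ptrs:
        return "reject", "no PTR record for connecting IP"
    for name in ptrs:
        if ip in a_table.get(name, []):
            if DYNAMIC_HINT.search(name):
                return "defer", f"PTR {name} looks like a dynamic pool address"
            return "accept", f"forward-confirmed via {name}"
    return "reject", "PTR name(s) do not resolve back to connecting IP"
```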
by ewhac » Fri Nov 08, 2019 2:08 pm
$ dig ewhac.net mx

; <<>> DiG 9.11.3-1ubuntu1.10-Ubuntu <<>> ewhac.net mx
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10204
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 6

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ewhac.net.			IN	MX

;; ANSWER SECTION:
ewhac.net.		86400	IN	MX	10 ewhac.net.

;; AUTHORITY SECTION:
ewhac.net.		172800	IN	NS	ns3.pairnic.com.
ewhac.net.		172800	IN	NS	ns4.pairnic.com.

;; ADDITIONAL SECTION:
ewhac.net.		86400	IN	A	173.228.113.24
ns3.pairnic.com.	88904	IN	A	216.92.3.93
ns4.pairnic.com.	88904	IN	A	216.146.192.245
ns3.pairnic.com.	88904	IN	AAAA	2607:f440::d85c:35d
ns4.pairnic.com.	88904	IN	AAAA	2607:f441::d892:c0f5

;; Query time: 47 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Fri Nov 08 13:09:25 PST 2019
;; MSG SIZE  rcvd: 205
Mr. Jasper, this is a problem. I've had static IP with no port blocking forever. I had it with 100kbit SDSL service through Best.com (long since subsumed by Verio), I had it through Covad (nee Speakeasy), and I've had it through you on Fusion DSL. Now you're telling me that not only can't I have it on fiber, but I also can't run the services I've been running for over 20 years, without incident.

You've been puzzlingly circumspect on the topics of static IP and IPv6 support, despite clear interest expressed by users for years. Your responses over that time have amounted to, "We don't have it (yet)," but never once have you explained why you still don't have it (yet).

It's my view that there is still value in individuals running their own servers -- privacy, experimentation, tinkering, or simply getting an eyeful for just how many phenomenal jerks are out there trying to hammer on your poor little mail server ("Well, it rejected my message the last 5,000 times I submitted it over the last 60 seconds. Let's try hammering it 10,000 more times and see if one gets through..."). As just one contemporaneous example, I think there's a chance you're going to see a rising interest in people standing up their own Mastodon servers.

The justifications for port 25 blocking for the hoi polloi are obvious; the justifications for not offering static IP or workable alternatives for advanced users are far less so. We want to understand this issue. What more can you tell us without divulging confidential business details?
by sysops » Mon Nov 11, 2019 10:38 am
ewhac wrote:Mr. Jasper, this is a problem. I've had static IP with no port blocking forever. I had it with 100kbit SDSL service through Best.com (long since subsumed by Verio), I had it through Covad (nee Speakeasy), and I've had it through you on Fusion DSL. Now you're telling me that not only can't I have it on fiber, but I also can't run the services I've been running for over 20 years, without incident.
Fusion DSL with static IP should not have port 25 being blocked in either direction. I'm able to telnet in on port 25 to your server using the dig info from your previous post. Are you still seeing outbound 25 blocked? If so, I'd email support as something is likely broken.
Proud Sonic customer since 1999. Ask me about internet privacy, VPN, anonymity and security.