Resold AT&T Gigabit blocked ports?

Internet access discussion, including Fusion, IP Broadband, and Gigabit Fiber!
by tquiggle » Wed Jan 16, 2019 6:17 pm
I currently have Comcast 100MB internet AND Fusion ADSL from Sonic. I use the Sonic service for voice and a static IP address with a DNS registration. I rely on having several ports, including 22 and 25, open on my Sonic ADSL line.

Sonic can now resell AT&T's gigabit fiber at my address! I'd love to dump Comcast and upgrade to GigE from Sonic. I know I can't get a static IP (boo hiss) and will need to dynamically update my DNS every time I get reassigned via Sonic's REST API, but I can script that. Since Sonic's GigE is delivered over the AT&T fiber network, will AT&T's network port restrictions be applied?

Tom
by gtwrek » Fri Jan 18, 2019 8:30 am
As a current ATT customer (hoping to come back to sonic eventually), I can confirm that port 22 is open. (Although I've recently mapped it up to a higher port just to declutter my logs).

Can't comment on 25, as I don't manage my own email.

Regards,

Mark
by sysops » Fri Jan 18, 2019 12:54 pm
I have a Pace5268 from AT&T, and port forwarding to a DMZPlus device does not work (not that you'd want to expose port 22 to the internet). This particular modem seems to use port 22 for some kind of management from AT&T. That might not be the case for other Fiber modems like the Arris. The easy solution is to use a high numbered port for SSH which will at least prevent you from being brute forced thousands of times per day (in my experience).

Outbound port 25 will be blocked so you won't be able to run your own mail server, and you won't be able to set up a PTR record anyway so many MTAs will reject your mail. To deal with that I would suggest something along the lines of the following:

Get a cheap VPS in the cloud and run your favorite MTA on it to use for MX and outbound delivery.

Rather than have the home server send mail from trusted/authenticated users to the internet, have it "smart host" outbound mail (sent through your dynamic DNS address) to your VPS which will then do delivery.

Similarly, have all inbound mail from the cloud server relay mail for trusted domains to your home server at its dynamic DNS address (over TLS on a port like 465).

This way, you still get the benefit of keeping your mail truly in your possession, but have some redundancy. The MTA will queue mail if the home server is unavailable, and you can keep the home IP slightly more private since.

I use a similar setup with Exim for something else but it can apply perfectly to this situation.

With this configuration, you will want everything between your home server and the VPS to use TLS.

(internet email) ==(TLS)==> VPS Server MX ==(TLS)==> (home server port 465 dyn dns) ==> local delivery

(your mail client) ==(TLS)==> (home server dyn dns 587) ==(TLS)==> VPS Server trusted relay (port 465) ==> (remote host MTA)
Proud Sonic customer since 1999. Ask me about internet privacy, VPN, anonymity and security.
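The split-MTA layout sysops describes above, written out as an added configuration example (not the poster's own Exim setup; this uses Postfix instead, since its directives are widely known). Every hostname, address, certificate path and credential here is a placeholder: mx.example.org is the VPS, home.dyn.example.net is the dynamic-DNS name of the home server, example.org is the mail domain, and 203.0.113.10 stands in for the VPS address. It assumes a SASL backend (Dovecot shown) and certificates already exist on both hosts.

```conf
######## VPS (mx.example.org): public MX and outbound smart host ########
# /etc/postfix/main.cf
myhostname = mx.example.org
# Accept MX mail for the home domain, but do not deliver it locally: relay it.
relay_domains = example.org
transport_maps = hash:/etc/postfix/transport
# Relay only for relay_domains, or for the SASL-authenticated home server.
smtpd_relay_restrictions = permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot              # assumption: Dovecot provides SASL
smtpd_sasl_path = private/auth
# Offer TLS to internet senders; TLS is mandatory on the 465 service below.
smtpd_tls_cert_file = /etc/letsencrypt/live/mx.example.org/fullchain.pem
smtpd_tls_key_file  = /etc/letsencrypt/live/mx.example.org/privkey.pem
smtpd_tls_security_level = may
# Deliveries to other MTAs: opportunistic TLS on the default port 25.
smtp_tls_security_level = may
smtp_tls_CApath = /etc/ssl/certs

# /etc/postfix/transport   (run: postmap /etc/postfix/transport)
# Route the home domain to a dedicated transport that speaks implicit TLS on 465;
# the dynamic-DNS name is resolved at delivery time, and mail queues while it is down.
example.org    home:[home.dyn.example.net]:465

# /etc/postfix/master.cf (additions)
# Port 465: implicit TLS, authentication required; the home server relays through this.
465       inet  n  -  y  -  -  smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# The "home" transport: implicit TLS, and the certificate must match the next-hop name.
home      unix  -  -  y  -  -  smtp
  -o smtp_tls_wrappermode=yes
  -o smtp_tls_security_level=secure

######## Home server (home.dyn.example.net): final delivery, no direct port 25 ########
# /etc/postfix/main.cf
myhostname = home.dyn.example.net
mydomain = example.org
mydestination = $mydomain, localhost
# Everything outbound goes to the VPS on 465 (outbound 25 is blocked on this line anyway).
relayhost = [mx.example.org]:465
smtp_tls_wrappermode = yes
smtp_tls_security_level = secure
smtp_tls_CApath = /etc/ssl/certs
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
# Only the VPS (placeholder address) may use the inbound relay port.
mynetworks = 127.0.0.0/8, [::1]/128, 203.0.113.10/32
smtpd_tls_cert_file = /etc/letsencrypt/live/home.dyn.example.net/fullchain.pem
smtpd_tls_key_file  = /etc/letsencrypt/live/home.dyn.example.net/privkey.pem
smtpd_sasl_type = dovecot              # assumption: Dovecot provides SASL
smtpd_sasl_path = private/auth

# /etc/postfix/sasl_passwd   (run: postmap /etc/postfix/sasl_passwd; chmod 600 both files)
[mx.example.org]:465    homerelay:REPLACE_WITH_PASSWORD

# /etc/postfix/master.cf (additions)
# Port 465 from the VPS only: implicit TLS, accept mail for our own domain, nothing else.
465       inet  n  -  y  -  -  smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_tls_security_level=encrypt
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_relay_restrictions=reject_unauth_destination
# Port 587 for the household's mail clients: STARTTLS required, SASL required.
587       inet  n  -  y  -  -  smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
```

Two properties of this layout are worth checking after deployment: `smtp_tls_security_level = secure` on both sides means a relay hop is refused, rather than silently downgraded, if the peer's certificate does not match the bracketed next-hop name; and because the home server's 465 service rejects any client outside `mynetworks`, the dynamic address only ever answers the VPS, so the home MTA's port is not a generally reachable service even though the name is public. When the home side is unreachable, the VPS keeps queued mail for `maximal_queue_lifetime` (five days by default), which is the redundancy the post refers to.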