Cisco ASA / Comcast SMTP problem workaround
I have the problem when working out of my house that Comcast will lock down outbound SMTP on the regular ports. This may be due to the kids' computer getting infected with a virus from time to time. That is its own problem and I want to deal with it on its own. The problem I want to discuss is a workaround to Comcast blocking outbound SMTP.

I have noticed at my house that when I have problems with regular SMTP traffic on port 25 to my own colo servers, my Yahoo! premium email goes through fine without problem. I have a premium Yahoo! account and use SMTP on port 465 and POP3 on 995 with SSL configured on both. The thought occurred to me that I could solve my immediate problem, as well as let me send/receive email at hotels and wifi hotspots that all block regular SMTP traffic on port 25, and roll out a new encrypted service to my hosted customers.

I run my own small hosting company at a colo for a handful of customer domains and several that I own. I have a Cisco ASA 5505 (Security Plus license) and a pair of mail servers needed for inbound and outbound SMTP. The servers are on private IP addresses behind the ASA, which has static statements for the servers inside. Also, I have additional IPs available if needed for this solution.

Here is my question: How do I configure my ASA (and Outlook) to:
1. Encrypt traffic between Outlook and the ASA on non-traditional SMTP and POP3 ports without using a VPN? (Using SSL just as Yahoo! does it.)
2. Leave my servers' configuration alone so that they continue to send/receive email in exactly the same way they are doing now?

Summarized: How do I duplicate Yahoo! premium email service using PAT on my Cisco ASA without changing any settings on my server?

Qualifiers:
1. I don't want to change the email server configurations because they are run by control panel software and if I take them out of spec, the next update could wipe out my custom config.
2. I don't want to use a VPN client on my laptop because it takes up VPN licenses on the ASA and because a successful solution would be a boon to my customers.

I believe the ASA would have to do these things:
1. Accept SSL connections on the outside interface.
2. Accept the inbound SMTP request on an arbitrary, but non-dynamic, port and translate it to port 25 and send it on to the server.
3. Accept the response from the server and translate it back into the arbitrary port (from #2 above) on the remote client.
4. Do the same thing as above except for POP3.

This configuration would allow customers to also configure their SMTP/POP3 clients to allow them access to email without configuring a VPN client for each one. Stated simply, I want to duplicate what Yahoo! premium email is doing between their servers and their customers like me.

Any thoughts?

Lorell Hathcock
On Mon, Jan 19, 2009 at 6:07 AM, <lorell@hathcock.org> wrote:
I have the problem when working out of my house that Comcast will lock down outbound SMTP on the regular ports. This may be due to the kids' computer getting infected with a virus from time to time. That is its own problem and I want to deal with it on its own.
The problem I want to discuss is a workaround to Comcast blocking outbound SMTP.
That's what port 587 is for, and Comcast hasn't been locking that down, eh?
Have your server listen on the SMTP submission port (587) as well - if you want you can use 465/SMTP+SSL, but that's deprecated to a large extent (though yes, I had to switch it on after I figured out my phone's push email service, seven.com, only supports SMTPS currently).
1. I don't want to change the email server configurations because it is run by a control panel software and if I take it out of spec, the next update could wipe out my custom config.
If that's cPanel there are ways to do it in the config and save it. An update won't wipe it out if you use the cPanel management console rather than editing files using vi. In fact, chances are, your cPanel box ALREADY listens on 587.
For more details - and these are best practices from MAAWG, which is sort of like a NANOG for mailops and antispam - very operational and relevant content there: http://www.maawg.org/port25
Oh, and RFC 2476 (about port 587) and RFC 2554 have been around for ages now.
--srs
The Control Panel is H-Sphere. Quoting Suresh Ramasubramanian <ops.lists@gmail.com>:
On Mon, Jan 19, 2009 at 6:07 AM, <lorell@hathcock.org> wrote:
I have the problem when working out of my house that Comcast will lock down outbound SMTP on the regular ports. This may be due to the kids' computer getting infected with a virus from time to time. That is its own problem and I want to deal with it on its own.
The problem I want to discuss is a workaround to Comcast blocking outbound SMTP.
That's what port 587 is for, and Comcast hasn't been locking that down, eh?
Have your server listen on the SMTP submission port (587) as well - if you want you can use 465/SMTP+SSL, but that's deprecated to a large extent (though yes, I had to switch it on after I figured out my phone's push email service, seven.com, only supports SMTPS currently).
1. I don't want to change the email server configurations because it is run by a control panel software and if I take it out of spec, the next update could wipe out my custom config.
If that's cPanel there are ways to do it in the config and save it. An update won't wipe it out if you use the cPanel management console rather than editing files using vi. In fact, chances are, your cPanel box ALREADY listens on 587.
For more details - and these are best practices from MAAWG, which is sort of like a nanog for mailops and antispam - very operational and relevant content there. http://www.maawg.org/port25
Oh, and RFC 2476 (about port 587) and RFC 2554 have been around for ages now.
--srs
Yeah, and that's supposed to support port 587 by default too - like most other webhosting control panel software used on pizzabox installs by low-cost webhosts around the world. Did you try something like, say, telnet localhost 587 and see?
--srs
On Mon, Jan 19, 2009 at 6:36 AM, <lorell@hathcock.org> wrote:
The Control Panel is H-Sphere.
If that's cPanel there are ways to do it in the config and save it. An update won't wipe it out if you use the cPanel management console rather than editing files using vi. In fact, chances are, your cPanel box ALREADY listens on 587.
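As an added illustration of the check suggested in this thread (talk to port 587 and see what the server offers), here is a small Python probe; it is not code from the thread or from any of its participants. It parses the EHLO capability list and decides whether a port can carry encrypted submission, which also shows why a plain ASA PAT from outside 465 to the server's port 25 adds no encryption. The host name, the sample EHLO replies and the decision rules are constructed assumptions, not output from the poster's servers.

```python
import socket
import ssl

IMPLICIT_TLS_PORTS = {465, 995}  # SMTPS / POP3S: TLS is set up before any protocol text

# Constructed sample EHLO replies (not captured from a real server).
SAMPLE_587 = "250-mail.example.net\n250-SIZE 20480000\n250-STARTTLS\n250-AUTH PLAIN LOGIN\n250 HELP"
SAMPLE_25 = "250-mail.example.net\n250-SIZE 20480000\n250 HELP"

def parse_ehlo_reply(reply):
    """Return the capability keywords from a multi-line 250 EHLO reply.

    Line 0 is the greeting ("250-mail.example.net"); later lines carry keywords,
    "250-" for continuation lines and "250 " for the final one.
    """
    caps = set()
    for i, line in enumerate(reply.splitlines()):
        if i == 0 or not line.startswith("250") or len(line) < 5 or line[3] not in "- ":
            continue
        keyword = line[4:].strip().split(" ", 1)[0].upper()
        if keyword:
            caps.add(keyword)
    return caps

def submission_ready(port, ehlo_reply, tls_active=False):
    """Decide whether a client may send credentials on this port.

    tls_active is True when the socket is already wrapped in TLS (port 465).
    A firewall PAT that maps outside 465 to the server's port 25 leaves the
    session in cleartext, so tls_active stays False and this returns not-ready.
    """
    caps = parse_ehlo_reply(ehlo_reply)
    if port in IMPLICIT_TLS_PORTS and not tls_active:
        return False, "port %d expects implicit TLS but the session is cleartext" % port
    if not tls_active and "STARTTLS" not in caps:
        return False, "no STARTTLS offered on port %d; credentials would go in the clear" % port
    return True, "encrypted submission possible on port %d" % port

def probe(host, port, timeout=5.0):
    """Live check: connect, read the banner, send EHLO, and evaluate the reply."""
    tls_active = port in IMPLICIT_TLS_PORTS
    sock = socket.create_connection((host, port), timeout=timeout)
    if tls_active:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock, sock.makefile("rwb") as f:
        f.readline()                      # 220 banner
        f.write(b"EHLO probe.example\r\n")
        f.flush()
        lines = []
        while True:
            line = f.readline().decode("ascii", "replace").rstrip("\r\n")
            lines.append(line)
            if len(line) < 4 or line[3] != "-":   # "250 " ends the reply
                break
    return submission_ready(port, "\n".join(lines), tls_active)
```

Run `probe("mail.example.net", 587)` against your own box (a placeholder host) to get the same verdict on a live server; the offline samples exercise only the parser and the decision logic.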