Help me argue against AT&T blocking my outbound SMTP traffic



For about 6 months, I've had two lines coming into my house: AT&T (U-verse) for TV, phone, and internet, and Comcast Internet Only (had a great deal on it). Comcast recently jacked up the rate due to a promotion ending, and I don't want to pay $65 a month plus the 200 something for AT&T, so I'm dropping Comcast. I have a number of machines on my network that I've switched over to the AT&T line (just plugged the router they were connected to into the AT&T box), and now I find that I'm having trouble sending email from Exchange.

 

 

Before, when I was on Comcast, I had no issues sending/receiving from Exchange to Gmail, Yahoo, etc. The moment I swapped the line, I could only receive, but not send. I did some research and saw that it looks like AT&T U-verse blocks SMTP traffic, so I called up AT&T and first got the Philippines, which was no help, then I got someone in India, who didn't even know what Exchange was. They claim they don't block any ports (except neither could tell me what port SMTP ran on), yet when I try doing some basic tests, I get failures.

 

Here's what I know:

 

1.) So far, I can only successfully send to the AT&T account they set up. Gmail, my work email, Yahoo... nothing else works. No problem receiving inbound email though.

 

2.) nslookup for gmail:

C:\Users\Administrator>nslookup -query=mx gmail.com
Server:  www.asusnetwork.net
Address:  192.168.0.1


Non-authoritative answer:
gmail.com       MX preference = 5, mail exchanger = gmail-smtp-in.l.google.com
gmail.com       MX preference = 20, mail exchanger = alt2.gmail-smtp-in.l.google.com
gmail.com       MX preference = 10, mail exchanger = alt1.gmail-smtp-in.l.google.com
gmail.com       MX preference = 30, mail exchanger = alt3.gmail-smtp-in.l.google.com
gmail.com       MX preference = 40, mail exchanger = alt4.gmail-smtp-in.l.google.com

If I ping these, I get a reply, but if I try to telnet to any of them on port 25, I get timeouts.

telnet smtp.gmail.com 25
Connecting to smtp.gmail.com...Could not open connection to the host, on port 25: Connect failed

So I try using one of AT&T's servers:

telnet frf-mailrelay.att.net 25
220 att.net - -Maillennium ESMTP/MULTIBOX frfwmxc14 #1036

I then try SMTPS on gmail:

telnet smtp.gmail.com 587
220 mx.google.com ESMTP g1sm2482249oeq.6 - gsmtp

So SMTPS works fine, but not SMTP. Telnetting to smtp.gmail.com 465 also seems to connect, but gives me a blank screen.

 

Last but not least, I grab a VM that's running Ubuntu behind the AT&T box, and run tcptraceroute. Results:

evan@apt-proxy:~$ sudo tcptraceroute smtp.gmail.com 25
Selected device eth0, address 192.168.0.113, port 56215 for outgoing packets
Tracing the path to smtp.gmail.com (173.194.79.109) on TCP port 25 (smtp), 30 hops max
 1  192.168.0.1  0.431 ms  0.340 ms  0.376 ms
 2  192.168.1.254  1.484 ms  0.901 ms  0.703 ms
 3  * * *
 4  * * *..... (and so forth)

So it's clear that it dies right outside the 2Wire box from AT&T.

 

Besides this, is there anything ELSE I can try to get more evidence against AT&T? I found this link http://forums.att.com/t5/Features-and-How-To/SMTP-outbound-blocked/td-p/2544419 that seems to help, but the links to the AT&T social media connect guys don't work. I'm just looking for any more tests I can do to prove AT&T is blocking port 25 outbound.
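The telnet checks in the post, collected into one script that records whether each port connected, timed out or was refused, and reads the greeting when there is one. This is an added example, not code from the thread; the host names in the `__main__` block are only illustrative, and the connector is injectable so the logic can be exercised against constructed results without a network.

```python
import socket
from typing import Callable, Dict, Tuple

# Added example (not from the thread): the OP's telnet checks as one script.
# The connect function is injectable so the classification logic can be run
# against constructed results; by default it uses socket.create_connection.

SMTP_PORTS = (25, 587, 465)
Result = Tuple[str, str]  # (status, banner)


def probe_port(host: str, port: int, timeout: float = 5.0,
               connect: Callable = socket.create_connection) -> Result:
    """Try a TCP connect to host:port and read the greeting, if any.

    status is 'open', 'timeout', 'refused' or 'error'. A silent timeout on 25
    while 587 answers on the same host is what an upstream filter that drops
    SYNs looks like (the tcptraceroute in the post dies right past the 2Wire).
    An 'open' with no banner on 465 is normal: that port speaks implicit TLS,
    so the server waits for the client's TLS handshake before sending anything.
    """
    try:
        sock = connect((host, port), timeout)
    except (socket.timeout, TimeoutError):
        return "timeout", ""
    except ConnectionRefusedError:
        return "refused", ""
    except OSError as exc:
        return "error", str(exc)
    try:
        sock.settimeout(timeout)
        try:
            banner = sock.recv(512).decode("ascii", "replace").strip()
        except (socket.timeout, TimeoutError):
            banner = ""
    finally:
        sock.close()
    return "open", banner


def probe_host(host: str, ports=SMTP_PORTS, timeout: float = 5.0,
               connect: Callable = socket.create_connection) -> Dict[int, Result]:
    return {port: probe_port(host, port, timeout, connect) for port in ports}


def classify(results: Dict[int, Result]) -> str:
    """Turn per-port results into the one-line diagnosis the post is after."""
    p25 = results.get(25, ("error", ""))[0]
    p587 = results.get(587, ("error", ""))[0]
    if p25 == "open":
        return "port 25 reachable: no outbound block on this path"
    if p25 == "timeout" and p587 == "open":
        return "port 25 filtered upstream (587 reaches the same host)"
    if p25 == "refused" and p587 == "open":
        return "port 25 rejected with RST: block that answers, or host not listening"
    if p25 == "timeout" and p587 == "timeout":
        return "host unreachable on both ports: not a port-25-specific block"
    return "inconclusive: " + ", ".join(f"{p}={s}" for p, (s, _) in sorted(results.items()))


if __name__ == "__main__":
    # Run from the suspect network against hosts you are allowed to test.
    for host in ("smtp.gmail.com", "frf-mailrelay.att.net"):
        results = probe_host(host)
        for port, (status, banner) in results.items():
            print(f"{host}:{port:<4} {status:8s} {banner}")
        print("  ->", classify(results))
```

Running it from behind the U-verse box and again from another connection gives two comparable reports, which is stronger evidence than a single telnet session.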


I've had U-verse and my Mom has had it too; we've never had any issues sending emails, Gmail or Exchange emails.

 

Your issue is possibly something else. I would start at your router config, possibly redo it. So far I doubt the problem lies on AT&T's side, not yet.


I'm pretty sure you don't need to prove they block port 25, because they probably do and will happily admit it. Some ISPs block this outbound port to stop spammers from using their network to send mail. If you call them, you shouldn't have a problem with them unblocking it; they most likely will.


I'm pretty sure you don't need to prove they block port 25, because they probably do and will happily admit it. Some ISPs block this outbound port to stop spammers from using their network to send mail. If you call them, you shouldn't have a problem with them unblocking it; they most likely will.

Good luck with that.

 

AT&T does in fact block port 25 outbound. And if you tell them you're running an Exchange Server they'll probably tell you that they don't support servers on their home service.

 

Switching to a business account will allow you to unblock the port -- but that may cost more.

 

I'm actually surprised because Comcast does the same thing. They'll unblock it for you, but it'll re-block at a later date automatically. My business partner has Comcast (I have Comcast Business) and this has been our experience.

 

Unless something has changed, AT&T won't unblock it -- it's one of the reasons I dropped DSL as my backup ISP.

 

-Forjo


Are you sure they don't want you to use their SMTP servers instead of your own?

 

I know this has previously been common with ISPs in the UK, until, like yourself, people had problems and didn't know how to change their SMTP servers.


Are you sure they don't want you to use their SMTP servers instead of your own?

 

I know this has previously been common with ISPs in the UK, until, like yourself, people had problems and didn't know how to change their SMTP servers.

 

AT&T's SMTP servers telnet fine... everything else doesn't. Combine that with 587 working on Google but not 25, along with successful internal telnetting to my SMTP port, along with the fact that the only thing I did was move my router over to the AT&T U-verse modem (verified the U-verse firewall was set to allow 25 out), and it leads me to believe they are in fact blocking it. I'm going to have to try and get the supreme leader of tech support on the phone, because everyone I talk with has no clue what SMTP, Exchange, or anything else remotely technical is. "Oh let me run some tests on your modem."


Good luck with that.

 

AT&T does in fact block port 25 outbound. And if you tell them you're running an Exchange Server they'll probably tell you that they don't support servers on their home service.

 

Switching to a business account will allow you to unblock the port -- but that may cost more.

 

I'm actually surprised because Comcast does the same thing. They'll unblock it for you, but it'll re-block at a later date automatically. My business partner has Comcast (I have Comcast Business) and this has been our experience.

 

Unless something has changed, AT&T won't unblock it -- it's one of the reasons I dropped DSL as my backup ISP.

 

-Forjo

 

He's not running a server, he just wants to send mail. His email client is sending a request to his mail's SMTP server to connect, but since outbound port 25 is blocked, no connection can be made. He's not opening a port on his end or hosting any services, at least according to his post. Some ISPs will open the port for their clients; it's just closed by default.


I have Uverse (residential) and also run Exchange. AT&T absolutely blocks port 25 by default. You can definitely have them remove the block though. I have done this for myself and a few clients as well. I used to have a direct number to tier 2 support and they would immediately know what I was talking about and removed it. It's a simple check box on their end.

 

I haven't read the whole thread just felt like sharing.


 

I used to have a direct number to tier 2 support and they would immediately know what I was talking about and removed it. It's a simple check box on their end.

Exactly. Call and get the tech dept and ask for tier 2/level 2 tech support from the get-go and they should forward you. They may be a 9-5 scenario compared to the 24hr call center, but they know what they are doing. I do this with my internet co (actually level 4 if you can believe it) and they have no problem talking technical mumbo jumbo and helping you with specific issues.


ISPs usually block port 25 to stop spam except for their own SMTP (AT&T SMTP in your case). If your computer is infected with a virus, it could be turned into a spam server.


He's not running a server, he just wants to send mail. His email client is sending a request to his mail's SMTP server to connect, but since outbound port 25 is blocked, no connection can be made. He's not opening a port on his end or hosting any services, at least according to his post. Some ISPs will open the port for their clients; it's just closed by default.

Oh? He specifically mentions Exchange. If he doesn't have an Exchange Server he should be connecting via ActiveSync or RPC over HTTP. Either way SMTP wouldn't be used and wouldn't be a problem.

 

-Forjo


He's not running a server, he just wants to send mail. His email client is sending a request to his mail's SMTP server to connect, but since outbound port 25 is blocked, no connection can be made. He's not opening a port on his end or hosting any services, at least according to his post. Some ISPs will open the port for their clients; it's just closed by default.

Heh... I am running Exchange. Worked great on Comcast... not so much on AT&T. Guess I'm gonna have to call them AGAIN. Ugh.


Surprised your Exchange works, in that mine doesn't even allow "residential IPs" to connect over port 25. If you aren't static and trying to use 25 you get blocked; only 587 or 465 will work for residential IPs. This is standard, I thought, even for Gmail and such. So I'm surprised you can send/receive emails on a dynamic IP range.


I've had this problem with several employees on AT&T using our business email from Outlook. Just set Exchange up to use a different port. I've set up our mail server to accept SMTP traffic on port 26, which works fine on the AT&T network.

 

They're never going to change this policy, and if you want to solve the problem, just adjust your approach.


You CAN NOT send out on 25 from most major players. If Comcast does not block it they should, and even if they don't, you can not send to any major players that do any sort of filtering based on your IP block (home user). Glad to see AT&T is now blocking it as well. There is NO reason for a home connection to be able to send directly outbound on 25, there just isn't!! Now I don't like filters either, but the spammers ruined it for everyone!! And the only reason they could do that is idiot users actually opening and even looking at email that says **** like

Drugstore (Viagra,Cialis) 180 pills 174$ Secure and Trusted

For example, I'm on Comcast, and I used to be able to telnet to the AOL MX... Just tried, and it seems I am blocked now? Good, about time they did that!! But here is the example point I was going to make, by actually connecting to the aol.com MX from my home connection.

Example error you would get coming from an IP that should not be sending mail:

Trying 205.188.156.193...
Connected to mailin-03.mx.aol.com.
Escape character is '^]'.
220-mtain-dl03.r1000.mx.aol.com ESMTP Internet Inbound
220-AOL and its affiliated companies do not
220-authorize the use of its proprietary computers and computer
220-networks to accept, transmit, or distribute unsolicited bulk
220-e-mail sent from the internet.
220-Effective immediately:
220-AOL may no longer accept connections from IP addresses
220 which no do not have reverse-DNS (PTR records) assigned.

Here is the thing: to run an email server, there are a few rules you need to follow. One, as you can see above, is that your PTR should actually match the forward name you present to the server you're wanting to send mail to. So for example, if my server is mail.domain.com, when you look up its IP via PTR it should return mail.domain.com.

Another rule most major players play by is that the IP block you're coming from can not be listed as dynamic or used to give IP addresses to home users, etc.

If you want to run an SMTP server out of your house, and you want to send email directly, you're going to have to follow the rules. If you're on a dynamically assigned IP from a major ISP, these are going to be blacklisted.

Example:

554 RTR:DU
AOL uses the Spamhaus PBL to block mail from dynamic and residential IP addresses. Per our E-mail Guidelines, we do not accept mail from such addresses. If you believe your IP is listed in error, please contact your ISP directly and have them update their listing with the PBL. If...
your ISP reports that the IP is correctly listed in the PBL, and that you should be able to send mail from it, or
you were recently assigned IPs, have changed the rDNS on them, and allowed 48-72 hours for propagation time...and you are still getting the error, please open a support request.

Home internet connections are normally not meant for you to run services such as email, ftp, http servers that provide services to the public net.

And even if their AUP does not deny you the ability to run such services, most major players will not accept mail from you if your IP is listed as a home/residential type connection.

If you want to run mail services out of your house, where you actually send email directly to the accepting SMTP servers for a domain, you're going to want a valid PTR that matches the forward name you present to them, and you're also going to need to have your IP not listed as a home user type connection.

Normally there is no block on accepting email, so you could use a smart host to send your mail. Either your ISP's mail server (but they normally don't allow you to send from an address other than your own), or one of the plenty of services that will be a smart host for you, where you send them your outgoing mail and they send it on for you (relay), and their servers meet the requirements of sending mail on the public net. And normally you can talk to them on a port other than 25, which again is quite often blocked outbound by major ISPs.

There really is no valid reason to run email services out of your house on a user type connection. It's not worth the time, it's not saving you any money, having to have a box up 24/7/365, dealing with security issues. If you don't know what you're doing you're going to be a spam relay very quickly.

It's much easier, safer and cheaper to just run the server at a host, be it a VPS, be it a dedicated server, be it a webhost even; they can accept mail for your domain(s) and send for them as well.

If you really want an Exchange server at your house, get a cheap $15 a year VPS and use it to route your mail for your domains, and just have your Exchange server pick up and relay mail through it.

Good luck though. I figured out it's pointless hosting my own mail out of my home connection about 10+ years ago ;)
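The two rules in the post above, a PTR that matches the name the sender presents and an IP that is not on the Spamhaus PBL, as checks you can run before pointing a home Exchange box at the world. This is an added example, not code from the thread or from any of the providers named in it; the lookups are injectable so the logic can be exercised against constructed records, the 203.0.113.0/24 addresses and example.com names are documentation space, and the PBL return codes are assumed from Spamhaus's published ZEN codes.

```python
import socket
from typing import Callable, Dict, List, Optional

# Added example (not from the thread): forward-confirmed reverse DNS using
# the rule in the post (PTR must equal the presented name, and that name must
# resolve back to the IP), plus a Spamhaus PBL lookup. Default lookups use the
# system resolver; the tests inject constructed records instead.

# ZEN answers for PBL (dynamic/residential) listings; assumed from Spamhaus docs.
PBL_CODES = ("127.0.0.10", "127.0.0.11")


def reverse_name(ip: str) -> str:
    """IPv4 address to its in-addr.arpa name: 203.0.113.10 -> 10.113.0.203.in-addr.arpa."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def default_ptr(ip: str) -> Optional[str]:
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def default_forward(name: str) -> List[str]:
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except OSError:
        return []
    return sorted({info[4][0] for info in infos})


def check_fcrdns(ip: str, presented_name: str,
                 ptr_lookup: Callable = default_ptr,
                 forward_lookup: Callable = default_forward) -> Dict[str, object]:
    """Report ok=True only if PTR(ip) == presented_name and A(PTR) contains ip."""
    report = {"ip": ip, "presented": presented_name, "ptr": None,
              "forward": [], "ok": False, "reason": ""}
    ptr = ptr_lookup(ip)
    report["ptr"] = ptr
    if ptr is None:
        report["reason"] = "no PTR record (the AOL banner above says such senders may be refused)"
        return report
    if ptr.rstrip(".").lower() != presented_name.rstrip(".").lower():
        report["reason"] = f"PTR {ptr} does not match presented name {presented_name}"
        return report
    addrs = forward_lookup(ptr)
    report["forward"] = addrs
    if ip not in addrs:
        report["reason"] = f"forward lookup of {ptr} does not return {ip}"
        return report
    report["ok"] = True
    report["reason"] = "forward-confirmed reverse DNS holds"
    return report


def pbl_listed(ip: str, forward_lookup: Callable = default_forward,
               zone: str = "zen.spamhaus.org") -> List[str]:
    """PBL return codes for ip, empty if not listed as dynamic/residential.
    Caveat: Spamhaus refuses queries relayed through public resolvers such as 8.8.8.8."""
    query = ".".join(reversed(ip.split("."))) + "." + zone
    return [a for a in forward_lookup(query) if a in PBL_CODES]


if __name__ == "__main__":
    # Live lookups through the system resolver; replace the placeholders.
    print(check_fcrdns("203.0.113.10", "mail.example.com"))
    print(pbl_listed("203.0.113.10"))
```

A home connection will typically fail both checks at once, which is the smart host argument in the post in two function calls.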


Oh? He specifically mentions Exchange. If he doesn't have an Exchange Server he should be connecting via ActiveSync or RPC over HTTP. Either way SMTP wouldn't be used and wouldn't be a problem.

 

-Forjo

Yeah, you're right. For some reason I completely misread Exchange as Outlook. Not enough coffee ;) But yeah, some ISPs do block connections to remote SMTP servers from software like Outlook. But my bad, servers are mostly a big no-no with ISPs, like you said.


Is your port 25 unencrypted?  Why would anyone want to send email through an unencrypted port 25 connection anyway?

 

There's a reason Gmail's SMTP only uses ports 587 (TLS) and/or port 465 (SSL). Port 25 is way too old school and unsecured, and thus is generally blocked by default. If you really want to pursue setting that up, at least do it correctly and lock it down with TLS/SSL.


Congratulations your mail client has an encrypted path to the mail server but did you know that the mail servers still talk to each other on port 25? So that means even though you encrypted your leg it eventually is put on an unencrypted leg.


Congratulations your mail client has an encrypted path to the mail server but did you know that the mail servers still talk to each other on port 25? So that means even though you encrypted your leg it eventually is put on an unencrypted leg.

 

He doesn't need to be concerned about how servers do or do not talk to each other. All he needs to be concerned about is getting his email to his SMTP server, and I haven't seen anything in this thread that says he can't do that.

 

I wish all ISPs blocked port 25 personally. There's no need to use it, and if someone gets a virus from going to a random porn site, I'd prefer their machine wasn't able to help contribute to the massive amounts of email spam that you get.


He doesn't need to be concerned about how servers do or do not talk to each other. All he needs to be concerned about is getting his email to his SMTP server, and I haven't seen anything in this thread that says he can't do that.

 

I wish all ISPs blocked port 25 personally. There's no need to use it, and if someone gets a virus from going to a random porn site, I'd prefer their machine wasn't able to help contribute to the massive amounts of email spam that you get.

 

 

He wants to be able to send out from his SMTP server on his site that is on the AT&T U-verse network.

 

 

 

Before, when I was on Comcast, I had no issues sending/receiving from Exchange to Gmail, Yahoo, etc. The moment I swapped the line, I could only receive, but not send. I did some research and saw that it looks like AT&T U-verse blocks SMTP traffic, so I called up AT&T and first got the Philippines, which was no help, then I got someone in India, who didn't even know what Exchange was. They claim they don't block any ports (except neither could tell me what port SMTP ran on), yet when I try doing some basic tests, I get failures.

 

He has to be concerned with how servers talk to each other, because the way I am reading this, he has an Exchange Server (which is a mail server) on premises that is connected to the AT&T network to transmit mail messages. The only way around this is to relay messages, as budman stated, to a source that can relay messages. A mail relay probably won't use a default communications port to accept the incoming messages, to get around the port 25 block.

 

Another solution would be to upgrade to business class with static addressing; they shouldn't block anything on business class with a static address block.


So I took a quick look, since I am on Comcast and used to be able to send outbound on 25.

http://customer.comcast.com/help-and-support/internet/email-port-25-no-longer-supported/

So this makes sense why it's blocked now. The date on that is July 19th, so even if you would have kept Comcast you would have been out of luck.

In the article they list:

Comcast does not support port 25 for the transmission of email by our residential Internet customers. Much of the current use of port 25 is by computers that have been infected by malware and are sending spam without the knowledge of the users of those computers.

Many ISPs, both in the USA and around the globe, block port 25. These include:
Verizon
AT&T
NetZero
Charter
People PC
Cox
EarthLink
Verio
Cablevision
All Japanese ISPs
France Telecom / Orange


I work for an ISP and we won't unblock it. Hardware we currently have in place doesn't allow one-off exceptions. We do, however, allow normal SMTP traffic on 587 as the OP mentioned, not just SMTPS. From my understanding of the ISPs I've personally dealt with, this is common practice in Canada if you are not using the ISP's SMTP servers.


I spent two hours trying to explain to an 8 year, level 1 tech at AT&T that they were blocking the IP to my website. I could access it from any other connection that was not AT&T. I finally gave up, as it appears they hire inadequate high level techs that just don't have a clue.

 

I finally contacted my hosting site and they changed my IP and in about an hour I had a connection on the AT&T network.


Level 1 is basically help desk; the higher the number, the more knowledgeable they are. Level 1 is just about the equivalent of talking to a wall that is about to crumble on top of you, to which you are trying to explain why not to crumble on top of you, in hopes that it will understand your reasoning not to crush you... it's a falling wall, it doesn't have ears, but it will crush you.

