Ideas for solving SMTP problem at work


Garion

Platinum Member
Apr 23, 2001
2,328
6
81
I did manage to find one application that you install on your client PC which acts as a SMTP proxy. Might be worth looking into.

Edit: This free application might also work for you. It's a SMTP relay you install on your local PC. It can be configured to deliver directly or to a list of SMTP servers. Just list both your servers on it, aim your mail clients to 127.0.0.1 port 25 and watch it go.. I didn't test it at all, just looked at some of the config screens, so YMMV and no guarantees.

- G
 

martind1

Senior member
Jul 3, 2003
777
0
0
bsobel, WE'RE BAAAAACK.

lol. ok, i guess i really didn't think too much about keeping BOTH ports open. i beg forgiveness on that one.

ok, finally found the port settings. speaking of things i never needed to look at.


try a ssh tunnel
 

buleyb

Golden Member
Aug 12, 2002
1,301
0
0
Why don't you set up a VPN at work, and have the mobile users connect into that. Then they can always use the same mail servers no matter where they are or who their ISP is. This is by far the quickest solution that allows for the other factors to change at will. If VPN is a pain for you, SSH will tunnel POP3/IMAP/SMTP with no problem, and is actually easier to implement.

EDIT: You could also set up authentication on your SMTP server at work, and then open it to the outside world for use, that would solve the open relay problem, and your mobile user problem at the same time.
 

Kilrsat

Golden Member
Jul 16, 2001
1,072
0
0
I think a lot of people are misunderstanding the problem. Which is leading to a lot of frustration and bad suggestions.

Problem:
Some ISPs restrict traffic originating from any of their subscribers that isn't bound for the ISP's smtp.

Example:
My smtp server: smtp.jimbob.com
My ISPs smtp server: smtp.myisp.com

If I am at home, and try sending a message using my normal smtp server, it will not work. Since smtp.jimbob.com != smtp.myisp.com the traffic filtering that the ISP is doing on port 25 says, "No, you cannot send that packet."

OPs current solution:
Have users at home/on road send through ISPs smtp server, such as smtp.myisp.com

Problem with solution:
Users have to change Outlook settings depending on if they are at home, on road, or in office.

It has nothing to do with the server being "accessible" from outside the network because the server has to be public in order for anyone to receive mail that didn't originate there.

The two real solutions:
1) Have smtp server listen for incoming messages on port 25, and on an additional port (such as 26 or 2525 or 40000). This gets around the ISP blocking outbound port 25 traffic. If your server cannot listen on multiple ports, then you would investigate the various ways to get traffic sent to one port forwarded to another. In this solution the client's email client (Outlook) settings would be changed to communicate with the server on the alternate port. This could be left alone, as even when they are in the office the alternate port should still work.

2) VPN. This is a more complicated solution, and if the only problem is email connection is a very "heavy" solution. However, once you start to think about security of user accounts/email contents a VPN gets more attractive vs. having all your company's secrets sent across the internet in plain text.

The problem is quite clear, the clients cannot communicate with the server on port 25, so these are the two ways to let the client communicate on a port other than 25 and still get the desired result (they can send mail).

It's a common problem and many businesses have had to solve it already. These are the tried and true methods. (I believe the RFC for SMTP actually describes using an alternate port for client-server communications vs. server-server mail relay, it's just that no one pays attention to it.) Of course the best practices for SMTP security should be followed, such as required authentication, etc.
 

classy

Lifer
Oct 12, 1999
15,219
1
81
Originally posted by: Kilrsat
I think a lot of people are misunderstanding the problem. Which is leading to a lot of frustration and bad suggestions.

Problem:
Some ISPs restrict traffic originating from any of their subscribers that isn't bound for the ISP's smtp.

Example:
My smtp server: smtp.jimbob.com
My ISPs smtp server: smtp.myisp.com

If I am at home, and try sending a message using my normal smtp server, it will not work. Since smtp.jimbob.com != smtp.myisp.com the traffic filtering that the ISP is doing on port 25 says, "No, you cannot send that packet."

OPs current solution:
Have users at home/on road send through ISPs smtp server, such as smtp.myisp.com

Problem with solution:
Users have to change Outlook settings depending on if they are at home, on road, or in office.

It has nothing to do with the server being "accessible" from outside the network because the server has to be public in order for anyone to receive mail that didn't originate there.

The two real solutions:
1) Have smtp server listen for incoming messages on port 25, and on an additional port (such as 26 or 2525 or 40000). This gets around the ISP blocking outbound port 25 traffic. If your server cannot listen on multiple ports, then you would investigate the various ways to get traffic sent to one port forwarded to another. In this solution the client's email client (Outlook) settings would be changed to communicate with the server on the alternate port. This could be left alone, as even when they are in the office the alternate port should still work.

2) VPN. This is a more complicated solution, and if the only problem is email connection is a very "heavy" solution. However, once you start to think about security of user accounts/email contents a VPN gets more attractive vs. having all your company's secrets sent across the internet in plain text.

The problem is quite clear, the clients cannot communicate with the server on port 25, so these are the two ways to let the client communicate on a port other than 25 and still get the desired result (they can send mail).

It's a common problem and many businesses have had to solve it already. These are the tried and true methods. (I believe the RFC for SMTP actually describes using an alternate port for client-server communications vs. server-server mail relay, it's just that no one pays attention to it.) Of course the best practices for SMTP security should be followed, such as required authentication, etc.


Oh I see. But I still don't get the headache. A simple cost effective solution is upgrading to Exchange 2003, using OWA 2003 which is just about identical to Outlook 2003, connect using SSL. No need to switch settings, for a company of that size probably not a huge cost, features that they need and then some, can access from any browser, adds security, and enabling forms based authentication is about as slick as it gets and even raises the security level much more, and bypasses any port issues or ISP issues. And can be used for the next 8-10 years. It's almost a no brainer.
 

buleyb

Golden Member
Aug 12, 2002
1,301
0
0
That is all well and good, but you can't expect to simply change port numbers and solve this. ISPs want to solve this, they can easily stop any SMTP traffic regardless of port, and I wouldn't be surprised if some already did. VPNs and SSH servers aren't a huge headache, especially if you already have access to a Windows/Linux server from outside.

This problem isn't that hard to solve guys...
 

bsobel

Moderator Emeritus, Elite Member
Dec 9, 2001
13,346
0
0
Originally posted by: buleyb
That is all well and good, but you can't expect to simply change port numbers and solve this. ISPs want to solve this, they can easily stop any SMTP traffic regardless of port, and I wouldn't be surprised if some already did. VPNs and SSH servers aren't a huge headache, especially if you already have access to a Windows/Linux server from outside. This problem isn't that hard to solve guys...

Yes, you can expect the port change to deal with this. The ISP's goal is to block spammers from hitting open relays, that goal is accomplished by blocking port 25. There are so few mail servers available on alternate ports that the risk profile for the ISP is fine, they'll allow the traffic.

You're right, the problem isn't hard to solve, and a port forward is (by far) the easiest solution.

Bill

 

TechnoPro

Golden Member
Jul 10, 2003
1,727
0
76
I have encountered the same problem personally. It did become a pain to manually edit the SMTP server information depending on my location. My low tech solution was to create three e-mail accounts in Outlook, identical except for each one had specific SMTP settings. Each account was named accordingly: Office / Travel / Home. There is 1 minor nuisance, though. When I am on the road for example, and receive an e-mail through the Travel account, should I draft a response and not send it, waiting until I return to the office, I must instruct Outlook to send it through the Office account. It's proven much easier for me to do it this way than it was to manually edit the settings each time.
 

VirtualLarry

No Lifer
Aug 25, 2001
56,479
10,137
126
Originally posted by: martind1
sorry bsobel. i didn't mean to offend someone who apparently is just looking to start fights. excuse me for trying to find out more information. I guess trying to be helpful is just plain offensive. Since this isn't your thread, maybe you should just stop reading it.

I guess I am just a silly guy though.

Uhm, if you spent some more time around here, bsobel is probably one of the least likely people to "look to start a fight", believe me.

He was being helpful, I think that he was just annoyed at your apparent lack of understanding of the actual original problem. I would have proposed the same things he did, actually, if I had seen this thread earlier. I haven't been around AT for a few days.

Btw, I am a Juno subscriber, and I can confirm that you are forced to use smtp.juno.com to send mail outbound, while on their network. Verizon is even worse, you have to authenticate to their servers before being allowed to send mail, even when you are on their network. That seems excessive to me.
 

VirtualLarry

No Lifer
Aug 25, 2001
56,479
10,137
126
Originally posted by: bsobel
Do you have a firewall in front of the mail machine? If so, can it be configured to port forward another port to 25 (back to the use port 26 or 2626 or some random port# question). If not, there are a number of apps that will run on the box and provide relay (WinIpRelay, Ip*Works Secure Tunnel, etc). Most of those don't scale to lots of users, but for a small office they would be fine.
Bill

What about using Netcat for the job? It does port forwarding. (Other than the fact that it could be considered a "hacker tool" by some.)
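An added example, not written by any poster in this thread: a small model of the relay decision behind an alternate-port listener. A forwarder that runs on the mail host itself (netcat, WinIpRelay) reconnects from loopback, so a server that trusts "internal" source addresses relays for anyone who reaches the forwarded port, while a server that requires authentication on that port does not. The policy functions, `TRUSTED_NETS`, the choice of 2525 from the ports floated in the thread, and all addresses are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values: networks a hypothetical server treats as "internal".
TRUSTED_NETS = [ipaddress.ip_network("127.0.0.0/8"),
                ipaddress.ip_network("192.168.10.0/24")]
LOCAL_DOMAINS = {"jimbob.com"}   # domain from the thread's example
ALT_PORT = 2525                  # one of the alternate ports suggested above


@dataclass
class Session:
    peer_ip: str         # source address as the SMTP daemon sees it
    listener_port: int   # 25 (server-to-server) or the alternate port
    authenticated: bool  # True only after a successful SMTP AUTH


def is_local(rcpt: str) -> bool:
    return rcpt.rsplit("@", 1)[-1].lower() in LOCAL_DOMAINS


def seen_by_daemon(client_ip: str, via_onbox_forwarder: bool) -> str:
    """A userland forwarder on the mail host opens a fresh connection from
    loopback, so the daemon never sees the real client address."""
    return "127.0.0.1" if via_onbox_forwarder else client_ip


def ip_trust_policy(s: Session, rcpt: str) -> bool:
    """Weak: relay to any destination when the source IP looks internal."""
    if is_local(rcpt):
        return True
    addr = ipaddress.ip_address(s.peer_ip)
    return any(addr in net for net in TRUSTED_NETS)


def auth_policy(s: Session, rcpt: str) -> bool:
    """Hardened: port 25 only accepts mail for local domains; the alternate
    port accepts nothing without authentication, whatever the source IP."""
    if s.listener_port == ALT_PORT:
        return s.authenticated
    return is_local(rcpt)


def scenarios() -> dict:
    outsider, external = "203.0.113.50", "someone@example.net"  # constructed
    cases = {
        "direct, no auth":      (Session(seen_by_daemon(outsider, False), ALT_PORT, False), external),
        "forwarded, no auth":   (Session(seen_by_daemon(outsider, True), ALT_PORT, False), external),
        "forwarded, road user": (Session(seen_by_daemon(outsider, True), ALT_PORT, True), external),
        "inbound on port 25":   (Session(outsider, 25, False), "user@jimbob.com"),
    }
    # Each value is (accepted under IP trust, accepted under required auth).
    return {k: (ip_trust_policy(s, r), auth_policy(s, r)) for k, (s, r) in cases.items()}


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:22} ip_trust={result[0]!s:5} auth_required={result[1]}")
```

A port forward done at the router normally preserves the client's source address, so the loopback case applies to forwarders running on the mail host itself.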
 

bsobel

Moderator Emeritus, Elite Member
Dec 9, 2001
13,346
0
0
Verizon is even worse, you have to authenticate to their servers before being allowed to send mail, even when you are on their network. That seems excessive to me.

I'm of the school that all ISPs should require authentication, helps in many situations know whom to blame if spam goes out. Verizon requires this today since they have hot spot services, but it goes a way towards keeping home user machines that have zombies on them from spreading (although I'm sure the zombies will start ferreting out the authent info), additionally it helps with customers with open wireless networks (drive by spamming actually does happen...)

Bill
 

horhey

Member
Dec 23, 2003
102
0
0
Originally posted by: TechnoPro
I have encountered the same problem personally. It did become a pain to manually edit the SMTP server information depending on my location. My low tech solution was to create three e-mail accounts in Outlook, identical except for each one had specific SMTP settings. Each account was named accordingly: Office / Travel / Home. There is 1 minor nuisance, though. When I am on the road for example, and receive an e-mail through the Travel account, should I draft a response and not send it, waiting until I return to the office, I must instruct Outlook to send it through the Office account. It's proven much easier for me to do it this way than it was to manually edit the settings each time.


I too had this same problem at work. My solution was similar to this one...
I just created 2 profiles in outlook one for office and one for road. I configured the SMTP settings accordingly and used the same pst file for the 2 profiles. And I setup outlook to ask the user to select the profile they want when they start outlook. Very simple solution. :beer:
 

VirtualLarry

No Lifer
Aug 25, 2001
56,479
10,137
126
Originally posted by: bsobel
Verizon is even worse, you have to authenticate to their servers before being allowed to send mail, even when you are on their network. That seems excessive to me.

I'm of the school that all ISPs should require authentication, helps in many situations know whom to blame if spam goes out.

I disagree, only on the basis that if the sending client's IP is on Verizon's network already, then they have the assigned IP, and can use that to track down the sender, since they are on their own network. Outside the network, sure, require authentication. But inside?

But requiring auth while already on the internal network, actually creates a security risk. There was a thread over on BBR about someone handling internet-access for a hotel, with a Verizon business DSL line, and they have had guests asking for the DSL line's username/password, in order to auth to be able to send outgoing e-mail. What a mess! (Obviously, I replied and told them that giving out the username/password is a very bad idea.)

Security is good, but when it starts to affect availability of services unnecessarily, one has to step back and ask if policies are being implemented correctly. In this case, I think that VZ's policy is a bit bone-headed. No other ISP does things this way.

(In short, why is VZ requiring double-auth from the users? Firstly with PPPoE/PPP to access VZ's network, and secondly to access services available on the internal network? Once should be enough.)

Originally posted by: bsobel
Verizon requires this today since they have hot spot services, but it goes a way towards keeping home user machines that have zombies on them from spreading (although I'm sure the zombies will start ferreting out the authent info), additionally it helps with customers with open wireless networks (drive by spamming actually does happen...)

I totally disagree with that. One, don't the users of the VZ WiFi hotspots still have to auth using PPPoE? (Have no idea, but since VZ is moving their entire DSL base to use it, and dial-up users already have to use PPP, and FIOS will be using PPPoE, then I am assuming that WiFi users will too, just to make the auth database orthogonal to the access services used.)

Second, how in the world can "zombies" spread via the SMTP port? That's really not a valid reason for requiring auth, while on their own network.

PS. Still curious if you think netcat would be a practical/workable solution to allowing the SMTP server to listen on multiple ports.
 

bsobel

Moderator Emeritus, Elite Member
Dec 9, 2001
13,346
0
0
I disagree, only on the basis that if the sending client's IP is on Verizon's network already, then they have the assigned IP, and can use that to track down the sender, since they are on their own network. Outside the network, sure, require authentication. But inside?

The sending IP is useless if someone has piggybacked on the connection (e.g. connected to an open access point). From my home I have access to 4 of my neighbors' OPEN access points. When I start sending spam over their IP, should I rely on their authentication? No. (Should their access points be open, also a no, but let's not make the ISP track down each stupid user WHILE they are being used to send millions of spams).

Security is good, but when it starts to affect availability of services unnecessarily, one has to step back and ask if policies are being implemented correctly. In this case, I think that VZ's policy is a bit bone-headed. No other ISP does things this way.

You'll be seeing this more and more.

(In short, why is VZ requiring double-auth from the users? Firstly with PPPoE/PPP to access VZ's network, and secondly to access services available on the internal network? Once should be enough.)

One validates the link, the second de-mux's the users on the link.

Second, how in the world can "zombies" spread via the SMTP port? That's really not a valid reason for requiring auth, while on their own network.

I'm talking about machines that have zombies on them today that are being used to send SPAM. The zombies are being spread via traditional exploits, not port 25. However, they are responsible for A LOT of spam generating from the ISP networks.

PS. Still curious if you think netcat would be a practical/workable solution to allowing the SMTP server to listen on multiple ports.

Probably, but just forwarding a second port at the router will be the easiest.

Bill



 

abellamy

Junior Member
Oct 3, 2004
11
0
0
If you want a much simpler solution that works on every ISP I have tested it with - see AuthSMTP

VPNs etc are great but if you just want to solve the problem of outgoing mail that is much simpler!
 

azev

Golden Member
Jan 27, 2001
1,003
0
76
Ok.... I have experienced the same problem before, and here is the solution that I used:

I created multiple profiles in Outlook such as home, on the road, Corporate Office, etc. Each profile is set up with its respective SMTP server, and all profiles pointed to the same .pst (Outlook data file). Depending on where they are, when your user opens Outlook he/she can choose what profile to use.

With this setup your user only has to choose which profile to use depending on if they are at home, on the road (using Juno dial up), or in the office.

The good thing about this setup is that anything that they did in one profile will always be reflected in the other profiles. All because each profile points to the same Outlook data file.

This setup worked really well in my old company and I got the users to stop complaining.

Good luck man, I hope these will work for U.
 

abellamy

Junior Member
Oct 3, 2004
11
0
0
That is a lot more effort to setup - especially if the user has multiple email addresses.

AuthSMTP is a simpler solution and works with other email programs that do not support multiple profiles etc.
 