[ale] Bellsouth to Speakeasy?

John Wells jb at sourceillustrated.com
Sat Jan 25 13:48:20 EST 2003


I agree there seems to be some confusion here.

Here's what I understand:

You will not have packets outbound from your mail server with source port
25 *unless* those outbound packets are in response to a connection from
the outside.  Port 25 when regarded with SMTP is a *listening* port, not a
sending port, unless the packets are responding to a connection initiated
when the smtp daemon *hears* some incoming packets with destination port
of 25 that ask for a session to be created.

So, it makes no sense to say they will block your source port from going
anywhere except to their smtp server, because I would never have a packet
with source port of 25 going to their smtp server (unless their smtp had
requested the connection).  I would have packets with *destination* ports
of 25 going to their smtp server, but the source port would be a higher,
randomly chosen port number.

As an example, let's take a look at tcpdump from my mail server.

First, an outgoing mail:

13:43:29.636433 192.168.2.4.49829 > 205.152.58.136.25: S
4206921088:4206921088(0) win 5840 <mss 1460,sackOK,timestamp 566909243
0,nop,wscale 0> (DF)
13:43:29.658558 205.152.58.136.25 > 192.168.2.4.49829: S
365776066:365776066(0) ack 4206921089 win 9800 <nop,nop,timestamp 55789175
566909243,nop,wscale 0,mss 1412> (DF)
13:43:29.658642 192.168.2.4.49829 > 205.152.58.136.25: . ack 1 win 5840
<nop,nop,timestamp 566909254 55789175> (DF)
13:43:29.685673 205.152.58.136.25 > 192.168.2.4.49829: P 1:131(130) ack 1
win 9800 <nop,nop,timestamp 55789178 566909254> (DF)
13:43:29.685742 192.168.2.4.49829 > 205.152.58.136.25: . ack 131 win 5840
<nop,nop,timestamp 566909268 55789178> (DF)
13:43:29.700934 192.168.2.4.49829 > 205.152.58.136.25: P 1:29(28) ack 131
win 5840 <nop,nop,timestamp 566909276 55789178> (DF)
13:43:29.721231 205.152.58.136.25 > 192.168.2.4.49829: . ack 29 win 9800
<nop,nop,timestamp 55789182 566909276> (DF)
13:43:29.726234 205.152.58.136.25 > 192.168.2.4.49829: P 131:227(96) ack
29 win 9800 <nop,nop,timestamp 55789182 566909276> (DF)
13:43:29.726535 192.168.2.4.49829 > 205.152.58.136.25: P 29:113(84) ack
227 win 5840 <nop,nop,timestamp 566909289 55789182> (DF)
13:43:29.767298 205.152.58.136.25 > 192.168.2.4.49829: P 227:379(152) ack
113 win 9800 <nop,nop,timestamp 55789186 566909289> (DF)
13:43:29.767651 192.168.2.4.49829 > 205.152.58.136.25: P 113:861(748) ack
379 win 5840 <nop,nop,timestamp 566909310 55789186> (DF)
13:43:29.913175 205.152.58.136.25 > 192.168.2.4.49829: . ack 861 win 9800
<nop,nop,timestamp 55789201 566909310> (DF)

Note, my smtp process uses a randomly chosen port, with destination port
set to 25 on bellsouth's smtp server.

Now, an incoming mail:

13:45:24.352872 66.33.1.213.3183 > 192.168.2.4.25: S
4193317797:4193317797(0) win 32120 <mss 1412,sackOK,timestamp 1743960275
0,nop,wscale 0> (DF)
13:45:24.352979 192.168.2.4.25 > 66.33.1.213.3183: S 39359671:39359671(0)
ack 4193317798 win 5792 <mss 1460,sackOK,timestamp 566967982
1743960275,nop,wscale 0> (DF)
13:45:27.368294 66.33.1.213.3183 > 192.168.2.4.25: S
4193317797:4193317797(0) win 32120 <mss 1412,sackOK,timestamp 1743960575
0,nop,wscale 0> (DF)
13:45:27.368390 192.168.2.4.25 > 66.33.1.213.3183: S 39359671:39359671(0)
ack 4193317798 win 5792 <mss 1460,sackOK,timestamp 566969526
1743960275,nop,wscale 0> (DF)
13:45:27.519191 66.33.1.213.3183 > 192.168.2.4.25: . ack 1 win 32120
<nop,nop,timestamp 1743960592 566969526> (DF)
13:45:27.642502 192.168.2.4.25 > 66.33.1.213.3183: P 1:42(41) ack 1 win
5792 <nop,nop,timestamp 566969666 1743960592> (DF)
13:45:27.745828 66.33.1.213.3183 > 192.168.2.4.25: . ack 42 win 32120
<nop,nop,timestamp 1743960609 566969666> (DF)
13:45:27.746517 66.33.1.213.3183 > 192.168.2.4.25: P 1:31(30) ack 42 win
32120 <nop,nop,timestamp 1743960609 566969666> (DF)
13:45:27.746547 192.168.2.4.25 > 66.33.1.213.3183: . ack 31 win 5792
<nop,nop,timestamp 566969719 1743960609> (DF)
13:45:27.746761 192.168.2.4.25 > 66.33.1.213.3183: P 42:69(27) ack 31 win
5792 <nop,nop,timestamp 566969719 1743960609> (DF)
<snip>


So, there are indeed packets going outbound from my server with source
port 25, but these are *only* in response to an outside connection.

As I understand it, this should always be the case.  Never will my mail
server send mail out with a source port of 25.

Of course, clarifications and opinions are welcome ;-).

John


James P. Kinney III said:
> If you try and send email directly from your DSL account, that is viewed
> as spam.
>
> They will block your source port 25 from going anywhere EXCEPT their smtp
> servers.
>
> If you want to run your own mail server, you _must_ set up the Smart
> Host relay to point to the smtp server for your ISP.
>
> This is used to allow traffic monitoring of smtp data. If a user account
> begins spewing 3000 emails a day, they pretty much know it is crap and
> can block that account quickly and automatically.
>
> This above discussion is only relevant to non-commercial accounts. Most
> commercial accounts have few, if any, filters applied.
>
> According to BellSouth docs back when I used them, they block port 25 as
> discussed above and don't for commercial accounts. I also know that
> Earthlink does the same. Most of my other ISP encounters are with
> commercial systems so I can't comment on places like Speakeasy and
> others.



_______________________________________________
Ale mailing list
Ale at ale.org
http://www.ale.org/mailman/listinfo/ale
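
The check described in the message above, as an added example that is not part of the original post: it reads old-style tcpdump records, decides who opened each connection from the bare SYN (an S with no ack), and lists any packets the server sent from source port 25 on a connection the remote side did not open. The sample records are abridged from the trace in the post (wrapped lines joined, TCP options dropped); the function names are hypothetical.

```python
import re

# Old-style tcpdump record: time src.port > dst.port: flags rest-of-line
REC = re.compile(r"^\S+ (\d+\.\d+\.\d+\.\d+)\.(\d+) > "
                 r"(\d+\.\d+\.\d+\.\d+)\.(\d+): (\S+)(.*)$")

SERVER = "192.168.2.4"  # the mail server's address in the post's trace

# Abridged from the trace in the post: wrapped lines joined, options dropped.
TRACE = """
13:43:29.636433 192.168.2.4.49829 > 205.152.58.136.25: S 4206921088:4206921088(0) win 5840
13:43:29.658558 205.152.58.136.25 > 192.168.2.4.49829: S 365776066:365776066(0) ack 4206921089 win 9800
13:43:29.658642 192.168.2.4.49829 > 205.152.58.136.25: . ack 1 win 5840
13:45:24.352872 66.33.1.213.3183 > 192.168.2.4.25: S 4193317797:4193317797(0) win 32120
13:45:24.352979 192.168.2.4.25 > 66.33.1.213.3183: S 39359671:39359671(0) ack 4193317798 win 5792
13:45:27.368294 66.33.1.213.3183 > 192.168.2.4.25: S 4193317797:4193317797(0) win 32120
13:45:27.642502 192.168.2.4.25 > 66.33.1.213.3183: P 1:42(41) ack 1 win 5792
"""

def parse(trace):
    """Yield (src, sport, dst, dport, is_bare_syn) for each parsable record."""
    for line in trace.strip().splitlines():
        m = REC.match(line.strip())
        if m:
            src, sport, dst, dport, flags, rest = m.groups()
            # A bare SYN opens a connection; a SYN with "ack" is the reply.
            bare_syn = "S" in flags and " ack " not in rest
            yield src, int(sport), dst, int(dport), bare_syn

def initiators(trace, server_ip):
    """Map (local_port, remote_ip, remote_port) to 'outbound' or 'inbound'."""
    flows = {}
    for src, sport, dst, dport, bare_syn in parse(trace):
        if not bare_syn:
            continue
        if src == server_ip:
            flows.setdefault((sport, dst, dport), "outbound")
        else:  # setdefault also absorbs retransmitted SYNs
            flows.setdefault((dport, src, sport), "inbound")
    return flows

def unsolicited_from_port(trace, server_ip, port=25):
    """Packets the server sent from `port` on flows no remote SYN opened."""
    flows = initiators(trace, server_ip)
    return [(dst, dport) for src, sport, dst, dport, _ in parse(trace)
            if src == server_ip and sport == port
            and flows.get((sport, dst, dport)) != "inbound"]

if __name__ == "__main__":
    print(initiators(TRACE, SERVER))
    print(unsolicited_from_port(TRACE, SERVER))
```

A capture that starts in the middle of a connection never shows the opening SYN, so its packets would be listed as unsolicited; start the capture before the traffic of interest.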





