The FreeBSD Diary
Providing practical examples since 1998
Is your ISP blocking port 25? Here's a Postfix solution.
10 February 2006
My ISP started blocking incoming port 25. It's already blocking outgoing port 25 and I'm handling that. Now it's time to start accepting incoming mail on the submission port, 587. They aren't blocking my incoming port 25. But we went through this process for another guy on our computer, so I figured that this is a good thing for which it will pay to be proactive.
This solution assumes you have a mail server at home and at least one other mail server out there on the Internet, one which does not have port 25 blocked. That part is crucial to this solution. It is the external server[s] that will accept incoming mail and forward it to you. In DNS terms, your MX records will not point to your home server, but to your public server.
Your home mail server
I started by adding the following line to
10.34.0.1:587 inet n - n - - smtpd
where 10.34.0.1 is the public IP address of my mail server [no, that's not really my IP address]. This instructs Postfix to listen on that IP address on port 587. This is known as the submission
$ grep 587 /etc/services
submission 587/tcp
submission 587/udp
Your public mail server
Then I added this to
transport_maps = hash:/usr/local/etc/postfix-config/transport
This tells Postfix to observe the transport directives in the above-mentioned file. You can put the file wherever you want. I like to keep it in that directory, which you'll probably have to create because it's not part of the standard system. In
cd /usr/local/etc/postfix-config
postmap transport
You should now see a
Then I sent a test message from the public mail server:
$ echo 'test' | mail email@example.com
I confirmed that it was coming in on port 587 with this command on my mail server at home:
tcpdump -i fxp0 port 587
Where fxp0 is the outside NIC on my firewall (the one with IP 10.34.0.1) as shown above.
Then, on the public mail server, I requeued all the messages, so they'd use the right transport:
postsuper -r ALL
All the messages were delivered to the right spot.
I control access to port 587 on my mail server. I have firewall rules in place that allow connections only from my home server. I think there are no security risks involved in keeping it open, but I see no reason to give access where no access is required.
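The transport map on the public server is what decides whether relayed mail actually leaves on port 587. As an added example (not code from the original article), this Python script lints a transport(5) map for the two mistakes that defeat the setup: a nexthop without [brackets], which leaves MX lookups enabled so mail resolves back to the public server, and a missing port, which falls back to 25. The domains in the sample map are constructed placeholders, and lint_map and its messages are names made up here.

```python
import re

# Nexthop forms accepted by transport(5): host, host:port, [host], [host]:port
NEXTHOP = re.compile(r"^(?:\[(?P<lit>[^\]]+)\]|(?P<name>[^:\[\]]+))(?::(?P<port>\w+))?$")

# Constructed sample map; domains are placeholders, 10.34.0.1 is the page's stand-in address.
SAMPLE = """\
# home domains relayed to the submission listener
example.org   smtp:[10.34.0.1]:587
example.net   smtp:home.example.net:587
example.com   smtp:[10.34.0.1]
"""


def logical_lines(text):
    """Join continuation lines (leading whitespace); drop blanks and comments."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out


def lint_map(text, want_port="587"):
    """Return (pattern, problem) pairs for SMTP relay entries that would miss port 587."""
    problems = []
    for line in logical_lines(text):
        fields = line.split(None, 1)
        if len(fields) != 2:
            problems.append((fields[0], "no transport:nexthop value"))
            continue
        pattern = fields[0]
        transport, _, nexthop = fields[1].partition(":")
        if transport not in ("", "smtp", "relay") or not nexthop.strip():
            continue  # not an SMTP relay entry, e.g. "local:"
        m = NEXTHOP.match(nexthop.strip())
        if m is None:
            problems.append((pattern, "unparsable nexthop"))
            continue
        if m.group("lit") is None:
            problems.append((pattern, "nexthop not in [brackets]: MX lookup stays enabled"))
        if m.group("port") is None:
            problems.append((pattern, "no port: delivery defaults to 25"))
        elif m.group("port") not in (want_port, "submission"):
            problems.append((pattern, "port is not " + want_port))
    return problems
```

Run lint_map on the text of the transport file before running postmap; an empty list means every relayed domain goes to a bracketed host on port 587.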
What about the other way around?
If you need to handle outgoing port 25 to avoid ISP blocks, you can always use the same instructions, but in the reverse direction. It should just work.