2

As you know most ISP's block port 25 on outgoing mail. Some of my clients wish to use our mail server as an outgoing mail server. However, we do not have TLS or SSL. Is there a way to accept incoming connections on say, port 2525 on the smtp server?

EEAA
user49795
  • See also: http://serverfault.com/questions/123744/can-i-receive-mail-at-another-port-like-465-instead-of-default-25-on-my-mail-serv – Matt Jul 30 '10 at 13:44

4 Answers

3

You haven't specified which smtp server you're using, so I'll propose a universal method to redirect that should work regardless of what software you're running.

Add these iptables rules:

Permit 2525/tcp through the firewall:

# iptables -A INPUT -i eth0 -p tcp --dport 2525 -j ACCEPT   # after the nat REDIRECT below, INPUT sees dport 25, so 25/tcp must be accepted too

Redirect traffic arriving on 2525/tcp to 25/tcp:

# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 2525 -j REDIRECT --to-ports 25

I haven't tested this rule yet, but I believe it should work.

Keep in mind, though, that other mail servers out on the internet will not know that they need to connect on port 2525. If you're only using this for clients to send mail, though, using an alternate port should be no problem.

Additionally, I'd recommend that you use port 587 instead of 2525. Port 587 is the RFC-sanctioned SMTP "submit" port, and many clients will already be set up to use this. At this point in time, I know of no ISPs that block this submission port.

user@host:~$ grep 587 /etc/services
submission  587/udp     # Submission
submission  587/tcp     # Submission
...
EEAA
  • Thanks, ErikA.. Sorry I didn't specify the smtp server. I'm using sendmail. I'm going to give that a try and I'll let you know if that works. I understand that other mail servers will not know to connect on port 2525, when I provide the information to the clients I'll let them know the correct port number. – user49795 Jul 30 '10 at 14:06
  • No problem. Did you see the update I made to my answer about using port 587? That would be a much better idea than using 2525. – EEAA Jul 30 '10 at 14:08
  • Awesome. I just saw that. I'll give that a shot. – user49795 Jul 30 '10 at 14:12
  • I really hate to sound dumb, but when I try iptables, it just says command not found. So, it looks like it's not installed. – user49795 Jul 30 '10 at 17:38
  • Are you trying to run it as root? If not, try that. If it's still not there, you can install it quite easily from your repo's package repository. – EEAA Jul 30 '10 at 17:51
  • Sure was! Looks like I'll have to install. – user49795 Jul 30 '10 at 18:03
1

Ah -- you appear to be using sendmail.

If you look in your sendmail.mc, you probably have a line like:

dnl DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl

If you remove the leading dnl and then re-generate your sendmail.cf, sendmail should start listening on port 587 without any iptables port-forwarding magic required.

David Mackintosh
  • I tried this, re-generated the sendmail.cf and am still trying to test it. It won't authenticate, so it doesn't quite seem like it's listening on that port. – user49795 Jul 30 '10 at 16:57
  • Authentication is another ball of wax. My notes from a few years ago are here http://wiki.xdroop.com/space/sendmail/smtp-auth hopefully they will point you in the right direction. – David Mackintosh Aug 02 '10 at 12:48
0

Yes - most servers will easily allow you to change the port it's listening on - and it's simple to redirect connections to port 25 on a Linux box or any box sitting behind a moderately capable firewall. How you do that depends on the hardware / software / OS. It's also easy to configure most MUAs to use a non-standard port for SMTP connections.

The rest of the world will try to connect to port 25 on the host defined in the MX server when it wants to send mail to you, but you say that you're just looking to provide an outgoing mail service for your customers.

The obvious solution (for Linux, Unix, MSWindows and some others) is to use stunnel to shift the traffic onto a different port (and it'll also wrap it in SSL, potentially allowing you to use client certificate verification). But you do need to ensure that you have some authentication in place and also that your server is included in any published SPF records. If your customers/you don't own the domains you will be processing mail for, then it's a non-starter.

C.

symcbean
  • Thanks for that. Yeah, I was already attempting to do that. What file would I modify to forward incoming connections? – user49795 Jul 30 '10 at 13:57
  • Without using a proxy like stunnel? I have no idea - you didn't say what you are using as a MTA. – symcbean Jul 31 '10 at 21:29
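Once the submission port is open, whether through the iptables redirect in EEAA's answer or by enabling the DAEMON_OPTIONS line from David Mackintosh's answer, the thing to verify is that the port actually answers and that it advertises AUTH (and ideally STARTTLS) before you hand it to clients, which is the authentication concern symcbean's answer raises. The probe below is an added example and not code from this thread or from sendmail. It connects, reads the greeting, sends EHLO and reports which extensions the server lists. So that it runs offline, it talks to a constructed in-process fake SMTP server (`FakeSubmissionServer`; the hostname `mail.example.invalid` and the extension lists are made up); point `probe_submission_port` at a real host and port 587 to check a live server.

```python
"""Probe an SMTP submission port and report whether it advertises AUTH/STARTTLS.

Added example, not part of the original thread. The fake server is constructed
for the demo; a real MTA's greeting and extension list will differ.
"""
import socket
import socketserver
import threading


class FakeSubmissionHandler(socketserver.StreamRequestHandler):
    """Minimal ESMTP responder: greets, answers EHLO with the server's extension list."""

    def handle(self):
        self.wfile.write(b"220 mail.example.invalid ESMTP (constructed test server)\r\n")
        while True:
            line = self.rfile.readline()
            if not line:
                break
            cmd = line.strip().upper()
            if cmd.startswith(b"EHLO"):
                # Multi-line reply per RFC 5321: "250-" on every line but the last, "250 " on the last.
                reply = ["mail.example.invalid Hello"] + list(self.server.extensions)
                for text in reply[:-1]:
                    self.wfile.write(b"250-" + text.encode() + b"\r\n")
                self.wfile.write(b"250 " + reply[-1].encode() + b"\r\n")
            elif cmd.startswith(b"QUIT"):
                self.wfile.write(b"221 closing connection\r\n")
                break
            else:
                self.wfile.write(b"502 command not implemented\r\n")


class FakeSubmissionServer(socketserver.ThreadingTCPServer):
    """Constructed stand-in for the MTA; binds an ephemeral port on localhost."""
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, extensions):
        super().__init__(("127.0.0.1", 0), FakeSubmissionHandler)
        self.extensions = extensions


def read_reply(f):
    """Read one SMTP reply (single or multi-line); return (code, [text after the code])."""
    lines = []
    while True:
        raw = f.readline()
        if not raw:
            raise ConnectionError("server closed the connection mid-reply")
        line = raw.decode("ascii", errors="replace").rstrip("\r\n")
        lines.append(line[4:])
        if len(line) < 4 or line[3] != "-":
            return line[:3], lines


def probe_submission_port(host, port, timeout=5.0):
    """Connect, EHLO, QUIT; report the banner, extensions, and AUTH/STARTTLS availability."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rwb")
        code, banner = read_reply(f)
        if code != "220":
            raise RuntimeError(f"unexpected greeting {code}: {banner}")
        f.write(b"EHLO probe.example.invalid\r\n")
        f.flush()
        code, reply = read_reply(f)
        f.write(b"QUIT\r\n")
        f.flush()
        read_reply(f)  # consume the 221 so the server side closes cleanly
    if code != "250":
        raise RuntimeError(f"EHLO rejected with {code}: {reply}")
    extensions = reply[1:]  # first line is the server's own greeting text
    keywords = {e.split()[0].upper() for e in extensions if e.strip()}
    return {
        "banner": banner[0],
        "extensions": extensions,
        "advertises_auth": "AUTH" in keywords,
        "advertises_starttls": "STARTTLS" in keywords,
    }


def demo():
    """Probe two constructed servers: one advertising AUTH and STARTTLS, one advertising neither."""
    results = {}
    for label, exts in (
        ("hardened", ["STARTTLS", "AUTH PLAIN LOGIN", "SIZE 10485760"]),
        ("plain", ["SIZE 10485760"]),
    ):
        server = FakeSubmissionServer(exts)
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            results[label] = probe_submission_port("127.0.0.1", server.server_address[1])
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    for label, r in demo().items():
        print(f"{label}: AUTH={r['advertises_auth']} STARTTLS={r['advertises_starttls']} {r['extensions']}")
```

A server that lists AUTH has the mechanism configured, but that alone does not prove it refuses to relay for unauthenticated clients; the complementary check is to attempt a MAIL FROM/RCPT TO to an outside domain without authenticating and confirm the server answers with a 5xx rejection. Note also that on a plaintext port without STARTTLS, AUTH PLAIN and LOGIN send credentials in the clear, which is the reason to prefer the stunnel or TLS route once the port is reachable.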
-1

What kind of server is it? Microsoft, Linux?
If we are talking Exchange then yes there is a way, which is simple to use!

Let me know!

JamesK