BRAVO TECHNOLOGY CENTER

Out-bound Email SMTP Server Issues

by Sam C. Chan


July 18, 2006

(This article is for the target audience of small businesses using a consumer Internet access line at the office. It's written in concise notes format, intended as companion materials for interactive discussions, rather than a stand-alone in-depth course.)

This is a definitive look at the seemingly unsolvable "problems" with SMTP servers that baffle many consultants. Everything is complicated, and email is no exception, especially for small businesses with mobile computers. Once the situation is properly understood, the few solutions and (less than painless) work-arounds become obvious.

The 3 Issues:

  • Open Relay Restrictions (for the past 5 years; all ISPs in the United States)
  • TCP Port 25 Blocking (for the past 3 years; most ISPs in the United States)
  • SMTP Authentication (since mid 2006; still uncommon)

How Email Sending Works

When you send email, your email program simply uses TCP port 25 to submit your out-bound messages to an SMTP server, which in turn performs all the rest behind the scenes for you, and eventually delivers them to the recipients' mailboxes.

Change in Internet Landscape

In the old days, anyone could use any SMTP server in the world. All SMTP servers accepted messages from anyone and delivered them to anyone, no questions asked. As the Internet became mainstream, the amount of abuse and exploitation increased exponentially. SPAM has been a major problem for almost a decade.

Open Relay Restrictions

About 5 years ago, virtually all ISPs in the United States ceased the practice of "open relay." Access to an SMTP server is granted only if at least 1 of these 3 criteria is met:

  • Sender is on the authorized physical line.
  • Message is destined for authorized recipient (typically same domain as server).
  • Sender authenticated to the SMTP server (if supported).

This eliminated the "free ride" for SPAMmers, and made them slightly more traceable.

TCP Port 25 Filtering/Blocking

For the past 3 years, virtually all major ISPs in the United States have implemented TCP port 25 blocking on consumer lines, which effectively bans users from:

  • running SMTP servers on premises (such as Exchange Server, or email worms), or
  • accessing outside SMTP servers (such as: hosting providers).

Port 25 privilege has since been reserved for commercial users only, on business lines (SDSL, T1, T3, etc.). Note: 99% of small businesses are in fact using consumer grade Internet access lines.

SMTP Authentication

As an ancient, crude, insecure and inefficient protocol, SMTP has far outlived its useful life. It was originally designed to handle a small, friendly community of universities exchanging brief messages via teletype machines, using 7-bit characters! Authentication is one of those patched-on features (just like MIME and attachments) added in recent years:

  • "Log in" is required even when you're on the ISP's physical line.
  • As a result, a worm on the line cannot use the SMTP server (it has no credentials).
  • Authentication makes it possible to access the server from other lines.
  • Currently not supported at the majority of ISPs in the United States.

The Implications & Consequences

So, what does it all mean? Here are the most prominent (and over-simplified) points:

  • If you're on an ISP x line, you have to use the SMTP server from ISP x.
  • You're not allowed to run your own SMTP server on-premises.
  • You can't access outside SMTP servers, such as those from hosting providers.
  • Your mobile PC, set up to work at your location, will fail to send at other locations.
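The three restrictions above (open relay criteria, port 25 blocking on consumer lines, and SMTP authentication) compound in ways that are easiest to see by tracing a few concrete cases. The following is an added example, not part of the original article: a small Python model of the rules as the article states them, run over constructed scenarios. The ISP names ("isp-a", "isp-b", "hosting"), domains and line types are made up for illustration; the model assumes port 25 is filtered on consumer lines except toward the line owner's own server, and that any other port passes unfiltered.

```python
"""Model of the three out-bound SMTP restrictions.

Added example (not the article's own material).  ISPs, domains, line
types and accounts below are constructed for illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Line:
    isp: str          # ISP that owns the physical line the PC is plugged into
    business: bool    # business lines (SDSL, T1, ...) are exempt from port 25 blocking


@dataclass(frozen=True)
class SmtpServer:
    isp: str              # ISP operating the server ("hosting" = a hosting provider)
    domain: str           # recipient domain the server accepts mail for
    supports_auth: bool   # whether SMTP AUTH is offered at all


@dataclass(frozen=True)
class Account:
    server: SmtpServer
    port: int             # 25, or an unfiltered alternative such as 587
    authenticated: bool   # user name/password configured and accepted


def port_blocked(line: Line, port: int, server: SmtpServer) -> bool:
    """TCP port 25 blocking: on a consumer line, port 25 is reachable only on
    the line owner's own SMTP server.  Other ports are not filtered."""
    if port != 25 or line.business:
        return False
    return server.isp != line.isp


def relay_allowed(line: Line, account: Account, recipient: str) -> bool:
    """Open relay restrictions: at least one of the three criteria must hold."""
    server = account.server
    on_authorized_line = server.isp == line.isp
    authorized_recipient = recipient.rsplit("@", 1)[-1].lower() == server.domain
    authenticated = server.supports_auth and account.authenticated
    return on_authorized_line or authorized_recipient or authenticated


def can_send(line: Line, account: Account, recipient: str) -> str:
    """Return 'ok', or a string naming the restriction that stops the send."""
    if port_blocked(line, account.port, account.server):
        return (f"blocked: port {account.port} to {account.server.isp} "
                f"is filtered on the {line.isp} consumer line")
    if not relay_allowed(line, account, recipient):
        return f"rejected: relay denied by {account.server.isp}"
    return "ok"


# Constructed scenario: ISP A at the office, ISP B at a hotel, and a hosting
# provider's server that offers authentication on port 587.
ISP_A = SmtpServer(isp="isp-a", domain="isp-a.example", supports_auth=False)
ISP_A_AUTH = SmtpServer(isp="isp-a", domain="isp-a.example", supports_auth=True)
HOSTING = SmtpServer(isp="hosting", domain="mybiz.example", supports_auth=True)

OFFICE = Line(isp="isp-a", business=False)      # consumer line at the office
HOTEL = Line(isp="isp-b", business=False)       # consumer line while roaming
T1_OFFICE = Line(isp="isp-a", business=True)    # business line, port 25 open


def scenarios() -> dict:
    other = "x@other.example"
    return {
        "office, ISP A server": can_send(OFFICE, Account(ISP_A, 25, False), other),
        "hotel, same account": can_send(HOTEL, Account(ISP_A, 25, False), other),
        "hotel, hosting on 25": can_send(HOTEL, Account(HOSTING, 25, True), other),
        "hotel, hosting on 587 + auth": can_send(HOTEL, Account(HOSTING, 587, True), other),
        "hotel, hosting 587, no auth, own domain": can_send(HOTEL, Account(HOSTING, 587, False), "boss@mybiz.example"),
        "hotel, hosting 587, no auth, other domain": can_send(HOTEL, Account(HOSTING, 587, False), other),
        "T1 office, hosting on 25": can_send(T1_OFFICE, Account(HOSTING, 25, True), other),
        "hotel, ISP A auth on 25": can_send(HOTEL, Account(ISP_A_AUTH, 25, True), other),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:42s} -> {result}")
```

The last case is the one the "Naturally Workable Scenarios" list alludes to: authenticated ISP SMTP on port 25 is still dead on arrival from another ISP's consumer line, because port blocking is evaluated before the server ever sees the credentials. Only the hosting provider's authenticated server on an unfiltered port survives every line in the model.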

Some Naturally Workable Scenarios

  • Use only stationary workstations (complications only apply to mobile PCs)
  • Manual re-configuration of each email account upon relocation.
  • Automated re-configuration via scripts launched from shortcuts.
  • Use multiple Windows user accounts with different configurations.
  • Use authenticated ISP SMTP (will work when roaming to an unrestricted line).
  • Get a business line, and only travel to places with unrestricted SMTP lines.

Solutions and Work-Arounds

  • Implement Exchange Server (Outlook VPN via HTTP). Ideal solution.
  • Outlook Web Access (OWA) (req. Exchange Server). Best light-weight solution.
  • Webmail (hosted, or free) possibly in conjunction with POP forwarding.
  • Remote Sessions: RDP, VNC, PCA, GotoMyPC, etc.
  • Custom SMTP relay on unfiltered ports, with SSL and authentication.
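The last work-around, a custom relay on an unfiltered port with SSL and authentication, is the one that addresses all three issues at once, and it is also the clearest illustration of the submission step described under "How Email Sending Works". The following is an added example, not the article's or any vendor's code: a Python client that submits through such a relay, upgrading the session with STARTTLS before presenting credentials. The relay host name, port 587 (the standard mail submission port, used here instead of 25 because it is not filtered) and the user name/password are placeholders. The AUTH PLAIN encoder is included because it shows why TLS must come first: the credential is only base64-obscured, not encrypted.

```python
"""Submitting through an authenticated relay on an unfiltered port.

Added example, not from the article.  Host, port and credentials are
placeholders; nothing here contacts a real server unless submit() is called.
"""
import base64
import smtplib
import ssl
from email.message import EmailMessage


def auth_plain_credential(username: str, password: str, authzid: str = "") -> str:
    """Encode the SASL PLAIN credential: authzid NUL authcid NUL password,
    base64 encoded.  This is the string sent after 'AUTH PLAIN'; it is
    reversible, so it must only be sent on a TLS-protected session."""
    raw = f"{authzid}\0{username}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_auth_plain(credential: str) -> tuple:
    """Inverse of auth_plain_credential (useful when reviewing a relay's logs
    or a packet capture to confirm credentials never appear on the wire in clear)."""
    authzid, authcid, password = base64.b64decode(credential).decode("utf-8").split("\0")
    return authzid, authcid, password


def build_message(sender: str, recipient: str, subject: str, body: str) -> EmailMessage:
    """Build a plain-text message with the headers the relay will expect."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def submit(host: str, port: int, username: str, password: str,
           msg: EmailMessage, timeout: float = 30.0) -> dict:
    """Submit msg via the relay.  Order matters: EHLO, STARTTLS (with
    certificate verification), EHLO again, AUTH, then the message.
    Returns smtplib's refused-recipients dict; {} means all accepted."""
    context = ssl.create_default_context()   # verifies the relay's certificate chain
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            # Refuse rather than fall back to sending the password in clear.
            raise RuntimeError("relay does not offer STARTTLS; not sending credentials")
        smtp.starttls(context=context)
        smtp.ehlo()                           # capabilities must be re-read after TLS
        smtp.login(username, password)        # smtplib picks PLAIN/LOGIN/CRAM-MD5 as offered
        return smtp.send_message(msg)


if __name__ == "__main__":
    # Placeholder settings for a hypothetical relay; replace before use.
    RELAY_HOST, RELAY_PORT = "relay.example", 587
    USER, PASSWORD = "user", "pass"
    cred = auth_plain_credential(USER, PASSWORD)
    print("AUTH PLAIN credential on the wire:", cred)
    print("...which decodes straight back to:", decode_auth_plain(cred))
    message = build_message("boss@mybiz.example", "x@other.example", "Test", "Hello from the road")
    print("Would submit via", RELAY_HOST, RELAY_PORT, "after STARTTLS and AUTH; call submit() to send.")
```

Running the block stand-alone only demonstrates the credential encoding; submit() is what the mobile PC would call at any location, and because it targets port 587 and authenticates, it satisfies the relay criteria and escapes port 25 blocking on whatever consumer line happens to be in use. Pairing it with port 443 (as the closing paragraph recommends) requires the relay operator to listen there as well; the client code is unchanged apart from the port.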


Points to Remember:

  • Limitations and restrictions are cumulative and compounded.
  • Some combinations of restrictions result in no possible (pleasant) solution!
  • In-bound email is totally unrelated, and therefore not considered here.

While roaming in unfamiliar territories, the actual extent of the "Internet access" available to you varies significantly from one site to another. About the only thing you can count on is having unfiltered web access, which means ports 80 and 443. Solutions that are based on port 80/443, or that can be carried over port 80/443 via tunneling or proxies, are your best bet.

Copyright 2005-2006 Bravo Technology Center