July 18, 2006
(This article is for the target audience of small businesses using a
consumer Internet access line at the office. It's written in concise
notes format, intended as companion materials for interactive discussions, rather than a stand-alone in-depth course.)
This is a definitive look at the seemingly unsolvable "problems"
with SMTP servers that baffles many consultants. Everything is
complicated, and email is no exception, especially for small businesses
with mobile computers. Once the situation is properly understood, the
few solutions and (less than painless) work-arounds become obvious.
The 3 Issues:
- Open Relay Restrictions (since 5
years ago, all ISPs in United States)
- TCP Port 25 Blocking (since 3 years
ago, most ISPs in United States)
- SMTP Authentication (since mid
2006, still uncommon)
How Email Sending Works
When you send email, your email program simply uses TCP port 25 to submit
your out-bound messages to an SMTP server, which in turn performs all the rest behind the scene for you, and
eventually deliver them to the recipients'
Change in Internet Landscape
In the old days, anyone can use any SMTP server in the world. All SMTP servers accepted messages from anyone and delivered them to anyone
with no questions asked. As the Internet became mainstream, the amount
of abuse and exploitation increased exponentially. SPAM has been a major problem for almost a decade.
Open Relay Restrictions
About 5 years ago, virtually all ISPs in United States ceased
the practice of "open relay." Access to SMTP servers
only if at least 1 of these 3
criteria are met:
- Sender is on the authorized physical line.
- Message is destined for authorized recipient
(typically same domain as server).
- Sender authenticated to the SMTP server (if supported).
This eliminated the "free ride" for SPAMmers, and made them slightly more traceable.
TCP Port 25 Filtering/Blocking
Since 3 years ago, virtually all major ISPs in United States have
implemented TCP port 25 blocking on consumer lines, which
effectively banned users from:
- running SMTP servers on
premises (such as Exchange Server, or email worms), or
outside SMTP servers (such as: hosting providers).
Port 25 privilege has since been reserved for commercial
users only, on business lines (SDSL, T1, T3, etc.).
Note: 99% of small businesses are in fact using consumer
grade Internet access lines.
As an ancient, crude, insecure and inefficient protocol, SMTP has far
out-lived its useful life. It was originally designed to handled a small
friendly community of universities exchanging brief messages via
teletype machines, using 7-bit characters! Authentication is one of
those patched on features (just like MIME and attachments) in recent
- "Log in" required even when you're on the ISP's physical line.
- As a result of that, a worm cannot access the SMTP server.
- Authentication makes possible the access of it when on other
- Currently not supported at majority of ISPs in United
The Implications & Consequences
So, what does it all mean? Here
are a few most prominent
(and over-simplified) points:
- If you're on an ISP x line, you have to use the SMTP server from
- You're not allowed to run your own SMTP server on-premises.
- You can't access outside SMTP servers, such as those from hosting
- Your mobile PC setup to work at your location will fail to send
at other locations.
Some Naturally Workable Scenarios
- Use only stationary workstations (complications only apply to
- Manual re-configuration of each email account upon relocation.
- Automated re-configuration via scripts launched from shortcuts.
- Use multiple Windows user accounts with different
- Use authenticated ISP SMTP (will work when roam to a
- Get a business line, and only travel to places with
unrestricted smtp lines.
Solutions and Work-Arounds
- Implement Exchange Server (Outlook VPN via HTTP).
- Outlook Web Access (OWA) (req. Exchange Server)
Best light-weight solution.
- Webmail (hosted, or free) possibly in conjunction with
- Remote Sessions: RDP, VNC, PCA, GotoMyPC, etc.
- Custom SMTP relay on unfiltered ports, with SSL and authentication.
Points to Remember:
- Limitations and restrictions are cumulative and compounded.
- Some combination of restrictions result in no possible
- In-bound email are totally unrelated, and therefore not considered here.
While roaming in unfamiliar territories, the actual extend of your "Internet
access" available varies significantly from one site to another. About the only
thing you can count on is having unfiltered web access. That means port
80 and 443. Solutions that are based-on, or can support port 80/443 via
tunneling or proxies are your best bet.