Today my ClearOS email server stopped receiving emails addressed to my domain address. I found a site to test the SMTP server, and it fails, so I expect I have a fair amount of email backed up at the ClearOS MX backup server. I have spent the day trying various fixes, none of which appear to work. I use an external SMTP server for outgoing email. Is there a good way to replace the ClearOS SMTP server with my external one? I have looked for help and haven't found any. I've set it up as a relay host, but no help there either. Alternatively, how can I configure the ClearOS SMTP server to use a port other than 25, which I suspect Comcast has blocked? Any help greatly appreciated.
You're having some learning experience!
It is pretty standard for a dynamic IP to be on a blacklist but that only stops you sending mails and not receiving them. That is probably part of the reason you use SMTP2GO. You not receiving e-mails is probably just Comcast policy. It is nothing to do with you not being able to receive e-mails.
If Comcast Business will allow you to set a PTR record, and you get it set to match your MX record, then you should be able to send e-mails directly rather than use SMTP2GO. My ISP will only allow me to set my PTR record if I also take a block of IP's. They won't do it for a single IP so I use a different relay service.
Interesting suggestion Nick. But I think I have found an easier one, albeit one that requires a hardware change and different service here.
I talked to Comcast Business this morning and can get a static IP, 600 Mb service (not guaranteed of course) and access to port 25 if needed. My SMTP2GO contact noted that my current Comcast dynamic IP address is blacklisted with two major services, due to ComCast's block assignment, and I can't get that lifted. He speculates that the blacklist was what might be causing ComCast, who provides the IP, to disallow a connect. Seems logical, although it does bring the chicken or the egg, or perhaps Catch 22, into the equation.
Anyway, the ComCast gentleman is investigating whether getting emails to a static address with them will be an issue. If I move to that service, drop Lumos altogether, the net cost is almost the same, so I expect, once the mail situation is confirmed, that I will do just that. Their business max service also provides an LTE 4G automatic backup with two different cell providers, so the need for the Lumos DSL backup goes away as well.
There will be some work involved in removing all references to the ntelos.net email address, but I know most, if not all, of the locations where I have used it either as a logon or a return email address, so once all that is changed over, I can dump Lumos without much regret. It's not the same service I moved to from Verizon more than 20 years ago.
I do appreciate the time you've spent in trying to help me with this problem. If nothing else, I've learned a great deal and expect that this solution is going to work, and stop the outages altogether.
They may block port 25 for dynamic IP's and domestic customers but I doubt very much if they would block it for business customers.
The only other ways I can think of doing it are by running a cloud instance of postfix, e.g. ClearOS, and then relaying to your main version of ClearOS either in a VPN or by switching ports. ClearOS allows you to do Mail Forwarding to different ports. You'd then need a port redirection rule in your main firewall to switch back to 25 or you'd need a separate instance of postfix running on a different port (harder to do). Easier in some ways would be to use the VPN route between the cloud instance and your main server. Then no port switching is needed.
Once Lumos comes back, I will be able to retrieve that mass of emails stuck at ClearOS. But that being said, I am now married to them if I want to continue running my own email server. Comcast is the only game in town with any speed. Verizon will never bring FIOS here, neither will Segra, and according to Comcast, most of the major providers block port 25. There's got to be some solution for this, but my tiny brain is tired and I am quitting for the day. Thank you Nick.
I have pretty much no idea what you can do if you can't receive e-mails on port 25. You'll need to find some sort of e-mail host who can either store and forward on a different port or receive for you to pick up with the mail retrieval app. Alternatively you'll need to find an ISP who will allow you to use port 25. I wonder if Comcast will allow you to do this if you have a business line. You are not in a good position.
The more we talk about this, the more confused I become.
I used tcpdump on ports 25, 465 and 587 to monitor an outbound email to my ntelos/lumos address. The send went out through port 587, not 465 or 25, on my system. So the changes I made to postfix's main.cf file have routed emails to my outbound smtp provider, which is smtp2go, via that port. They are being received at smtp2go without issue. Yes, it is an outbound server that I have used for a number of years when I could not get SMTP to function on ntelos/lumos.
However, when I look at the emails directed to my domain name, www.wa4rts.net, smtp2go indicates that it is trying to route them to the correct domain address resolved by dns but the connection to my domain times out. Since you are saying that all incoming emails are routed through port 25 and comcast blocks port 25, therein lies the problem.
I can only assume that ntelos/lumos does NOT block port 25, but since that service is still out for me, I can't confirm it until it returns. So the problem remains -- if the comcast connection times out, routing email to the backup at ClearOS, and that backup restores via port 25, how do I deal with this problem?
I apologize for being somewhat dense, but it just doesn't make sense. Sorry to waste so much of your time and draw on your good nature.
Isn't SMTP2GO an outbound e-mail service, so you use them to relay your outgoing e-mails? If so, they will always transmit e-mails onwards using port 25. That is the e-mail standard. 465 and 587 are only really for internal e-mails with authentication and with other MTA's by special arrangement.
Nick, ComCast blocks port 25. That is probably what you are seeing. The question is how do I route mail delivery to my IMAP server through 465 or 587. Port 25 is open on my firewall, but your telnet to port 25 should never get through ComCast, and I am sure that is what you are seeing. I need to query SMTP2GO to see how they are routing, I guess. If those emails are being routed to port 25, that's probably the answer to this problem.
Look at my output. I can get to your ports 465 and 587 but not 25. If you think 25 is open then it is being blocked. You can try setting up tcpdump then doing a port scan of 25 and see if you get anything and then try 587. Tcpdump can do a lot but I often have to use google to get the syntax right. Something like:
tcpdump -nni your_wan_interface '(port 25 or port 587)'
should do it. You should see the scan get you on both ports. If it does not, it is being blocked somewhere outside.
One more comment -- I looked at how emails were being handled by my outside SMTP server and found this information:
05/22/2020 15:01:57 Delivered mxbackup1.clearsdn.com [18.104.22.168]
250 2.0.0 Ok: queued as CBBD240FDA (delivered to email@example.com)
05/22/2020 15:01:57 www.wa4rts.net [22.214.171.124] Connection timed out
05/22/2020 14:59:46 Processed localhost Received by mail.smtp2go.com (Mailer-Daemon@smtpcorp.com -> firstname.lastname@example.org)
So my comcast address is being queried and timing out. If I could solve why this is happening, this issue would be fixed. Any ideas? Is Comcast blocking the connection?
25 does not look reachable:
[root@server ~]# nmap wa4rts.net -p 25,465,587
Starting Nmap 6.40 ( http://nmap.org ) at 2020-05-22 19:38 BST
Nmap scan report for wa4rts.net (126.96.36.199)
Host is up (0.10s latency).
rDNS record for 188.8.131.52: c-73-147-60-131.hsd1.va.comcast.net
PORT STATE SERVICE
25/tcp filtered smtp
465/tcp open smtps
587/tcp open submission
Nmap done: 1 IP address (1 host up) scanned in 1.87 seconds
Port 587 has been working in ClearOS since last summer, I believe, but to get it working master.cf had to be changed. The changes to main.cf I believe are to allow you to send out e-mails on port 587. That is what I had to do to relay out via my SMTP relay service.
I have a strong suspicion that your problem is port 25 from Comcast.
One more tidbit -- using MX toolbox, I cannot verify SMTP to my domain address. It uses the command SMTP:wa4rts.net and returns a "can't connect" error. No indication in the mail log of an attempted connect. None from ClearOS backup either, for that matter. Both Cyrus and Postfix working properly. One more thing, when attempting to connect to my external SMTP provider on port 587 with TLS, I get an error. I read somewhere that STARTTLS is not supported by Postfix on 587, but I made the suggested changes in the main.cf file, and it still errors out. No encryption works fine, as does 465 with SSL.
Clear backup is what I am using. If I get rid of the Lumos account, that says it will no longer work I guess if port 25 on Comcast has to be used. My own port 25 is open. I hate to keep asking dumb questions, but will the traffic pass through to me on 25? I have to guess no, since my A address now matches the domain name, wa4rts.net. When pinged, I get the Comcast address, since I deleted the Lumos static address.
Try 184.108.40.206, my current outfacing dynamic address for Telnet, but that port is closed on my firewall, so it should give you a fail message.
Port 995 is POPS, so only useful for picking up e-mails, say, from your ISP's free mailboxes. Can you go onto an external port scanning website and see if they can even get a response out of your port 587? If I knew your IP I could scan it and try to telnet to it.
The ClearOS MX Backup service, if that is the one you are using, can't be switched to use port 587 AFAIK.
I made a comment yesterday that I don't see, so reposting. The service went out again, probably Wednesday (20th) evening. Segra was notified, rather emphatically, that afternoon, with the promised return phone call never happening. On Thursday I received notice that they were throwing the ball back to Verizon. Tech was actually here this morning (Friday), no Verizon issue. I watched him test the line back to the CO.
However, I spent most of yesterday trying to re-route the incoming email path. I removed the A listing for my Lumos static address, and now when I ping my domain, it references my ComCast dynamic IP. Even after talking with Comcast about the problem, the incoming emails are still piling up on the backup MX server at ClearOS. Comcast blocks port 25 and says they use 995 for incoming traffic, but I think that's for their own service, not messages that pass through to a customer IP.
Nick mentioned that if the backups were coming in, they were coming through port 25. That isn't going to be possible with Comcast. They allow encrypted traffic on port 587, but even after switching my SMTP information to use 587, it's no go. Any ideas about how to get the traffic through Comcast will be appreciated, as heaven only knows when the Segra people are going to do their job. This has been going on for two full weeks now, and I am really tired of it.
Nick, thanks for the answer. That is, indeed, the problem. The Segra folks have just gotten my DSL service restored, and the emails are flowing in. At least now I know why. As far as fixing it goes, wouldn't it make some sense to delete the nTelos address completely from DNS so that the Comcast address is used? I may not have this backup forever, though it does come in handy when Comcast goes out to lunch. I could do as you have suggested, however, if I can follow what you are saying to do. Thanks for the response.
Mail delivery uses your MX record. I am seeing:
[root@server ~]# host ntelos.net
ntelos.net has address 220.127.116.11
ntelos.net mail is handled by 10 mx1c28.carrierzone.com.
ntelos.net mail is handled by 100 mx2c28.carrierzone.com.
So both your MX records point to carrierzone.com. Is this a mail service who then forward to you? Can they be set up with multiple IP's to deliver to?
If you are using MultiWAN, can't your Clearcenter DDNS be prioritised to your static connection then fail over to your dynamic then you just get your mail service to use your Clearcenter DDNS?
When I do a ping to wa4rts.net it comes back with my ntelos static address. When I ping the current comcast address, it does not indicate wa4rts.net. Given that I have had ongoing issues with my ntelos connection since last Thursday, and I lost connectivity altogether -- dead line -- last evening, I am beginning to suspect that despite the fact that my DNS information shows the Comcast dynamic address it also shows the ntelos static address. Since that has been down since yesterday, it appears likely that the static address is being used, not found, and that's why the emails are piling up in the backup server. Any thoughts anyone? I am working with the folks at Segra, who FINALLY fixed my incoming telephone service -- it had only been gone since last Thursday, but in the process seem to have broken the DSL connectivity, which I keep as a backup. Perhaps when they fix that, the email will start to flow. But if that turns out to be the problem I need to determine how to have the domain name point to the correct primary provider.
Have a look in your mail log to see if there is mail coming in not from your MX backup. It should be fairly obvious as you'll see a load of transactions like:
May 10 05:25:23 server postfix/smtpd: connect from smtpq1.tb.ukmail.iss.as9143.net[18.104.22.168]
May 10 05:25:23 server postfix/smtpd: Anonymous TLS connection established from smtpq1.tb.ukmail.iss.as9143.net[22.214.171.124]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
If you are receiving mail from the MX Backup servers then port 25 can't be blocked. If you are not receiving mail, try an online port scan of your port 25 to see if it is open. Also try telnetting to your port 25 from the outside.
You can check your firewall to see if it is blocking and you can also monitor port 25 with tcpdump, which sits outside the firewall. If you see incoming attempts on 25 in tcpdump but no connection is made, so nothing in your mail log, then your firewall could be blocking. If you see nothing in tcpdump, e.g. when port scanning 25, then probably your ISP is blocking.
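The mail-log check Nick describes above, as an added example that is not part of the thread: it parses postfix smtpd "connect from" lines and splits inbound connections into those from the MX backup service and those from any other host, which is what tells you whether direct senders are reaching port 25. The log lines and IP addresses are constructed, and the backup host suffix (mxbackup1.clearsdn.com appears earlier in the thread) is an assumption.

```python
import re
from collections import Counter

# Matches a postfix smtpd connect line, with or without the [pid] part,
# as written to a ClearOS /var/log/maillog.
CONNECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd(?:\[\d+\])?: "
    r"connect from (?P<host>\S+?)\[(?P<ip>[0-9A-Fa-f.:]+)\]"
)

# Assumed suffixes of the MX backup hosts (the thread mentions clearsdn.com).
BACKUP_MX_SUFFIXES = (".clearsdn.com",)


def classify_connections(log_lines, backup_suffixes=BACKUP_MX_SUFFIXES):
    """Count inbound smtpd connections as 'backup' (from the MX backup
    service) or 'direct' (any other sending host)."""
    counts = Counter()
    for line in log_lines:
        m = CONNECT_RE.search(line)
        if not m:          # TLS, disconnect and queue lines are skipped
            continue
        host = m.group("host").lower()
        counts["backup" if host.endswith(backup_suffixes) else "direct"] += 1
    return counts


def diagnose(counts):
    """Turn the counts into the conclusion Nick's post draws from them."""
    if counts["direct"] > 0:
        return "direct delivery is arriving: port 25 is reachable from outside"
    if counts["backup"] > 0:
        return ("only the MX backup delivers: direct senders are not reaching "
                "port 25, compare tcpdump on the WAN side with the mail log")
    return "no inbound smtpd connections at all: check firewall and tcpdump"


# Constructed sample log; 192.0.2.x addresses are documentation addresses.
SAMPLE_LOG = [
    "May 10 05:25:23 server postfix/smtpd[1234]: connect from smtpq1.tb.ukmail.iss.as9143.net[192.0.2.10]",
    "May 10 05:25:23 server postfix/smtpd[1234]: Anonymous TLS connection established from smtpq1.tb.ukmail.iss.as9143.net[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)",
    "May 22 15:02:01 server postfix/smtpd[1300]: connect from mxbackup1.clearsdn.com[192.0.2.20]",
    "May 22 15:02:05 server postfix/smtpd[1300]: disconnect from mxbackup1.clearsdn.com[192.0.2.20]",
    "May 22 15:10:44 server postfix/smtpd: connect from mxbackup1.clearsdn.com[192.0.2.20]",
]

if __name__ == "__main__":
    c = classify_connections(SAMPLE_LOG)
    print(dict(c), "->", diagnose(c))
```

Run it against the real file with `classify_connections(open("/var/log/maillog"))` and compare the result with what tcpdump shows on the WAN interface during an external scan of port 25.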
And once again, in the here we go again department, my email imap server has ceased receiving incoming emails addressed to my domain. It continues to query the backup server I use, and those messages are arriving. I have close to 300 messages -- probably a lot of spam along with a few OK ones -- at ClearOS backup. I've put in a ticket on the issue, but any suggestions would be welcome.
I've downed and reupped the ClearOS server, stopped and restarted the imap and pop servers, found an old thread about corrupt CLAMAV files, and followed those instructions.
The DNS information is correct, and has not changed, and the dynamic DNS service is operating properly.
Going through the mail log all I see is the lack of incoming messages, no indication of a particular problem. I use an external SMTP server, SMTP2GO, and it is functioning properly.
The last time this happened, it magically cleared itself up. So I have no idea why or what to do to fix it again. I guess it's possible that Comcast decided to block port 25.
Perhaps check your maillog to see what happened when you changed to your backup ISP.
And for future reference, any public facing mail server receiving mail must use port 25 unless you have some sort of intermediate service which redirects the port. Also, if you need to redirect mail to another server, the way to do it is through your MX DNS record.