Comcast started blocking outbound port 25 on my cable modem yesterday. I can understand why — it stops a lot of infected machines from spamming the world. But it also broke the ability of my security webcam from sending me pictures to my server whenever it detects movement, and the cam firmware has no option to use the alternate authenticated port 587.
So this blog entry talks about how I got around the port 25 block so my webcam can continue to email images.
I realized something was amiss when I stopped getting pictures. So I tried a manual connection…
Catzillas-Computer:~ weave$ nc -v weaverling.org 25 nc: connect to weaverling.org port 25 (tcp) failed: Operation timed out
I checked my comcast.net mail and see the notice that I’m being blocked now. But the wording gave me concern…
“In an effort to help prevent spam and ensure the security of our network and customers, Comcast has modified your modem’s settings to prevent the sending of email on port 25. That is the default port email programs such as Outlook Express use to send email. We’ve taken this action because we may have detected virus-like activity from your modem or received reports from other email providers that mail from your modem generated complaints from their users. “
Well that explains the cam failure, but now I have a larger concern. Is a machine in my house spewing garbage? Well thankfully I have a Linux system acting as my home router, so I added a rule to the firewall table to log outgoing port 25 packets.
Mar 8 23:53:02 home kernel: outgoing-25 IN=eth1 OUT=eth0 SRC=10.20.30.59 DST=184.108.40.206 LEN=48 TOS=0x00 PREC=0x00 TTL=63 ID=42497 DF PROTO=TCP SPT=57338 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
That is my webcam. But nothing else is chattering on 25, so right now I back to my original problem — the webcam is being blocked. Well since the webcam wants to use port 25 I have no choice but to steer around the damage and rewrite packets from the webcam to use an alternate port. Thanks to iptables in Linux, a piece of cake!
First I go to my server and alter postfix mail server software to listen to port 2390. No magic to that port number except it’s listed as rsmtp in /etc/services so I used it. I just added the new port to my /etc/postfix/master.cf file. Next I add a firewall rule to my home’s Linux router to reroute any connection from the webcam to go down to the server as port 2390.
IPNAT="/sbin/iptables -t nat" $IPNAT -A PREROUTING -p tcp -i eth1 -s 10.20.30.59 -d 220.127.116.11 --dport 25 -j DNAT --to :2390
Piece of cake. It works! As for why I was blocked in the first place, they are either blocking everyone or they logged a lot of SMTP connections from my cable modem to an outside mail server. When movement is detected it sends an email once a second for as long as movement occurs, which can be a lot of messages.
(If you’re wondering why I do that, it’s because if the house is robbed, I want to get the evidence off-site as fast as possible. If it just recorded the images to a box inside the house, well that wouldn’t do much good if that box was stolen too!)
Update: March 13, 2009
Found another blog post that goes over an alternative way of doing this. I could have just configured postfix on my home Linux box, sent my webcam messages to it, then had that mail host use Comcast’s server or my own outside server to relay the email. This would be the way to go if you don’t have an email server outside of Comcast to relay stuff for you, but it also means having to stash your Comcast email’s id/password into your postfix config.
- David Wheeler’s “Getting Postfix to Send Mail From a Comcast Network“
Update: July 19, 2009
I just noticed that Comcast is no longer blocking port 25 on my cable connection. Perhaps the block is temporary in nature and when they see the excessive hits on port 25 from your IP drop off, they eventually unblock it.
Update: April 24, 2013
After years of not blocking it, they decided to start blocking it again. However, my old linux router is now gone and I’m using an off-the-shelf router. BUT ALL WAS NOT LOST. Thankfully it’s a Buffalo Router that runs Linux, so I opened up a shell on it and did the iptables command on it and now my webcam is sending again.
/usr/sbin/iptables -t nat -A PREROUTING -p tcp -i br0 -s 10.20.30.60 -d 18.104.22.168 --dport 25 -j DNAT --to :2390