
Getting around Comcast port 25 block

Comcast started blocking outbound port 25 on my cable modem yesterday. I can understand why: it stops a lot of infected machines from spamming the world. But it also broke my security webcam's ability to send pictures to my server whenever it detects movement, and the cam firmware has no option to use the alternate authenticated port 587.

So this blog entry talks about how I got around the port 25 block so my webcam can continue to email images.

I realized something was amiss when I stopped getting pictures. So I tried a manual connection…

Catzillas-Computer:~ weave$ nc -v weaverling.org 25
nc: connect to weaverling.org port 25 (tcp) failed: Operation timed out

I checked my comcast.net mail and saw the notice that I'm being blocked now. But the wording gave me concern…

“In an effort to help prevent spam and ensure the security of our network and customers, Comcast has modified your modem’s settings to prevent the sending of email on port 25. That is the default port email programs such as Outlook Express use to send email. We’ve taken this action because we may have detected virus-like activity from your modem or received reports from other email providers that mail from your modem generated complaints from their users.”

Well, that explains the cam failure, but now I have a larger concern: is a machine in my house spewing garbage? Thankfully I have a Linux system acting as my home router, so I added a rule to its firewall table to log outgoing port 25 packets.

Mar  8 23:53:02 home kernel: outgoing-25 IN=eth1 OUT=eth0 SRC=10.20.30.59 DST=207.192.69.241 LEN=48 TOS=0x00 PREC=0x00 TTL=63 ID=42497 DF PROTO=TCP SPT=57338 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0

That is my webcam. Nothing else is chattering on 25, so I'm back to my original problem: the webcam is being blocked. Since the webcam insists on port 25, I have no choice but to steer around the damage and rewrite its packets to use an alternate port. Thanks to iptables in Linux, that is a piece of cake!

First I go to my server and configure the postfix mail server to also listen on port 2390. There is no magic to that port number except that it's listed as rsmtp in /etc/services, so I used it. I just added the new port to my /etc/postfix/master.cf file. Next I add a firewall rule to my home's Linux router to redirect any connection from the webcam to the server's port 25 down to port 2390 instead.

IPNAT="/sbin/iptables -t nat"
$IPNAT -A PREROUTING -p tcp -i eth1 -s 10.20.30.59 -d 207.192.69.241 --dport 25 -j DNAT --to :2390
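The whole procedure as one script, added here as an example and not taken from the post: the master.cf line, the logging rule that writes the "outgoing-25" kernel lines shown above (assumed to live in the FORWARD chain), the DNAT rule, and an awk summary of those log lines that counts port-25 SYNs per LAN host and flags anything that is not the camera. It assumes the post's addresses (camera 10.20.30.59 on eth1, server 207.192.69.241, alternate port 2390); set IPT=echo to print the rules instead of applying them.

```shell
# Added example, not the post's own script. Assumes the post's setup:
# camera 10.20.30.59 on LAN interface eth1, mail server 207.192.69.241,
# postfix also listening on 2390 (rsmtp). Set IPT=echo for a dry run.
CAM=${CAM:-10.20.30.59}
MX=${MX:-207.192.69.241}
ALT=${ALT:-2390}
LAN=${LAN:-eth1}
IPT=${IPT:-/sbin/iptables}
# Step 1, on the mail server: master.cf entry that makes postfix accept
# SMTP on the alternate port too (append it, then `postfix reload`).
master_cf_line() {
    printf '%s      inet  n       -       n       -       -       smtpd\n' "$ALT"
}
# Step 2, on the router: log every new outbound SMTP connection from the
# LAN (assumed FORWARD chain; this is what writes the "outgoing-25" lines).
log_rule() {
    "$IPT" -A FORWARD -i "$LAN" -p tcp --dport 25 --syn \
        -j LOG --log-prefix "outgoing-25 "
}
# Step 3, on the router: rewrite only the camera's connections to our own
# server; any other host talking on port 25 stays blocked and logged.
dnat_rule() {
    "$IPT" -t nat -A PREROUTING -i "$LAN" -p tcp -s "$CAM" -d "$MX" \
        --dport 25 -j DNAT --to ":$ALT"
}
# Audit: read kernel log lines on stdin, count port-25 SYNs per LAN source
# and mark any source that is not the camera as UNEXPECTED.
smtp_sources() {
    awk -v cam="$CAM" '
        /outgoing-25/ {
            src = ""; hit = 0
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                else if ($i == "DPT=25" || $i == "SYN") hit++
            }
            if (hit == 2) n[src]++
        }
        END { for (s in n) printf "%s %d %s\n", s, n[s], (s == cam ? "camera" : "UNEXPECTED") }
    ' | sort
}
# Constructed sample lines in the post's log format: two camera SYNs, one
# SYN from another LAN host, and a camera ACK that must not be counted.
sample_log() {
    printf '%s\n' \
'Mar  8 23:53:02 home kernel: outgoing-25 IN=eth1 OUT=eth0 SRC=10.20.30.59 DST=207.192.69.241 LEN=48 TOS=0x00 PREC=0x00 TTL=63 ID=42497 DF PROTO=TCP SPT=57338 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0' \
'Mar  8 23:53:03 home kernel: outgoing-25 IN=eth1 OUT=eth0 SRC=10.20.30.59 DST=207.192.69.241 LEN=48 TOS=0x00 PREC=0x00 TTL=63 ID=42498 DF PROTO=TCP SPT=57339 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0' \
'Mar  8 23:53:04 home kernel: outgoing-25 IN=eth1 OUT=eth0 SRC=10.20.30.77 DST=198.51.100.9 LEN=48 TOS=0x00 PREC=0x00 TTL=63 ID=7 DF PROTO=TCP SPT=40000 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0' \
'Mar  8 23:53:05 home kernel: outgoing-25 IN=eth1 OUT=eth0 SRC=10.20.30.59 DST=207.192.69.241 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=42499 DF PROTO=TCP SPT=57338 DPT=25 WINDOW=65535 RES=0x00 ACK URGP=0'
}
sample_log | smtp_sources
```

On the router itself you would feed real lines with `grep outgoing-25 /var/log/messages | smtp_sources`; the sample run prints one camera entry and one UNEXPECTED host.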

Piece of cake. It works! As for why I was blocked in the first place, they are either blocking everyone or they logged a lot of SMTP connections from my cable modem to an outside mail server. When movement is detected the cam sends an email once a second for as long as movement continues, which can be a lot of messages.

(If you’re wondering why I do that, it’s because if the house is robbed, I want to get the evidence off-site as fast as possible. If it just recorded the images to a box inside the house, well that wouldn’t do much good if that box was stolen too!)

Update: March 13, 2009

Found another blog post that goes over an alternative way of doing this. I could have just configured postfix on my home Linux box, sent my webcam messages to it, then had that mail host use Comcast’s server or my own outside server to relay the email. This would be the way to go if you don’t have an email server outside of Comcast to relay stuff for you, but it also means having to stash your Comcast email’s id/password into your postfix config.

Update: July 19, 2009

I just noticed that Comcast is no longer blocking port 25 on my cable connection. Perhaps the block is temporary in nature and when they see the excessive hits on port 25 from your IP drop off, they eventually unblock it.

Update: April 24, 2013

After years of not blocking it, they decided to start blocking it again. However, my old Linux router is now gone and I'm using an off-the-shelf router. BUT ALL WAS NOT LOST. Thankfully it's a Buffalo router that runs Linux, so I opened up a shell on it, ran the iptables command there, and now my webcam is sending again.

/usr/sbin/iptables -t nat -A PREROUTING -p tcp -i br0 -s 10.20.30.60 -d 207.192.69.241 --dport 25 -j DNAT --to :2390


9 comments
  • Cos March 9, 2009, 1:58 pm

    not a shabby hack, good job.

    i guess that camera can only use email … was gonna say that using an XML post would give you more reliability along the way. maybe, and just for fun, experiment with taking what the camera wants to send via SMTP and breaking it down to an XML post to the server.

    plus that’s just more geeky. 🙂

  • sin April 11, 2009, 11:53 am

    I've recently had port 25 blocked and was wondering how I could log outgoing port 25 traffic if all I have is a standard Linksys router.

  • weave April 11, 2009, 2:31 pm

    Some Linksys equipment can be flashed to an alternative firmware that is based on Linux, which allows more flexibility. But don’t attempt unless you are comfortable with that sort of thing.

    See Wikipedia article

    Look for the section on Third Party Firmware projects.

  • Justin February 19, 2011, 6:07 pm

    Just thought I would share this, for anyone who wants to know if their ISP is blocking outbound port 25 (which is becoming more and more common today) try the test at http://port25.icannotconnect.com

  • DetroitGeek April 23, 2012, 6:27 am

    Comcast has blocked both incoming and outgoing on port 25. I can reroute the outbound, but servers trying to send to me on 25 won’t make it through and I certainly can’t reconfigure their servers. Other than using an external web based mail server to send and receive from, I can’t figure how to get my mail flowing again.

  • weave April 23, 2012, 6:41 am

    Sigh, looks like they are blocking me inbound 25 as well. I can’t swear to it because I haven’t checked my firewall rules yet (running late for work) but appears that way. On the other hand, I can go out on 25 now. Go figure.

    You may be stuck parking a VPS host somewhere out there that just accepts mail as an mx host and forwards it to you on a port other than 25.

  • Nunye March 16, 2013, 5:26 pm

    Sheesh. When are they going to realize that if something is not broke, don’t fix it. ALL MAJOR carriers still use port 25 to send mail. It’s retarded to block a port everyone uses. It almost seems like they’re doing it as a monopoly “only use our ports” thing. Don’t they respect net neutrality?

  • Nantz March 16, 2013, 8:45 pm

    Not only does Comcast block port 25 without notice and break services that have been running without problem for years, they do so without telling the affected customer. How’s that for inconsiderate? To make matters worse, their support reps are too technically shallow to do anything to help mitigate the situation. As Nunye notes, practically ALL MAJOR carriers use port 25, making Comcast’s policy unacceptable. So, I am in the process of changing to another ISP.

  • Unified eMail Support April 3, 2013, 5:43 pm

    We have a lot of residential Comcast customers that have just started reporting connection issues due to Comcast restricting both inbound and outbound communications over the standard SMTP port 25. For Comcast customers that have their own on-premise mail server, they can sign up for our Store and Forward Services which we can then forward their mail to them on an alternate (non-blocked) TCP port.

    For more information please see: http://www.unifiedemail.net/Service/Store-Forward
