Email Bypass of Port 25 Blocking

This project shows how to run an SMTP mail server behind a firewall when the ISP blocks port 25.


Acacia runs its own SMTP mail server, which used to work just fine behind the firewall. The firewall masqueraded incoming and outgoing port 25 email traffic to and from the internal mail server.

The ISP decided to block all incoming and outgoing traffic on port 25 in an effort to stop spammers, but this just inconvenienced legitimate users such as Acacia who run their own mail server.

The diagram above shows the Acacia SMTP mail server on the left, listening on port 25 inside the firewall. The firewall masquerades incoming email traffic arriving on port 2525 at its external address to port 25 on the internal SMTP server.

No-IP.com provides the dynamic IP service as well as an "Email Reflector" service, which answers for the AcaciaLT.com.au domain on port 25 and forwards incoming email traffic to the firewall on port 2525.

For outgoing email, No-IP does not support sending, so the only path was to route outgoing mail via the ISP's mail server. This is done with the mailconf utility (basic configuration section) by setting the "Mail Gateway" to mail-hub.bigpond.net.au; port 25 to this server is not blocked. mail-hub.bigpond.net.au then forwards the mail on to its destination, represented in the diagram by the "Other 3rd Party Mail Server" on the Internet.
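Both paths described above can be checked from the outside with a small SMTP probe: the inbound reflector path (external IP, port 2525, masqueraded to the internal server's port 25) and the outbound relay path (the mail gateway on port 25). A timeout on the probe is the signature of a silently filtered port, such as the ISP block, while a refused connection means the host was reached but nothing is listening or forwarding. This is an added example, not code from the Acacia page; the stand-in server, its banner text and the host names are constructed so the probe can be exercised offline, and in real use you would call smtp_probe against your external address on port 2525 and against mail-hub.bigpond.net.au on port 25.

```python
import socket
import threading

def _read_reply(f):
    """Read one SMTP reply, following '250-' style continuation lines."""
    lines = []
    while True:
        raw = f.readline()
        if not raw:
            raise ConnectionError("connection closed before reply completed")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return line[:3], lines

def smtp_probe(host, port, helo_name="probe.example", timeout=5.0):
    """Connect, expect a 220 banner, send EHLO then QUIT; no mail is ever sent."""
    result = {"host": host, "port": port, "ok": False}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s, \
                s.makefile("rb") as f:
            code, lines = _read_reply(f)
            result["banner"] = lines[0]
            if code != "220":
                result["error"] = f"unexpected banner code {code}"
                return result
            s.sendall(f"EHLO {helo_name}\r\n".encode("ascii"))
            code, result["ehlo"] = _read_reply(f)
            result["ok"] = code == "250"
            s.sendall(b"QUIT\r\n")
            _read_reply(f)        # wait for 221 so the server side closes cleanly
    except socket.timeout:
        # Silent drop: this is what an ISP port-25 block looks like from outside.
        result["error"] = "timeout (port silently filtered)"
    except OSError as e:
        # Refused / reset / unreachable: host answered, but no listener or forward.
        result["error"] = f"{type(e).__name__}: {e}"
    return result

def start_fake_smtp(host="127.0.0.1"):
    """Constructed stand-in for the internal SMTP server (banner, EHLO, QUIT only)."""
    srv = socket.create_server((host, 0))
    def serve():
        conn, _ = srv.accept()
        with conn, conn.makefile("rb") as f:
            conn.sendall(b"220 mail.internal ESMTP constructed test banner\r\n")
            f.readline()                                                  # EHLO
            conn.sendall(b"250-mail.internal\r\n250 SIZE 10240000\r\n")
            f.readline()                                                  # QUIT
            conn.sendall(b"221 Bye\r\n")
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], srv
```

Probe the stand-in with `port, srv = start_fake_smtp(); print(smtp_probe("127.0.0.1", port))`; the returned dict carries the banner and EHLO lines on success or a classified error string otherwise.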

Firewall Settings

To make this work, configure your ipchains-based firewall with settings similar to the following:

# External interface (first ppp device) and its current address
EXTERNAL_INTERFACE=`ifconfig | grep ppp | head -1 | awk '{print $1}'`
EXTERNALIP=`ifconfig $EXTERNAL_INTERFACE | grep inet | cut -d: -f2 | cut -d" " -f1`
ANYWHERE="any/0"                    # match any IP address
UNPRIVPORTS="1024:65535"            # unprivileged port range
MAILPORT=25
MAILMASQPORT=2525
MAILSERVER=192.168.1.10             # PLACEHOLDER: LAN address of the internal SMTP server

# Connections from the firewall out to port 2525 anywhere (client side), and
# the matching replies.  "! -y" matches non-SYN packets, i.e. replies only.
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
         -s $EXTERNALIP $UNPRIVPORTS \
         -d $ANYWHERE $MAILMASQPORT -j ACCEPT

ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
         -s $ANYWHERE $MAILMASQPORT \
         -d $EXTERNALIP $UNPRIVPORTS -j ACCEPT

# Connections from the No-IP reflector in to port 2525 on the external
# address (server side), and the replies going back out.
ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
         -s $ANYWHERE $UNPRIVPORTS \
         -d $EXTERNALIP $MAILMASQPORT -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
         -s $EXTERNALIP $MAILMASQPORT \
         -d $ANYWHERE $UNPRIVPORTS -j ACCEPT

# Masquerade (port-forward) incoming traffic on port 2525 of the external
# address to port 25 on the internal SMTP server
ipmasqadm portfw -a -P tcp -L $EXTERNALIP $MAILMASQPORT -R $MAILSERVER $MAILPORT

# Deliberately commented out, so that mail initiated from the acacia domain
# goes back out on port 25 to bigpond.
#ipchains -I forward -p tcp -s $MAILSERVER $MAILPORT -j MASQ  -l

# Allow outgoing email traffic on port 25 (logged with -l).  The rule matches
# any destination, but in practice only mail-hub.bigpond.net.au is reachable,
# since the ISP blocks port 25 elsewhere and mailconf points the Mail Gateway
# at it.  Replacing $ANYWHERE with the mail hub's address would make the rule
# permit only what is actually intended.
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
         -s $EXTERNALIP $UNPRIVPORTS \
         -d $ANYWHERE $MAILPORT -j ACCEPT  -l

ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
         -s $ANYWHERE $MAILPORT \
         -d $EXTERNALIP $UNPRIVPORTS -j ACCEPT  -l

# Same pattern for connections arriving on port 25 of the external address
# and their replies (the ISP block means these rarely match).
ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
         -s $ANYWHERE $UNPRIVPORTS \
         -d $EXTERNALIP $MAILPORT -j ACCEPT  -l

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
         -s $EXTERNALIP $MAILPORT \
         -d $ANYWHERE $UNPRIVPORTS -j ACCEPT  -l

If you would like any further information on this or any of the other projects shown on this web site, please send an email to Acacia Lateral Technologies or place a comment in our Guest Book.
