I setup a MX mail server, everything works despite port 25 being blocked, I'm stumped as to why I am able to receive email with this setup, and what the consequences might be if I leave it this way. Here are the details:
Connections to SMTP over port 25 and 587 both reliably connect over my local network.
Connections to SMTP over port 25 are blocked from external IPs (the ISP is blocking the port).
Connections to Submission SMTP over port 587 from external IPs are reliable.
Emails sent from gmail, yahoo, and a few other addresses all are being delivered. I haven't found an email provider that fails to deliver mail to my MX.
So, with port 25 blocked, I am assuming other MTA
servers fallback to port 587, otherwise I can't imagine how the mail is received. I know port 25 shouldn't be blocked, but so far it works. Are there mail
servers that this will not work with? Where can I find more about how this is working?
-- edit
More technical detail, to validate that I'm not missing something silly. Obviously in the transcript below I've replaced my actual domain with example.com.
# DNS MX record points to the A record.
$ dig example.com MX +short
1 example.com
$ dig example.com A +short
<Public IP address>
# From a public server (not my ISP hosting the mail server)
# We see port 25 is blocked, but port 587 is open
$ telnet example.com 25
Trying <public ip>...
telnet: Unable to connect to remote host: Connection refused
# Let's try openssl
$ openssl s_client -starttls smtp -crlf -connect example.com:25
connect: Connection refused
connect:errno=111
# Again from a public server, we see port 587 is open
$ telnet example.com 587
Trying <public ip>...
Connected to example.com.
Escape character is '^]'.
220 example.com ESMTP Postfix
ehlo example.com
250-example.com
250-PIPELINING
250-SIZE 10485760
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-BINARYMIME
250 CHUNKING
quit
221 2.0.0 Bye
Connection closed by foreign host.
Here is a portion from the mail log when receiving a message from gmail:
postfix/postscreen[93152]: CONNECT from [209.85.128.49]:48953 to [192.168.0.10]:25
postfix/postscreen[93152]: PASS NEW [209.85.128.49]:48953
postfix/smtpd[93160]: connect from mail-qe0-f49.google.com[209.85.128.49]
postfix/smtpd[93160]: 7A8C31C1AA99: client=mail-qe0-f49.google.com[209.85.128.49]
The log shows that a connection was made to the local IP on port 25 (I'm not doing any port mapping, so it is port 25 on the public IP too). Seeing this leads me to hypothesize that the ISP block on port 25 only occurs when a connection is made from an IP address that is not known to be a mail server. Any other theories?
