Home page logo

nanog logo nanog mailing list archives

Cisco ASA / Comcast SMTP problem workaround
From: lorell () hathcock org
Date: Sun, 18 Jan 2009 18:37:19 -0600

I have the problem when working out of my house that Comcast will lock down outbound SMTP on the regular ports. This may be due to the kids' computer getting infected with a virus from time to time. That is its own problem and I want to deal with it on its own.

The problem I want to discuss is a workaround to Comcast blocking outbound SMTP.

I have noticed at my house when I have problems with regular SMTP traffic on port 25 to my own colo servers, that my Yahoo! premium email goes through fine without problem. I have a premium Yahoo! account and use SMTP on port 465 and POP3 on 995 with SSL configured on both.

The thought occurred to me that I could solve my immediate problem as well as let me send/receive email at hotels and wifi hotspots that all block regular SMTP traffic on port 25. And roll out an encrypted new service to my hosted customers.

I run my own small hosting company at a colo for a handful of customer domains and several that I own. I have a Cisco ASA 5505 (security plus license) and a pair of mail servers needed for in- and out-bound SMTP. The servers are on private IP addresses behind the ASA which has static statements for the servers inside. Also, I have additional IPs available if needed for this solution.

Here is my question:

How do I configure my ASA (and Outlook) to:
1. Encrypt traffic between Outlook and the ASA on non-traditional SMTP and POP3 ports without using a VPN? (Using SSL just as Yahoo! does it.) 2. Leave my servers' configuration alone so that they continue to send/receive email in exactly the same way they are doing now? Summarized: How do I duplicate Yahoo! premium email service using PAT on my Cisco ASA without changing any settings on my server?

1. I don't want to change the email server configurations because it is run by a control panel software and if I take it out of spec, the next update could wipe out my custom config. 2. I don't want to use a VPN client on my laptop because it takes up VPN licenses on the ASA and because a successful solution would be a boon to my customers.

I believe the ASA would have to do these things:
   1. Accept SSL connections on the outside interface.
2. Accept the inbound SMTP request on an arbitrary, but non-dynamic port and translate it to port 25 and send it on to the server. 3. Accept the response from the server and translate it back into the arbitrary port (from #2 above) on the remote client.
   4. Do the same thing as above except for POP3.

This configuration would allow customers to also configure their SMTP/POP3 clients to allow them access to email without configuring a VPN client for each one.

Stated simply, I want to duplicate what Yahoo! premium email is doing between their servers and their customers like me.

Any thoughts?

Lorell Hathcock

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]