I couldn't stand it. I like cox.net when I don't have to talk to them, and I wanted my email. So I extended my www.no-ip.com services to get an external mail reflector. The first step was to configure my Belkin router to map a couple of non-standard port numbers to port 25. By the way, I use the Belkin because it supports my Cisco 831 router for the Sun Ray 1G and it also lets me remap port services. I then checked that this worked.
I could have modified sendmail to listen on a different port, but then I need to remember that fact.
I then signed up for the reflector service (which will also store mail for 5 days if there is an outage) and enabled it. I tried to test and got a bounce:
[-- Attachment #1 --]
[-- Type: text/plain, Encoding: 7bit, Size: 0.5K --]

The original message was received at Wed, 7 Jun 2006 13:11:51 -0700
from localhost.localdomain [127.0.0.1]

   ----- The following addresses had permanent fatal errors -----
    (reason: 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1))

   ----- Transcript of session follows -----
... while talking to mail1.no-ip.com.:
>>> DATA
<<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
550 5.1.1 ... User unknown
<<< 503 RCPT first (#5.5.1)

[-- Attachment #2 --]
[-- Type: message/delivery-status, Encoding: 7bit, Size: 0.4K --]

Reporting-MTA: dns; virt18c.secure-wi.com
Received-From-MTA: DNS; localhost.localdomain
Arrival-Date: Wed, 7 Jun 2006 13:11:51 -0700

Final-Recipient: RFC822; XXX@YYY.com
Action: failed
Status: 5.1.3
Remote-MTA: DNS; mail1.no-ip.com
Diagnostic-Code: SMTP; 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
I didn't sweat this too much; I figured I had a bit more to do, and found the "Blocked Port 25? .. Mail on a Non-Standard Port" guide on the No-IP web site. I needed to set up some MX records. By the way, I really like how No-IP produces guides for their services.
In looking back at the previous fragment of email, it is now clear that it was no-ip.com bouncing it and not my domain. Anyway, I followed the directions and was soon getting all of my important email - mostly test messages from various accounts I have outside the domain. Remember, it is always the principle!
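Reading a bounce to find which machine actually said no is something a small script can do for you. The following is an added example, not code from this page's author, No-IP or sendmail: it parses the message/delivery-status part of a bounce (field names per RFC 3464) and reports, per recipient, the rejecting MTA, the SMTP reply code, the enhanced status code and whether the rejection was a relay/policy refusal. The sample DSN is constructed from the fields of the bounce quoted above (XXX@YYY.com is the page's own placeholder); the function names are chosen here. The Remote-MTA and Diagnostic-Code fields are what show that the 553 came from mail1.no-ip.com and not from the local domain.

```python
import re

# Constructed sample: the delivery-status fields of the bounce quoted on this
# page (XXX@YYY.com is the page's own placeholder recipient).
SAMPLE_DSN = """\
Reporting-MTA: dns; virt18c.secure-wi.com
Received-From-MTA: DNS; localhost.localdomain
Arrival-Date: Wed, 7 Jun 2006 13:11:51 -0700

Final-Recipient: RFC822; XXX@YYY.com
Action: failed
Status: 5.1.3
Remote-MTA: DNS; mail1.no-ip.com
Diagnostic-Code: SMTP; 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
"""


def parse_delivery_status(text):
    """Split an RFC 3464 delivery-status body into its header blocks.
    The first block describes the message, each later one a recipient.
    Folded (continuation) lines are not handled; DSNs rarely fold them."""
    blocks = []
    for chunk in re.split(r"\n[ \t]*\n", text.strip()):
        fields = {}
        for line in chunk.splitlines():
            name, _, value = line.partition(":")
            fields[name.strip().lower()] = value.strip()
        blocks.append(fields)
    return blocks[0], blocks[1:]


def _after_type(value):
    """'DNS; mail1.no-ip.com' -> 'mail1.no-ip.com' (drop the address-type tag)."""
    return value.split(";", 1)[-1].strip()


def triage(text):
    """One finding per recipient: who rejected it, how hard, and why."""
    msg, recipients = parse_delivery_status(text)
    findings = []
    for rcpt in recipients:
        diag = rcpt.get("diagnostic-code", "")
        m = re.match(r"smtp;\s*(\d{3})\s*(.*)", diag, re.I)
        reply = int(m.group(1)) if m else None
        reason = m.group(2) if m else diag
        # Enhanced status code carried in the remote server's text, e.g. "(#5.7.1)";
        # fall back to the Status field the reporting MTA assigned.
        enh = re.search(r"\(#?(\d\.\d{1,3}\.\d{1,3})\)", reason)
        enhanced = enh.group(1) if enh else rcpt.get("status", "")
        findings.append({
            "recipient": _after_type(rcpt.get("final-recipient", "")),
            # Remote-MTA is the server that refused; Reporting-MTA only generated the bounce
            "rejected_by": _after_type(rcpt.get("remote-mta", ""))
                           or _after_type(msg.get("reporting-mta", "")),
            "permanent": rcpt.get("status", "").startswith("5")
                         or (reply is not None and reply >= 500),
            "smtp_reply": reply,
            "enhanced_code": enhanced,
            "reason": reason,
            # 5.7.x is the security/policy class: relaying refused, not an unknown mailbox
            "relay_policy": enhanced.startswith("5.7")
                            or "rcpthosts" in reason.lower()
                            or "relay" in reason.lower(),
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_DSN):
        print(finding)
```

Run against the sample, the finding names mail1.no-ip.com as the rejecting MTA with a permanent 553 and enhanced code 5.7.1, i.e. a relay policy refusal on the reflector side, which is exactly the "not my domain" conclusion: the fix belongs in the reflector's accepted-domain list (the MX setup), not on the local mail server.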
I'm forced by geography to use cox.net. I use both no-ip.net and webintellects.com because I like their services. I could move my internal domain to webintellects.com, but I actually do test configurations for work and write things up based on having what looks like a full domain.
I think what is really getting me mad is that the cox.net tech support people are all claiming that my port 25 is not being blocked inbound, yet their Virtual Customer Service Representative has this to say:
You: block port 25
Instant Answers: Blocked Ports
  Port: 25        Transport: TCP        Protocol: SMTP            Direction: Both*     Reason for Filtering: SMTP relays
  Port: 80        Transport: TCP        Protocol: HTTP            Direction: Inbound   Reason for Filtering: Web servers, worms
  * SMTP is only permitted outbound to Cox-provided SMTP servers
  Type more to continue.
You: more
Instant Answers:
  Port: 135       Transport: UDP        Protocol: NetBios         Direction: Both      Reason for Filtering: Net Send Spam/pop-ups, worms
  Port: 136-139   Transport: UDP, TCP   Protocol: NetBios         Direction: Both      Reason for Filtering: Worms, Network Neighborhood
  Type more to continue.
You: more
Instant Answers:
  Port: 445       Transport: TCP        Protocol: MS-DS/NetBios   Direction: Both      Reason for Filtering: Worms, Network Neighborhood
  Port: 1433      Transport: TCP        Protocol: MS-SQL          Direction: Inbound   Reason for Filtering: Worms, Trojans
  Type more to continue.
You: more
Instant Answers:
  Port: 1434      Transport: UDP        Protocol: MS-SQL          Direction: Inbound   Reason for Filtering: Worms, SQLslammer
  Port: 1900      Transport: UDP        Protocol: MS-DS/ NetBios  Direction: Both      Reason for Filtering: Worms, Network Neighborhood
  Type more to continue.
You: more
Instant Answers:
  Port: 27374     Transport: TCP        Protocol: Subseven        Direction: Both      Reason for Filtering: SubSeven Trojan
  Would you like to see more about Internet security?
They need to get their story straight. I don't care if their answer is as valid as any other IT urban myth.
The only thing keeping me from spewing forth how many years of IT and system development experience I have is the fact that I once again live in Oklahoma. I.e., I can drive to Tuttle in no time and see Jerry Taylor in person. Read "City manager misunderstanding prompts international response" for spin and denial.
Frak...
I decided to show that the problem on my inbound port 25 traffic couldn't be on my end. To that end, I decided to connect my WinXP laptop directly up to my cable modem. This bypassed my router/firewall. I also disabled the firewall software on the laptop.
Of course I couldn't get access. I needed some servers to be listening on some ports. I did a quick google and decided to follow the instructions in "exim on cygwin" to install both cygwin and exim. I'd recommend also installing vim at this point. I had a mail server up and running in no time. I could get to it via a command window, but that wasn't a real test. I ssh'ed into a remote site, and coming back in on port 25 I was blocked.
Now I had to show that the exim software was really working. I installed apache2 on the laptop. I was able to configure the httpd.conf pretty easily myself, but to get the software running, I had to do some more searching. Note I don't have my normal cut-and-paste examples; these are DOS windows we are talking about. Anyway, I found this "Re: [Pre-ITP] httpd-2.0.53-0.3" message and was able to use it to get started:
Oops. I forgot to document: Apache2 requires cygserver. Make sure cygserver is running, and that your CYGWIN envvar contains "server".
You need to edit your CYGWIN environment variable to look like "ntsec server". The above link on exim on cygwin tells you how to get to the environment variable. Note that the separator has to be a space ' '. Neither ',' nor ';' worked for me.
You need to get a new cygwin session going (or manually edit the CYGWIN environment variable for an existing one) and then start cygserver:
net start cygserver
At that point, you can start apache2 via:
$ cd /usr/sbin
$ ./apachectl2 -k start
By the way, I made apache listen on both ports 80 and 8085. I did this since I know cox.net blocks port 80!
#
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, in addition to the default. See also the <VirtualHost>
# directive.
#
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses (0.0.0.0)
#
#Listen 12.34.56.78:80
Listen 80
Listen 8085
Okay, I tested the web server and sure enough port 80 was blocked, but I could get the default home page on port 8085:
It works!
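The test done by hand above (a listener on the blocked port and on a remapped port, then a connection attempt from an outside host with telnet or PuTTY) can be scripted so the result is recorded rather than argued about. The following is an added example, not code from this page; `probe_port` and `diagnose` are names chosen here, and 203.0.113.10 in the usage comment is a documentation-range placeholder for your own public address. It goes a little beyond the page's single port pair in that any (port, label) pair can be probed, and it records the distinction that matters for this kind of dispute: a connection that is refused (an RST came back, so packets reach the host and nothing is listening) versus one that times out (the SYN is dropped somewhere upstream, which is what an ISP port filter looks like from outside).

```python
import socket
import sys
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProbeResult:
    port: int
    label: str
    state: str               # "open", "refused", "timeout" or "error: ..."
    banner: Optional[str]    # first line the service sent after connect, if any


def probe_port(host: str, port: int, label: str = "", timeout: float = 5.0) -> ProbeResult:
    """TCP-connect to host:port and read the greeting, the way `telnet host 25`
    shows an SMTP "220 ..." banner. Helper name chosen for this example."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            banner = None
            try:
                data = sock.recv(512)
                if data:
                    banner = data.decode("ascii", "replace").splitlines()[0]
            except socket.timeout:
                pass  # connected, but the service waits for the client to speak first (e.g. HTTP)
            return ProbeResult(port, label, "open", banner)
    except ConnectionRefusedError:
        return ProbeResult(port, label, "refused", None)   # RST came back: host reachable, no listener
    except socket.timeout:
        return ProbeResult(port, label, "timeout", None)   # SYN never answered: dropped on the way
    except OSError as exc:
        return ProbeResult(port, label, f"error: {exc}", None)


def diagnose(standard: ProbeResult, remapped: ProbeResult) -> str:
    """Compare the standard port with a remapped port that reaches the same service."""
    if standard.state == "open":
        return "standard port reachable: no upstream filtering"
    if standard.state == "timeout" and remapped.state == "open":
        return "service is up (remapped port answers) but the standard port is silently dropped upstream"
    if standard.state == "refused":
        return "standard port refused: packets arrive but nothing is listening (or a host firewall resets); not an ISP filter"
    return f"inconclusive: standard={standard.state}, remapped={remapped.state}"


def main(argv):
    # usage: probe.py <host> <standard-port> <remapped-port> [label]
    host, std, alt = argv[1], int(argv[2]), int(argv[3])
    label = argv[4] if len(argv) > 4 else "service"
    results = [probe_port(host, std, label), probe_port(host, alt, label + " (remapped)")]
    for r in results:
        print(f"{host}:{r.port:<6} {r.label:<22} {r.state:<10} {r.banner or ''}")
    print(diagnose(*results))


if __name__ == "__main__":
    main(sys.argv)  # e.g. python probe.py 203.0.113.10 25 2525 smtp  (placeholder address)
```

Run it from the outside host against the same server twice, once with the listener stopped and once with it running: if port 25 reports "timeout" both times while the remapped port flips between "refused" and "open", the drop is upstream of the cable modem, and the output is something support can't wave away as "your software".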
Okay, armed with this knowledge, I called up Cox.net support. After about 30 minutes, I got a live human. His name was Chris and he was convinced it was my software. He also stated that they were not allowed to try and check port connectivity. I asked him to try telnet IP 25 and he made it quite clear that was not allowed at all. I asked to be passed to a support person who could help me.
I got handed to the queue and spent another 15-20 minutes waiting. I then got to talk to Andrew. He spent a couple of minutes talking to me when the cable modem reset itself. I know this because my ssh session died and the phone cut itself off. He provided no warning and never called me back up to check on what happened. I've talked to their support before where they warned me about a restart and then called me back up. No, no common courtesy this time.
I don't normally yell, scream, and shout obscenities when my son is close by. My wife came up to check on me...
The really sad parts are that I lost the IP I've had for the past year or so and also that unlike large urban centers on the coasts, there is no real market pressure for broadband providers. I'm 1/2 mile away from being able to get a decent DSL provider, i.e., I live east of Memorial and I refuse to go back to Valor (they stopped using the really expensive DSL provider and rolled out their own).
So I'm trying the online support process now. I've dusted off the cox.net account and I figure that at some point I'll find a reflector to get past this stupid policy of cox.net. Bob Marley isn't even cheering me up at this point. Time to find some Cadbury.
Frak...
I called Tech Support and they stated that they are not filtering inbound port 25 traffic. Yet their web pages state that they are:
Port   Transport   Protocol   Direction   Reason for Filtering
25     TCP         SMTP       Both*       SMTP Relays
80     TCP         HTTP       Inbound     Web servers, worms
I found a site which states that cox.net just started filtering inbound on them: Notice to Cox High Speed Internet Users. An interesting excerpt is:
Cox has been contacted regarding the filtering of individual email on their outgoing SMTP servers, but they have refused to admit doing it. However after extensive tests of their service, it has been demonstrated repeatedly that legitimate personal email messages are being stopped.
I'm pretty sure that they are doing it to me. I've sent email to abuse@cox.net asking them if they are indeed blocking port 25.
My firewall is configured to allow ssh traffic (redirecting the port), http traffic to both port 80 and a redirected port, and smtp traffic to port 25. Both ssh and http traffic to the redirected ports is allowed in my firewall. I've never seen port 80 traffic make it in and now I'm seeing the same symptoms on port 25.
This really irks me as I pay attention to my security; I make sure to also batten down my mail server. My mail traffic is very light; I probably bog down less with my email than a porn surfing neighbor. And I certainly drive more traffic transferring cores and ISO images. I had to go through 5 minutes of security verification to get my cox.net account. I had to log into it to check that mail for the support tech. I had 160 pieces of spam and nothing of interest. They probably wasted more resources storing that spam than I used in getting NFS related email delivered to my door.
They also treated me like an idiot - "reboot windows", "restart Outlook Express", etc. Every time he started on a new script, I had to remind him I was not running an OS he was familiar with. I told him multiple times I was not getting email from pop.central.cox.net.
It really got me at the end. He could look past the cable modem and tell me he saw a Belkin router/firewall. (I never said "Belkin", just firewall.) But he couldn't tell me if port 25 traffic was being stopped at the cable modem. I asked him to telnet to port 25 of it and he refused. He either didn't have the knowledge or the technology. (You can set PuTTY to the telnet protocol and port 25 to check a remote mail server.)
Great, abuse@cox.net has replied stating that my complaint was not properly formatted and did not fall into one of their handy categories. I.e., they don't have a form to report them as the abusers.
Ahh, I could rant about them forever. Their Acceptable Use Policy is a model of customer abuse - "We reserve the right to change this AUP without notice and have it be legally binding."
I'm sure I drew attention when my mail server was down and my port 25 traffic was being ignored. If I'd kept the server up, I'd have been safe for a couple of more days.