05-30-2010, 01:44 AM, #1
LQ Newbie (Registered: Oct 2006, Location: USA, Distribution: CentOS,Mint,openSuSE,Ubuntu,FBSD, Posts: 12)
with iptables, how-to redirect outgoing mail from port 25 to port 587
The issue is that the ISP has recently blocked port 25 outgoing.
But, incoming port 25 is still open and incoming mail is properly received.
Now, for a single machine, I can simply change the <sendmail> configuration and have that machine <submit> the mail to port 587, which is NOT blocked by the ISP. However, there are several machines, all of which send some mail out to the Internet. Thus, I would have to be reconfiguring other unfamiliar mail servers (postfix, exim, etc.) to accomplish the desired redirection.
EDITED: I have a Linux machine which is my gateway router and firewall.
I have crafted a single iptables NAT rule to attempt having ALL outgoing mail be redirected from port 25 over to port 587.
EXTERNAL=xx.xx.xx.xxx
..
iptables -t nat -A OUTPUT -o $EXTERNAL -p tcp --dport 25 -j REDIRECT --to-port 587
The iptables rules are loaded without any apparent errors reported (in /var/log/messages) so I was expecting it to accomplish the task as desired.
This rule does NOT have any effect on mail going out, however. Maybe the order of rules is such that all mail is being ACCEPTed before this new rule is encountered?
How can I ensure that this rule is seen/processed BEFORE any ACCEPT rules?
Is this NAT OUTPUT rule the correct way to do this sort of thing? Or should I be using either a DNAT or POSTROUTING rule?
Last edited by thumbelina; 05-30-2010 at 02:10 AM.
05-30-2010, 02:58 AM, #2
Senior Member (Registered: Oct 2004, Distribution: Fedora Core 4, 12, 13, 14, 15, 17, Posts: 2,279)
If it's outgoing mail then they will be connecting to mail servers not under your control, so unless you can guarantee that they will accept mail on port 587 you are wasting your time.
05-30-2010, 11:03 AM, #3
Member (Registered: Apr 2005, Location: NYC, Distribution: Debian, RHEL, Posts: 267)
Is this a commercial internet package with static IP? If so I would call up the ISP and find out why they are blocking outbound traffic, and request they unblock. If they refuse and you do run mail servers find another ISP.
Have you confirmed that they are actually blocking outbound traffic on port 25? Doing that could potentially block even regular mail clients from being able to send mail.
05-30-2010, 12:19 PM, #4
LQ Newbie, Original Poster (Registered: Oct 2006, Location: USA, Distribution: CentOS,Mint,openSuSE,Ubuntu,FBSD, Posts: 12)
Re: how-to redirect outgoing mail from port 25 to port 587
Quote:
Originally Posted by ComputerErik
Is this a commercial internet package with static IP? If so I would call up the ISP and find out why they are blocking outbound traffic, and request they unblock. If they refuse and you do run mail servers find another ISP.
Have you confirmed that they are actually blocking outbound traffic on port 25? Doing that could potentially block even regular mail clients from being able to send mail.
Yes, they are blocking port 25 BOTH WAYS.. in and out.
I have called the ISP, Coxxxxx and spoken to tech support, carefully explained the problem. As soon as the L-word (Linux) was uttered, the T/S drone said, "well I'm sorry but we don't support Linux.. yadda, yadda". (I know from prior experience, that they "teach" their people to say that; never mind helping the customer) I don't need Linux support from them. I simply want them to unblock incoming-port-25. They can leave their block on outbound-port-25 if they think that helps their SPAM problems.
I escalated to their T/S manager, and patiently explained to him why blocking port-30 inbound was useless as a control of SPAM coming FROM their customers. That still didn't get through.. "I'm sorry sir, but we cannot do that.."
I scanned their mail gateway server: it only has ports 465 (SMTPS) and port 587 (Submission) as open, listening. So, I have already configured the iptables ruleset on the firewall to accept any NEW, incoming traffic to port 587 with a rule to ACCEPT input and another rule to DNAT the PREROUTING traffic to the appropriate mail server box.
So, back to my original question:
Does anyone know how to formulate an iptables rule to REDIRECT all outgoing port-25 traffic over to port 587 outbound??
I need this to have a blanket method of correctly routing any/all outgoing mail controlled by the firewall rules; not by tweaking the configurations at every mail client.
I will need such for whoever my ISP is or will be in the future.
Thank you.
05-30-2010, 01:55 PM, #5
Member (Registered: Apr 2005, Location: NYC, Distribution: Debian, RHEL, Posts: 267)
Quote:
Originally Posted by thumbelina
I will need such for whoever my ISP is or will be in the future.
Thank you.
Why? I manage more than a dozen different mail servers (a mix of Linux and Windows) and no real ISP with the proper plan has ever done any port filtering. I would just make life easy and take the steps needed to switch to an ISP that won't filter traffic on a business connection.
Are you running a mail server locally, or trying to use a mail client to connect to the ISP mail server? Even if you do succeed in having your server listen on a different port incoming mail will always be on 25, and thus get blocked before hitting your iptables rule to move to a different port. For outbound as already mentioned if you just switch to using 587 no other mail server would be accepting mail on that port. Anyone you would want to exchange mail with would need to have a server setup that accepts mail on 587, and I doubt that will happen.
05-31-2010, 04:23 AM, #6
LQ Newbie, Original Poster (Registered: Oct 2006, Location: USA, Distribution: CentOS,Mint,openSuSE,Ubuntu,FBSD, Posts: 12)
Quote:
Originally Posted by ComputerErik
Why? I manage more than a dozen different mail servers (a mix of Linux and Windows) and no real ISP with the proper plan has ever done any port filtering. I would just make life easy and take the steps needed to switch to an ISP that won't filter traffic on a business connection.
Are you running a mail server locally, or trying to use a mail client to connect to the ISP mail server? Even if you do succeed in having your server listen on a different port incoming mail will always be on 25, and thus get blocked before hitting your iptables rule to move to a different port. For outbound as already mentioned if you just switch to using 587 no other mail server would be accepting mail on that port. Anyone you would want to exchange mail with would need to have a server setup that accepts mail on 587, and I doubt that will happen.
Hi Erik.. thanks for your thoughts..
Yes, I run a sendmail server with SMART_HOST to the ISP's gateway. So outgoing from my server will be handled properly by that gateway IF.. I adjust the config to send to port 587 and use TLS Auth. I can do that part.
But, upon more reflection, I see your point.. Yes, you are correct: the SMART_HOST at my ISP will know what to do with my outgoing mail sent to 587; but any other host who was sent-to from a mis-configured client mailer, and thus bypassing SMART_HOST, will indeed, drop that mail on the floor.
And, I cannot control incoming mail arriving on 25, no matter what I try. That will all get dumped.
Maybe some mail-management services like No-IP.com's are another way to go.
thank you
05-31-2010, 08:33 AM, #7
Member (Registered: Apr 2005, Location: NYC, Distribution: Debian, RHEL, Posts: 267)
What I have done for my personal email (which I run off a server at home on a cable connection that doesn't allow SMTP) is utilize an outsource service from where I bought the domain. So basically my MX point to them, and I can use them as an outbound relay after authentication. For inbound I just use POP to download every few minutes so there is never really any mail sitting on that server.
The other option as I mentioned is to switch ISPs to one that will actually allow you to do what you want. What is the point of having a static IP if they block you from running a server? I don't know what else you do or how long you have been with them, but I have had other problems with them (regular outages and having IP ranges with such a bad reputation that access to websites was being blocked).
05-31-2010, 09:06 AM, #8
Senior Member (Registered: Oct 2004, Distribution: Fedora Core 4, 12, 13, 14, 15, 17, Posts: 2,279)
Quote:
Originally Posted by ComputerErik
So basically my MX point to them, and I can use them as an outbound relay after authentication.
That is pointless if outbound port 25 has to go through Comcast's servers. It will not work. I had a Comcast connection some years ago, and with roughly 15 domains, each with its own mail server, I was basically up sh*t creek. I cancelled Comcast within a week. You would be better off using Gmail for domains, at least they catch all the spam.
06-01-2010, 05:27 AM, #9
Member (Registered: Mar 2008, Location: Namibia, Swakopmund, Distribution: Redhat, Fedora, Posts: 126)
iptables -t nat -A OUTPUT -p tcp --dport 25 -j DNAT --to-destination 100.200.1.1:587
??
1 member found this post helpful.
06-01-2010, 05:34 AM, #10
LQ 5k Club (Registered: May 2001, Location: Belgium, Distribution: Slackware 14.0, Posts: 8,464)
Do you have a dynamic or static IP?
If dynamic, most, if not all mailservers will refuse your mail.
06-01-2010, 07:17 AM, #11
Member (Registered: Apr 2005, Location: NYC, Distribution: Debian, RHEL, Posts: 267)
Quote:
Originally Posted by smoker
That is pointless if outbound port 25 has to go through Comcast's servers. It will not work. I had a Comcast connection some years ago, and with roughly 15 domains, each with its own mail server, I was basically up sh*t creek. I cancelled Comcast within a week. You would be better off using Gmail for domains, at least they catch all the spam.
It isn't pointless if you use the ISP as a relay, and use whatever port they have setup for mail. Also many domain hosts have an alternate SMTP port setup for just this situation, so you could use that as well.
Ultimately though, I agree: if you want or need to run a mail server and Comcast won't let you, then the best option is to tell them they can keep the subpar service and sign up with someone who will let you work.
02-01-2012, 06:31 AM, #12
Member (Registered: Aug 2006, Location: Greece, Distribution: Slackware.12.2, Posts: 64)
thx linuxgurusa for a much needed quick answer
03-19-2012, 08:26 AM, #13
LQ Newbie (Registered: Mar 2012, Posts: 1)
Reroute your port 25 with this:
iptables -t nat -A PREROUTING -p tcp --dport 587 -j REDIRECT --to-ports 25
If all is ok, do this:
/etc/init.d/iptables save
This works for CentOS / Red Hat.
Last edited by Pac; 03-19-2012 at 08:31 AM.
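The script below is an added example, not code from any post in this thread; it covers both the outbound port-25 rewrite asked for in #1 and #4 and the inbound 587-to-25 hand-off described in #4 and #13. Two facts the thread circles around: the nat OUTPUT chain only sees packets the gateway itself generates, so traffic forwarded for LAN machines needs a nat PREROUTING rule, and the nat table is traversed separately from the filter table, so filter ACCEPT rules cannot hide a nat rule. Interface names eth0/eth1, the smarthost 203.0.113.25, the internal MTA 192.0.2.10 and the LAN prefix 192.0.2.0/24 are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Prints (or, with "apply", executes)
# the nat/filter rules for both directions discussed above.
# Constructed placeholders: LAN interface eth1, WAN interface eth0,
# LAN prefix 192.0.2.0/24, internal MTA 192.0.2.10, smarthost 203.0.113.25.

# Outbound: anything aimed at port 25 is sent to the smarthost's submission
# port instead. Two nat rules are needed: OUTPUT only sees packets the gateway
# itself generates, while packets forwarded for LAN machines pass PREROUTING.
# REDIRECT rewrites the destination to the gateway's own address (127.0.0.1
# for locally generated packets), so DNAT to an explicit host:port is used.
smtp_outbound_rules() {
    lan_if=$1; lan_net=$2; smarthost=$3
    echo "iptables -t nat -A PREROUTING -i $lan_if -s $lan_net -p tcp --dport 25 -j DNAT --to-destination $smarthost:587"
    echo "iptables -t nat -A OUTPUT -p tcp --dport 25 -j DNAT --to-destination $smarthost:587"
    # filter FORWARD sees the packet after DNAT (dport already 587); -I puts
    # the ACCEPT ahead of any existing DROP/REJECT in that chain
    echo "iptables -I FORWARD -i $lan_if -s $lan_net -d $smarthost -p tcp --dport 587 -j ACCEPT"
}

# Inbound: mail that arrives on 587 from the Internet is handed to the
# internal MTA on its normal port 25 (what #4 describes and #13's rule does,
# limited here to the WAN interface and a single target host).
smtp_inbound_rules() {
    wan_if=$1; mailserver=$2
    echo "iptables -t nat -A PREROUTING -i $wan_if -p tcp --dport 587 -j DNAT --to-destination $mailserver:25"
    echo "iptables -I FORWARD -i $wan_if -d $mailserver -p tcp --dport 25 -j ACCEPT"
}

# Dry run by default; "apply" feeds the rules to a root shell that stops on
# the first failing command.
main() {
    { smtp_outbound_rules eth1 192.0.2.0/24 203.0.113.25
      smtp_inbound_rules eth0 192.0.2.10; } |
        if [ "${1:-}" = apply ]; then sh -e; else cat; fi
}
main "$@"
```

The outbound rewrite only helps where the new destination is a relay that accepts submission from these hosts on 587: a LAN client that used to deliver straight to a remote MX is now pointed at the smarthost and must satisfy its authentication, which a NAT rule cannot supply (the objection raised in #2, #5 and #6). Without the `apply` argument the script only prints the rules, so it can be reviewed before running as root.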