Things keep changing in Qatar. Just before Christmas the local ISP (QTEL) decided to start blocking inbound port 25 connections to the DSL line I use for work. This posed a problem for me as I run a mail server on it using Dynamic DNS for about 80 users. What was particularly irksome was they blocked incoming connections only for locations outside Qatar, not other DSL connections in country.
I don’t have a problem with ISPs blocking outbound port 25 to anything other than their own mail servers – that is a sensible anti-spam precaution. However, blocking inbound connections can only serve to prevent people running mail servers, and the only reason I can think of for doing this is to force people onto their MPLS-based Internet leased line, which cost over USD 1500/month for 512K last time I looked at the price.
Using nmap on a server in Amsterdam I quickly discovered it was only port 25 which was blocked. Other ports remained unaffected.
So my problem was to find a way of getting mail into my server using a port other than 25 (SMTP). Internet mail requires access to port 25 so I had to find another machine to forward mail into my ADSL line in Qatar. Fortunately I have access to such machines running Debian and postfix in Amsterdam.
The solution turned out to be surprisingly easy:
1. Arrange for the ADSL link gateway to port forward traffic from a free port (I chose 200) to port 25 on the internal mail server. I used iptables to do this but the same can be done with almost any ADSL gateway – look for “Application Sharing”. This can be tested by connecting to the gateway with netcat (nc) from a machine in the outside world (some names obscured):
ams1:~# nc www.mydomain.com 200
220 www.mydomain.com ESMTP Postfix (Debian/GNU)
helo www.x31.com
250 www.mydomain.com
quit
221 2.0.0 Bye
2. Configure the relay machine (mine is in Amsterdam) to accept mail for the ADSL connected system (my system in Qatar). To do this edit /etc/postfix/main.cf and add the domain to the end of the relay_domains line (note the use of the comma ‘,’):
relay_domains = $mydestination, mydomain.com
3. Set up a special delivery transport for mydomain.com. To do this edit /etc/postfix/transport and add the following lines (myddnshost.dyndns.org is the dynamic DNS hostname for my system in Qatar and the 200 is the port number I am using):
mydomain.com smtp:[myddnshost.dyndns.org]:200
.mydomain.com smtp:[myddnshost.dyndns.org]:200
Now rebuild the map file:
$ postmap /etc/postfix/transport
and edit /etc/postfix/main.cf again. Ensure the following line is present:
transport_maps = hash:/etc/postfix/transport
Finally restart postfix:
$ /etc/init.d/postfix restart
4. Now update your DNS and point the MX record at the relay machine. Wait for things to settle down (this can take a few hours) and your mail will start to be delivered into your ADSL connected server.
I run Debian Etch and Lenny systems with a mostly standard postfix configuration which uses hash tables. If your system is different then you may need to specify a different format. The /etc/postfix/transport file is extremely powerful and I recommend you look at “man transport” before making changes.
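Step 1 mentions iptables without showing the rules. The sketch below is an added example, not the configuration used in this post: it forwards the alternate port to the mail server but only for connections from the relay, since once the MX record points at the relay (step 4) nothing else needs to reach that port. The interface name, both addresses and the function names are assumptions, and it presumes the relay has a static address.

```shell
#!/bin/sh
# Added example: gateway rules for step 1, limited to the relay's address.
# Every value below is a constructed placeholder, not taken from the post.
WAN_IF="${WAN_IF:-ppp0}"             # ADSL-facing interface (assumed)
RELAY_IP="${RELAY_IP:-192.0.2.10}"   # relay's static address (documentation range)
MAIL_IP="${MAIL_IP:-192.168.1.25}"   # internal mail server (assumed)
ALT_PORT="${ALT_PORT:-200}"          # the free port chosen in step 1

# Accept only a decimal TCP port in 1..65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the iptables commands; with APPLY=1 run them instead (needs root).
# Assumes the gateway already accepts ESTABLISHED,RELATED traffic in FORWARD.
forward_rules() {
    valid_port "$ALT_PORT" || { echo "bad port: $ALT_PORT" >&2; return 1; }
    if [ "$ALT_PORT" -eq 25 ]; then
        echo "port 25 is the port being blocked" >&2
        return 1
    fi
    run=echo
    if [ "${APPLY:-0}" = 1 ]; then run=; fi
    # Rewrite relay -> gateway:ALT_PORT into mail server:25.
    $run iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp -s "$RELAY_IP" \
        --dport "$ALT_PORT" -j DNAT --to-destination "$MAIL_IP:25"
    # Let the rewritten connection through; other sources are never rewritten,
    # so they cannot reach the mail server through this port.
    $run iptables -A FORWARD -i "$WAN_IF" -p tcp -s "$RELAY_IP" \
        -d "$MAIL_IP" --dport 25 -m conntrack --ctstate NEW -j ACCEPT
}

forward_rules
```

With the source restriction in place, the netcat test from step 1 only succeeds when run from the relay machine itself.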
Thanks for the information, we are having intermittent problems with outgoing SMTP port 25 blocked and I don’t know if it is Qtel or outside.
It seems to come and go, and I was wondering if you have any advice on how to change the port. Our mail server is in US and I have asked them if we can access with another port.
thanks
I can confirm that they are again blocking inbound SMTP.
I’ve sent you a separate mail – please get in contact with me so I can understand your exact problem and come up with a solution.
Andy
Where/If there is a will there is a way….
Gr8 job
Bloody morons, I had the same issue for months and had to overcome it using a VPN to the office where we have a 32Mb/s line (I don’t even want to say how much we are paying for it). Now it seems they are blocking IKE/ISAKMP as well cause I cannot go through their crappy network inside or outside Qatar using IPSec (Wireshark doesn’t see a single packet). Anyone else struggling with that?