SMTP SmartHosting

Or How To Deal With Network Hosts Who Think SPAM Blocking Allows Them To Not Play Nice In The Internet Neighborhood

(updated on 9/2/2003)

I'm an ATT Business Class DSL user.  I pay extra for static IP addresses, a great technical support group, and performance and connection uptimes that are much better than what you would get with normal residential DSL service.

However, my understanding is that ATT assigns static and dynamic IP addresses in the same range.  You can see this by doing a Reverse DNS lookup on my Web Server's IP address:

C:\>nslookup 12.100.12.105
Server: DNS1.christopherlewis.com
Address: 192.168.0.9

Name: 105.mumc.chcg.chcgil24.dsl.att.net
Address: 12.100.12.105

Which comes back with 105.mumc.chcg.chcgil24.dsl.att.net.  The key here is the "dsl.att.net".  When an SMTP conversation starts, the client issues a HELO or EHLO command.  I believe that RR.Com and others are basically rejecting 

I've recently had issues with Road Runner and the University of Oregon regarding my use of my own SMTP server and not ATT's.  Here's the error message I get from Road Runner:

You do not have permission to send to this recipient. For assistance, contact your system administrator.

<mail.ChristopherLewis.com #5.7.1 smtp;550 5.7.1 Mail Refused - att.net_Dynamic_Range - See http://security.rr.com/dynamic.htm>

and the error message I get from University of Oregon:

You do not have permission to send to this recipient. For assistance, contact your system administrator.

<mail.ChristopherLewis.com #5.7.1 smtp;550 5.7.1 dialup/DSL/cable host, please use your ISP's SMTP server: XXXXXXXX@oregon.uoregon.edu>

A quick look at http://security.rr.com/dynamic.htm reveals:

As part of our continuing efforts to reduce the amount of UBE traveling into our network, Road Runner has taken a number of proactive steps and developed a number of strong policies. These policies include the use of 3rd party block lists and our own internal list. More information on these policies can be found at http://security.rr.com.

As part of this continuing effort, Road Runner, along with a significant number of other providers, has implemented incoming port 25 blocks of residential IP address space, including dialup, DSL, and Cable modem IP addresses, regardless of whether or not that address space is assigned dynamically or statically. The reason for this is because of the widespread number of residential subscribers who we have found are infected with trojans such as Jeem, or have open proxy or SMTP applications which allow third parties to hijack them.

In other words, Road Runner has decided to ignore the fact that I am an upstanding network citizen who obeys all the rules and regulations regarding being a network administrator on the Internet and block my IP range from sending SMTP messages just because I'm in the same IP range as some known network scofflaws.  This is the equivalent of sending some one to prison just because they live on the same block as known law-breakers.

Anyway, all ranting aside, there is a relatively simple way to get around this issue.  SMTP has supported forwarding from day one (RFC 821, Section 3.2) via something called a SmartHost.  In the old days of slow connections, mail clients could spend lots of time doing DNS resolution for MX records over relatively slow connections.  By uploading outgoing email to a machine with a faster connection and possibly better DNS service, the mail client could give the SmartHost all its email, and let the SmartHost deal with further delivery.  With SPAM and open relay issues, most SMTP servers and services don't support forwarding without Authentication.  Enter RFC 2554, which created an SMTP extension to allow for Authentication to the SMTP server before transferring mail.

Configuring Exchange 2000 To Use a SmartHost with Authentication

Using the Exchange System Manager, drill down to your outgoing server's SMTP Protocol.  Right Click on the Default SMTP Virtual Server and select Properties.

Select the Delivery Tab and click the Outbound Security button.

Select the Basic Authentication radio button and enter your ATT mail's user and password.  Note you must enter your user name in the form USER@attglobal.net.  Click OK.

Back on the Delivery tab, click on Advanced Delivery, and enter your outgoing SMTP server for your ATT mail account.  In my case, this was asmtp.attglobal.net.  Click OK.

Then click OK in the Default SMTP Virtual Server dialog.

Implications

OK, you're wondering what this will do?  Well, basically, in your SMTP conversation, you'll see something like this (Server commands start with S:, client C:)

C:\>Telnet asmtp.attglobal.net 25
S: 220 prserv.net - Maillennium ESMTP/MULTIBOX asmtp1 #4
C: EHLO ChristopherLewis.com
S: 250-prserv.net
S: 250-7BIT
S: 250-8BITMIME
S: 250-AUTH LOGIN PLAIN
S: 250-DSN
S: 250-HELP
S: 250-NOOP
S: 250-PIPELINING
S: 250-SIZE 10485760
S: 250-STARTTLS
S: 250-VERS V04.00c++
S: 250 XMVP 2
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6          <--Base64 encoded.  "Username:"
C: dXNlckBhdHRnbG9iYWwubmV0  <--B64 encoded Email address - user@attglobal.net
S: 334 UGFzc3dvcmQ6          <--Base64 encoded: "Password:"
C: cGFzc3dvcmQ=              <--Base64 encoded: "password"
S: 235 Authentication successful
C: MAIL FROM:<administrator@DoNotCall.Gov>
S: 250 ok
C: RCPT TO:<Someone@DoNotCall.Gov>
S: 250 ok; forward to <Someone@DoNotCall.Gov>
etc...

So what happens is that when Exchange gets an outgoing email, it sends it to the ATT SMTP server, authenticates, and then starts a normal SMTP transfer.  ATT's server realizes it's an outgoing mail, and forwards it to the appropriate SMTP server.
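To make the exchange above concrete, here is a small added example (my own code, not anything from this page or from Exchange) that plays both sides of the AUTH LOGIN dialogue in memory: a tiny simulated smart host that answers EHLO, issues the two 334 challenges and gates MAIL FROM / RCPT TO on a successful 235, and a client that walks through the same steps Exchange does.  The host name, user name and password are constructed placeholders.  The decoder at the end makes the practitioner's point: the 334/response lines are only Base64-encoded, not encrypted, so on a plain port 25 session the user name and password are readable by anyone on the path; the server in the transcript advertises STARTTLS, and AUTH LOGIN should only be sent after the session has been upgraded to TLS.

```python
import base64

# Constructed placeholders mirroring the transcript on this page; not real accounts.
SMARTHOST_NAME = "prserv.net"
CLIENT_NAME = "ChristopherLewis.com"
USERNAME = "user@attglobal.net"
PASSWORD = "password"


def b64(text: str) -> str:
    """Base64-encode a string the way AUTH LOGIN challenges and responses are sent."""
    return base64.b64encode(text.encode()).decode("ascii")


def unb64(text: str) -> str:
    """Reverse of b64(); Base64 is an encoding, so this needs no key."""
    return base64.b64decode(text).decode()


class SmartHostSim:
    """Minimal in-memory ESMTP server implementing the AUTH LOGIN state machine (RFC 2554)."""

    def __init__(self, users):
        self.users = users            # {username: password}
        self.state = "ready"          # ready | auth_user | auth_pass
        self.pending_user = None
        self.authenticated = False

    def banner(self):
        return f"220 {SMARTHOST_NAME} ESMTP (simulated smart host)"

    def handle(self, line):
        """Process one client line; return the list of server reply lines."""
        if self.state == "auth_user":              # client answered the Username: challenge
            self.pending_user = unb64(line)
            self.state = "auth_pass"
            return ["334 " + b64("Password:")]
        if self.state == "auth_pass":              # client answered the Password: challenge
            ok = self.users.get(self.pending_user) == unb64(line)
            self.state = "ready"
            if ok:
                self.authenticated = True
                return ["235 Authentication successful"]
            return ["535 Authentication failed"]
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            return [f"250-{SMARTHOST_NAME}", "250-AUTH LOGIN PLAIN",
                    "250-STARTTLS", "250 SIZE 10485760"]
        if verb == "AUTH" and arg.upper() == "LOGIN":
            self.state = "auth_user"
            return ["334 " + b64("Username:")]
        if verb in ("MAIL", "RCPT"):
            # Relaying is only offered to authenticated clients.
            return ["250 ok"] if self.authenticated else ["530 Authentication required"]
        return ["500 Command not recognized"]


def relay_via_smarthost(server, username, password, sender, recipient):
    """Client side of the exchange; returns (transcript, recipient_accepted)."""
    transcript = [("S", server.banner())]

    def send(cmd):
        transcript.append(("C", cmd))
        replies = server.handle(cmd)
        transcript.extend(("S", r) for r in replies)
        return replies[-1]

    send(f"EHLO {CLIENT_NAME}")
    reply = send("AUTH LOGIN")
    if reply.startswith("334"):
        reply = send(b64(username))
    if reply.startswith("334"):
        reply = send(b64(password))
    if not reply.startswith("235"):
        return transcript, False
    if not send(f"MAIL FROM:<{sender}>").startswith("250"):
        return transcript, False
    return transcript, send(f"RCPT TO:<{recipient}>").startswith("250")


def reveal_credentials(transcript):
    """Decode every 334 challenge and the client line that answers it."""
    decoded, expect_b64 = [], False
    for who, line in transcript:
        if who == "S" and line.startswith("334 "):
            decoded.append(("S", unb64(line[4:])))
            expect_b64 = True
        elif who == "C" and expect_b64:
            decoded.append(("C", unb64(line)))
            expect_b64 = False
    return decoded


if __name__ == "__main__":
    host = SmartHostSim({USERNAME: PASSWORD})
    lines, accepted = relay_via_smarthost(host, USERNAME, PASSWORD,
                                          "sender@example.org", "someone@example.net")
    for who, line in lines:
        print(f"{who}: {line}")
    print("accepted:", accepted)
    print("readable on the wire:", reveal_credentials(lines))
```

Running the block prints a dialogue in the same S:/C: layout as the one above, and the last line shows the user name and password recovered from the Base64 lines with no secret at all, which is why the STARTTLS capability the server advertises matters more than the Basic Authentication checkbox.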

Now you may ask, what's the harm?  Well there are a couple of issues I can see right away:

  • ATT's SMTP servers handle much more email, potentially resulting in delayed email.
  • ATT's SMTP servers might have a different size restriction for outgoing mail.
  • What if ATT's SMTP server goes down?
  • This is a totally unsupported configuration.  Is ATT ever going to stop allowing SmartHosting?

Well, personally, the only one that I feel is an issue is the first point.  But hopefully, the SMTP servers are powerful enough to handle everything.

Questions and Comments

Please feel free to contact me if you have any questions.

Update:

If you've got Exchange clients (i.e. full blown Outlook, not Outlook Express) then you also need to set up smart hosting with the Exchange SMTP Connector.  I'll have more details on this when I get the chance.

10/22/2003

OK, I'm finally getting around to updating this for Outlook and Exchange.  If you are running an internal Exchange server with Outlook  clients, you not only have to SmartHost your Virtual Servers, but also your Exchange Internet Mail Service Connector.

Find your Internet Mail Service Connector here:

Bring up the properties, and enter your SMTP Smart Host in the "Forward all mail through this connector to the following smart hosts" text box.


On the Advanced Tab, select Outbound Security, and enter your SMTP Smart Host User name and password in the Basic Authentication section.

That's about it.  I think what's happening is that Exchange uses its own format for internal mail, and when it communicates an externally routed SMTP email, it uses the Internet Mail Service Connector rather than the Virtual SMTP server.

For normal POP3 email clients like Outlook Express, I don't think you need to do this, since they are connecting to the Virtual SMTP server directly.

NOTE: This is continued in Part 2.

Thanks,

Chris Lewis

Copyright © 2003-2006 Christopher G. Lewis
Last modified: 12/30/06 by Chris Lewis