[110801] in North American Network Operators' Group
Cisco ASA / Comcast SMTP problem workaround
daemon@ATHENA.MIT.EDU (lorell@hathcock.org)
Sun Jan 18 19:31:38 2009
Date: Sun, 18 Jan 2009 18:37:19 -0600
From: lorell@hathcock.org
To: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org
I have the problem when working out of my house that Comcast will lock down outbound SMTP on the regular ports. This may be due to the kids' computer getting infected with a virus from time to time. That is its own problem and I want to deal with it on its own.

The problem I want to discuss is a workaround to Comcast blocking outbound SMTP.

I have noticed at my house, when I have problems with regular SMTP traffic on port 25 to my own colo servers, that my Yahoo! premium email goes through fine without problem. I have a premium Yahoo! account and use SMTP on port 465 and POP3 on 995 with SSL configured on both.

The thought occurred to me that I could solve my immediate problem as well as let me send/receive email at hotels and wifi hotspots that all block regular SMTP traffic on port 25, and roll out an encrypted new service to my hosted customers.

I run my own small hosting company at a colo for a handful of customer domains and several that I own. I have a Cisco ASA 5505 (security plus license) and a pair of mail servers needed for inbound and outbound SMTP. The servers are on private IP addresses behind the ASA, which has static statements for the servers inside. Also, I have additional IPs available if needed for this solution.

Here is my question:

How do I configure my ASA (and Outlook) to:

1. Encrypt traffic between Outlook and the ASA on non-traditional SMTP and POP3 ports without using a VPN? (Using SSL just as Yahoo! does it.)
2. Leave my servers' configuration alone so that they continue to send/receive email in exactly the same way they are doing now?

Summarized: How do I duplicate Yahoo! premium email service using PAT on my Cisco ASA without changing any settings on my server?

Qualifiers:

1. I don't want to change the email server configurations because they are run by control panel software, and if I take them out of spec, the next update could wipe out my custom config.
2. I don't want to use a VPN client on my laptop because it takes up VPN licenses on the ASA and because a successful solution would be a boon to my customers.

I believe the ASA would have to do these things:

1. Accept SSL connections on the outside interface.
2. Accept the inbound SMTP request on an arbitrary, but non-dynamic, port and translate it to port 25 and send it on to the server.
3. Accept the response from the server and translate it back into the arbitrary port (from #2 above) on the remote client.
4. Do the same thing as above except for POP3.

This configuration would allow customers to also configure their SMTP/POP3 clients to allow them access to email without configuring a VPN client for each one.

Stated simply, I want to duplicate what Yahoo! premium email is doing between their servers and their customers like me.
Any thoughts?
Lorell Hathcock
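An added check, not from the original post or any ASA feature, for the design sketched in the numbered list above: a port-only PAT rule forwards bytes unchanged, so whether a client on 465 or 995 actually gets TLS depends entirely on whether the service behind the rule speaks TLS. This Python probe uses the fact that SMTP and POP3 servers greet first to tell a plaintext listener from an implicit-TLS one; the local demo server and its banner are constructed for the example.

```python
import socket
import ssl
import threading

# Constructed greeting for the local demo listener; not captured from a real host.
PLAINTEXT_BANNER = b"220 mail.example.invalid ESMTP ready\r\n"


def probe_mail_port(host, port, greet_wait=1.0, timeout=5.0):
    """Classify host:port as plaintext or implicit-TLS (the 465/995 style).

    SMTP and POP3 are server-speaks-first: a plaintext listener greets before the
    client sends anything, while an implicit-TLS listener stays silent until it
    sees a ClientHello. A PAT rule mapping 465 -> 25 only rewrites the port, so a
    plaintext back-end's greeting arrives on 465 in the clear (tls=False here).
    """
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.settimeout(greet_wait)
        try:
            greeting = raw.recv(512)
        except socket.timeout:
            greeting = b""
    if greeting:
        return {"tls": False, "greeting": greeting.decode("ascii", "replace").strip()}

    ctx = ssl.create_default_context()  # verifies chain and hostname, as Outlook would
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            greeting = tls.recv(512)
            return {"tls": True, "protocol": tls.version(),
                    "greeting": greeting.decode("ascii", "replace").strip()}


def start_plaintext_demo_server():
    """One-shot local listener standing in for a plaintext mail server behind PAT."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.sendall(PLAINTEXT_BANNER)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    print(probe_mail_port("127.0.0.1", start_plaintext_demo_server()))
```

Run against a real host as `probe_mail_port("mail.example.invalid", 465)`; tls=False on 465 or 995 means the port mapping is in place but nothing is encrypting the session, and a TLS-terminating front end (or TLS on the mail server itself) is still needed.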