Cisco ASA / Comcast SMTP problem workaround
lorell at hathcock.org
Sun Jan 18 18:37:19 CST 2009
I have the problem when working out of my house that Comcast will lock
down outbound SMTP on the regular ports. This may be due to the kids'
computer getting infected with a virus from time to time. That is its
own problem and I want to deal with it on its own.
The problem I want to discuss is a workaround to Comcast blocking
I have noticed at my house that when I have problems with regular SMTP
traffic on port 25 to my own colo servers, my Yahoo! premium
email goes through fine without problem. I have a premium Yahoo!
account and use SMTP on port 465 and POP3 on 995 with SSL configured
The thought occurred to me that I could solve my immediate problem,
let myself send/receive email at hotels and wifi hotspots that all
block regular SMTP traffic on port 25, and roll out a new encrypted
service to my hosted customers.
I run my own small hosting company at a colo for a handful of customer
domains and several that I own. I have a Cisco ASA 5505 (security
plus license) and a pair of mail servers needed for in- and out-bound
SMTP. The servers are on private IP addresses behind the ASA, which
has static statements for the servers inside. Also, I have additional
IPs available if needed for this solution.
Here is my question:
How do I configure my ASA (and Outlook) to:
1. Encrypt traffic between Outlook and the ASA on non-traditional
SMTP and POP3 ports without using a VPN? (Using SSL just as Yahoo!
2. Leave my servers' configuration alone so that they continue to
send/receive email in exactly the same way they are doing now?
Summarized: How do I duplicate Yahoo! premium email service using
PAT on my Cisco ASA without changing any settings on my server?
1. I don't want to change the email server configurations because
it is run by a control panel software and if I take it out of spec,
the next update could wipe out my custom config.
2. I don't want to use a VPN client on my laptop because it takes
up VPN licenses on the ASA and because a successful solution would be
a boon to my customers.
I believe the ASA would have to do these things:
1. Accept SSL connections on the outside interface.
2. Accept the inbound SMTP request on an arbitrary, but
non-dynamic port and translate it to port 25 and send it on to the
3. Accept the response from the server and translate it back into
the arbitrary port (from #2 above) on the remote client.
4. Do the same thing as above except for POP3.
This configuration would allow customers to also configure their
SMTP/POP3 clients to allow them access to email without configuring a
VPN client for each one.
Stated simply, I want to duplicate what Yahoo! premium email is doing
between their servers and their customers like me.
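As an added worked example (not from the post above, and not Cisco's documentation), here is the port-forwarding half of what is being asked for, in the pre-8.3 "static" syntax an ASA 5505 ran in early 2009. Every address is hypothetical: 203.0.113.10 stands in for one of the spare public IPs, and 192.168.1.25 for the inside address of the mail server. It assumes the server's existing one-to-one static on its own public IP is left in place; the port-level statics below are more specific and are matched first.

```cisco
! Added example with hypothetical addresses (not the original poster's config).
!   203.0.113.10  = spare public IP, reachable on the ASA outside interface
!   192.168.1.25  = real (inside) address of the mail server
! Pre-8.3 (ASA 8.0/8.2) NAT syntax.

! Static PAT: outside tcp/465 -> inside tcp/25, outside tcp/995 -> inside tcp/110.
! A static entry is bidirectional, so the server's replies are translated back
! to the client's connection automatically; no separate reverse entry is needed.
static (inside,outside) tcp 203.0.113.10 465 192.168.1.25 25  netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.10 995 192.168.1.25 110 netmask 255.255.255.255

! Open only the two mapped ports from the outside. Pre-8.3 ACLs on the outside
! interface name the translated (public) address and port, not the inside ones.
access-list outside_in extended permit tcp any host 203.0.113.10 eq 465
access-list outside_in extended permit tcp any host 203.0.113.10 eq 995
access-group outside_in in interface outside
```

Two things a practitioner should check before relying on this. First, the ASA's NAT engine only rewrites addresses and ports and forwards the TCP stream; it does not terminate SSL/TLS for a translated connection. A client configured for "SSL on 465" against this mapping therefore delivers a TLS ClientHello to a plaintext SMTP listener on port 25, which rejects it. To get the Yahoo!-style behaviour without touching the mail server's own configuration, something that speaks TLS has to sit in the path, for example stunnel on a separate inside host listening on 465/995 and forwarding in the clear to the server's 25/110 over the internal network; the two static lines would then point at that host's address and ports 465/995 instead of 25/110. Second, after adding the entries, run `show xlate` and `show conn` while connecting from outside to confirm the translation is being hit on the expected ports, and leave port 25 on 203.0.113.10 closed in the ACL so the new address does not become a second open relay path.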