Cisco ASA / Comcast SMTP problem workaround

lorell at hathcock.org
Mon Jan 19 00:37:19 UTC 2009


I have a problem when working out of my house: Comcast will lock down outbound SMTP on the regular ports. This may be due to the kids' computer getting infected with a virus from time to time. That is its own problem and I want to deal with it on its own.

The problem I want to discuss is a workaround to Comcast blocking outbound SMTP.

I have noticed at my house that when I have problems with regular SMTP traffic on port 25 to my own colo servers, my Yahoo! premium email goes through fine without problem. I have a premium Yahoo! account and use SMTP on port 465 and POP3 on 995 with SSL configured on both.

The thought occurred to me that this could solve my immediate problem, let me send/receive email at hotels and wifi hotspots that all block regular SMTP traffic on port 25, and let me roll out a new encrypted service to my hosted customers.

I run my own small hosting company at a colo for a handful of customer domains and several that I own. I have a Cisco ASA 5505 (security plus license) and a pair of mail servers needed for in- and out-bound SMTP. The servers are on private IP addresses behind the ASA, which has static statements for the servers inside. Also, I have additional IPs available if needed for this solution.

Here is my question:

How do I configure my ASA (and Outlook) to:
    1. Encrypt traffic between Outlook and the ASA on non-traditional SMTP and POP3 ports without using a VPN? (Using SSL just as Yahoo! does it.)
    2. Leave my servers' configuration alone so that they continue to send/receive email in exactly the same way they are doing now?
    Summarized: How do I duplicate Yahoo! premium email service using PAT on my Cisco ASA without changing any settings on my server?

Qualifiers:
    1. I don't want to change the email server configurations because they are run by control panel software, and if I take them out of spec, the next update could wipe out my custom config.
    2. I don't want to use a VPN client on my laptop because it takes up VPN licenses on the ASA and because a successful solution would be a boon to my customers.

I believe the ASA would have to do these things:
    1. Accept SSL connections on the outside interface.
    2. Accept the inbound SMTP request on an arbitrary, but non-dynamic, port and translate it to port 25 and send it on to the server.
    3. Accept the response from the server and translate it back into the arbitrary port (from #2 above) on the remote client.
    4. Do the same thing as above except for POP3.

This configuration would allow customers to also configure their SMTP/POP3 clients to give them access to email without configuring a VPN client for each one.

Stated simply, I want to duplicate what Yahoo! premium email is doing between their servers and their customers like me.

Any thoughts?

Lorell Hathcock
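As an added example (not from the post or from Cisco), here is what steps 2 through 4 of the list above look like as static PAT on a pre-8.3 ASA, assuming the inside mail server sits at 10.0.0.5 (placeholder address) and that the outside interface address is reused for the translated ports. Note that these lines only translate ports: the ASA forwards the TCP stream unchanged, so step 1 (SSL between Outlook and the ASA) still needs something that terminates TLS in front of the server, such as a TLS wrapper on an inside host; PAT alone leaves the client-to-ASA leg in cleartext.

```cisco
! Added example, not the poster's config. 10.0.0.5 is a placeholder inside address.
! Map outside tcp/465 -> inside tcp/25 (SMTP) and outside tcp/995 -> inside tcp/110 (POP3).
static (inside,outside) tcp interface 465 10.0.0.5 25 netmask 255.255.255.255
static (inside,outside) tcp interface 995 10.0.0.5 110 netmask 255.255.255.255
!
! Permit only the two translated ports from the outside; everything else stays closed.
access-list outside_access_in extended permit tcp any interface outside eq 465
access-list outside_access_in extended permit tcp any interface outside eq 995
access-group outside_access_in in interface outside
```

After applying this, `show xlate` and `show conn` on the ASA confirm that a client connection to outside:465 is being rewritten to 10.0.0.5:25; what they cannot show is encryption, which has to be verified on the client side by checking that the mail client negotiates SSL on the connection.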