Transparent hijacking of SMTP submission...

Christopher Morrow morrowc.lists at
Sat Nov 29 18:46:05 UTC 2014

backing up a bit in the conversation, perhaps this is just in some
regions of comcastlandia? I don't see this in Northern Virginia...

$ openssl s_client -starttls smtp  -connect
depth=0 description = kVjtrCL8rUdvd00q, C = US, CN =, emailAddress =
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 description = kVjtrCL8rUdvd00q, C = US, CN =,
emailAddress =
verify error:num=27:certificate not trusted
verify return:1
depth=0 description = kVjtrCL8rUdvd00q, C = US, CN =, emailAddress =
verify error:num=21:unable to verify the first certificate
verify return:1


Certificate chain
 0 s:/description=kVjtrCL8rUdvd00q/C=US/
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
Signing/CN=StartCom Class 1 Primary Intermediate Server CA


New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: FC3E47AF2A2A96BF6DE6E11F96B02A0C41A6542864271F2901F09594DE9A48FA
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1417286582
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
250 DSN
ehlo me

On Sat, Nov 29, 2014 at 12:26 PM, Jean-Francois Mezei
<jfmezei_nanog at> wrote:
> On 14-11-29 11:07, Sander Steffann wrote:
>> I am so glad that our Dutch net neutrality laws state that "providers of Internet access services may not hinder or delay any services or applications on the Internet" (unless [...], but those exceptions make sense)
> However, in the case of SMTP, due to the amount of spam, most ISPs break
> "network neutrality" by blocking outbound port 25 for instance, and
> their SMTP servers will block many incoming emails (spam).  However,
> SMTP is a layer or two above the network. But blocking port 25 is at the
> network level.
> I have seen wi-fi systems where you ask to connect to port
> 25, and you get connected to port 25. (the ISP's own SMTP
> server).  I would rather they just block it than redirect you without
> warning to an SMTP server of their own where they can look at your
> outbound email, pretend to accept it, and never deliver it.

More information about the NANOG mailing list