Tuesday, July 23rd, 2024 9:11 PM

Port 25 unblock (incoming), need to get email server back online

I host my own email server at home and I would like to be able to receive emails. Since moving my server from my previous residence with another ISP, to Xfinity, I am unable to receive any email. I've spent upwards of 5 hours on the phone with CSA to get escalated to the top support tier, but haven't had any luck. I see several customers have been able to get this fixed in recent times, so hopefully someone at Xfinity sees this and can help.

- https://forums.xfinity.com/conversations/email/how-many-calls-does-it-take-to-get-port-25-unblocked-and-my-email-server-back-online/63d465a0d9aa6753d37aac3a?commentId=63da76b98055430082f5ff1a

- https://forums.xfinity.com/conversations/email/can-i-get-port-25-unblocked-again/642b892b4d04032f946153c8?commentId=643927ea906b2274f778ed1a

- https://forums.xfinity.com/conversations/email/port-25-unblock-art-of-the-business-as-usual-runaround-and-is-there-anybody-out-there/636861fc92a15b227c29043f?commentId=636960bf92a15b227c2914d0

- https://forums.xfinity.com/conversations/email/reprise-unblock-port-25/65dba302a675d54e94bce604?commentId=65dfe2f0a675d54e94bd3d32&replyId=65e0b0eea675d54e94bd562f

14 Messages

4 months ago

@XfinityCSAEmail @XfinityAlex much appreciated if someone can help me or nudge the right person!

Official Employee

881 Messages

@user_12vvs6​ I don't have the power to do this.  I'll send the thread to them, and let them respond here.

18 Messages

test this new comment added to my account

<svg/alert(1)><svg><svgalert(1)><svg> # newline char<svg alert(1)><svg> # tab char<svg alert(1)><svg> # new page char (0xc)

Official Employee

103 Messages

4 months ago

Hello @user_12vvs6 unfortunately Comcast does not support port 25 for the transmission of email by our residential Internet customers any longer. If you would like more information you can follow this link https://www.xfinity.com/support/articles/email-port-25-no-longer-supported to review our updated policy.

14 Messages

I am not using port 25 for email "submission". As in all of the links I shared of others who were helped, I am not trying to submit mail to my server or any other server. Port 25 is the only supported port for one email server (not a client!) to send an email to another email server. I just want my server to be able to "listen" for incoming emails. I don't actually care to send emails out from it. If port 25 can be unblocked in the inbound direction, but not the outbound direction, then I can receive email but not send any. There is no possible way for spam to be spread this way.

14 Messages

I understand that connecting out to port 25 is possible to abuse for spam/malware, and I have no problem with this being blocked. Other ISPs including the one which I moved from (not available at my current address yet) allow inbound port 25 traffic by default without any special request to support. There is no possible way to send spam with the firewall being "one-way" like this, and Xfinity should really change it to be the same.

14 Messages

The Xfinity support page you link also falsely states that the IETF recommends blocking port 25. The linked RFC explicitly states as much.

This document offers no recommendation concerning the blocking of SMTP port 25 or similar practices for controlling abuse of the standard anonymous mail transfer port. Rather, it pursues the mutually constructive benefit of using the official SUBMISSION port 587 [RFC4409].

What it does say about blocking is that it is commonly done by some providers, but it does specify only that OUTBOUND is blocked.

A proactive technique used by some providers is to block all use of port 25 SMTP for mail that is being sent outbound

The lack of service and the disinformation about this topic is very frustrating. The fix is absolutely simple here.

14 Messages

You say "updated policy", implying that policy has changed since the instances of other customers being helped that I linked. This is not apparent though, as the port 25 policy page has existed at least since 2018: https://web.archive.org/web/20181201000000*/https://www.xfinity.com/support/articles/email-port-25-no-longer-supported

14 Messages

@XfinitySPAAbuse​ maybe you can get the attention of someone who can help with this? It would be so awesome to get this fixed for everyone, so that time in the future isn't wasted with these requests. I do not see any practical/security-related reason why Xfinity is alone in not allowing even inbound connections.

Gold Problem Solver

26K Messages

4 months ago

@user_12vvs6 wrote: "... I just want my server to be able to "listen" for incoming emails. ..."

Communication with a mail server requires a conversation between two devices, and the conversation requires traffic to travel in both directions, correct? I don't see how software could "listen for incoming emails" without being able to send as well as receive over the connection.

Please be aware that there are 2 kinds of responses in this Forum: Replies and Comments. When you Comment on a post by scrolling down to "Comment on this post here...", I am notified of your response. But if you select Reply, I am NOT notified and may not be aware of your response.

14 Messages

A TCP connection is initiated by a 3-way handshake. The first step "SYN" is done by the server starting the connection. A "stateful" firewall tracks the state of all connections, putting the remote IP address/port in a table. When the local server responds, the traffic is then allowed out because the destination IP address and port match the one previously stored in the table. This way the server can respond, but only when spoken to first.

Visitor

7 Messages

4 months ago

There are several of us out there who run our own mail servers for a variety of reasons. The various links in the OP to other posts on these forums will show this and the frustration with the process.

I'm interested to see where this goes as I've had to deal with getting exceptions from time to time in the 20 years I've had this service, which has gotten progressively more difficult.  I did receive an email from Comcast yesterday informing me this was coming:

"Xfinity no longer supports port 25 for email by our residential internet users. In the past, exceptions were made to unblock this restriction, but as of August 25, 2024, we will no longer allow these exceptions."

@XfinitySPAAbuse​ , does this mean we will need to upgrade to a Business plan or does this moratorium apply there as well?   

(edited)

14 Messages

Thank you for commenting with your experience. My use case is just for receiving mail, so it is especially frustrating that the distinction between outbound/inbound connections is completely ignored by this policy. With regards to business plan, I would hate to have to pay 2x as much/month + 2 year contract. At least on the website it also forces you to rent their modem, security product, and installation fees.

Gold Problem Solver

26K Messages

4 months ago

@user_12vvs6 wrote: "A TCP connection is initiated by a 3-way handshake ..."

Thank you. You just explained why it isn't possible to just "listen for incoming emails" on an inbound-only connection. Setting up a TCP session requires both inbound and outbound traffic.

14 Messages

Your sarcasm is not appreciated by anyone who comprehends what I explained. Of course packets must be sent as well but they are filtered to only the remote IP+Port pair that initiated the connection. If you would like, I am glad to help clarify the details in DMs or elsewhere, but otherwise I'm afraid we are sidetracking the issue.
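Added example, not part of any post in this thread: a minimal Python model of the stateful (connection-tracking) filtering described in the comments above, with inbound port 25 open and new outbound connections to port 25 blocked. The class name, the policy parameters and all addresses (documentation ranges) are constructed for illustration and do not describe any ISP's actual configuration.

```python
from typing import NamedTuple

class Packet(NamedTuple):
    direction: str  # "in" = Internet -> customer, "out" = customer -> Internet
    src: tuple      # (ip, port)
    dst: tuple      # (ip, port)
    flags: str      # TCP flags of interest: "SYN", "SYN-ACK", "ACK"

class StatefulFilter:
    """Hypothetical policy: accept new inbound SMTP, refuse new outbound SMTP."""
    def __init__(self, open_in=(25,), blocked_out=25):
        self.open_in = set(open_in)
        self.blocked_out = blocked_out
        self.table = set()  # tracked flows keyed as (remote_endpoint, local_endpoint)

    def decide(self, p: Packet) -> str:
        if p.direction == "in":
            flow = (p.src, p.dst)
            if flow in self.table:
                return "accept"           # belongs to a tracked connection
            if p.flags == "SYN" and p.dst[1] in self.open_in:
                self.table.add(flow)      # remote side opened it: start tracking
                return "accept"
            return "drop"
        flow = (p.dst, p.src)
        if flow in self.table:
            return "accept"               # reply to the exact remote IP+port pair
        if p.flags != "SYN" or p.dst[1] == self.blocked_out:
            return "drop"                 # no state, or a new outbound SMTP attempt
        self.table.add(flow)              # other new outbound connections are tracked
        return "accept"

def run_scenario():
    home = "203.0.113.10"                 # constructed customer address
    server = (home, 25)                   # home mail server listening on port 25
    remote = ("198.51.100.7", 41000)      # constructed sending mail server
    web = ("192.0.2.80", 443)
    packets = [
        Packet("in", remote, server, "SYN"),       # remote MTA connects
        Packet("out", server, remote, "SYN-ACK"),  # server answers the handshake
        Packet("in", remote, server, "ACK"),
        Packet("out", server, remote, "ACK"),      # e.g. the SMTP banner and replies
        Packet("out", (home, 50000), ("192.0.2.25", 25), "SYN"),  # new outbound SMTP
        Packet("out", server, ("192.0.2.99", 42000), "SYN-ACK"),  # reply with no state
        Packet("out", (home, 50001), web, "SYN"),  # ordinary outbound traffic
        Packet("in", web, (home, 50001), "SYN-ACK"),
    ]
    fw = StatefulFilter()
    return [fw.decide(p) for p in packets]

if __name__ == "__main__":
    print(run_scenario())
```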

14 Messages

4 months ago

@XfinitySPAAbuse I have paid accounts with other service providers registered to this email, and would like to be able to receive 2 factor authentication codes and such so I can access these accounts.

Official Employee

881 Messages

@user_12vvs6​ You'll need to connect the domain to a hosted provider, or Comcast Business accounts can have inbound/outbound port 25.

14 Messages

4 months ago

In the interest of being minimally intrusive and a neutral service provider, it would really be nice to not block anything that doesn't need to be blocked. It doesn't seem this issue is going anywhere because apparently few understand the distinction between outbound and inbound connections, and most rely on 3rd parties to run their services. In the meanwhile I have switched to using another local ISP that only blocks *outbound* port 25 connections. Maybe someone in the right department will eventually see all these posts. The solution may be as simple as 1 command/line of code :(

Official Employee

881 Messages

@user_12vvs6​ Inbound port 25 has been blocked for quite a while, as the Residential ToS/AUP says that users will not run servers (or something like that).  That suggests that one should not be running an inbound service on port 25 (as a server).

Blocked internet ports list - Xfinity Support

Comcast Acceptable Use Policy for High-Speed Internet (xfinity.com)

Another option is Comcast Business services, which do allow for port 25 (inbound and outbound), as well as other ports blocked per policy by the Residential AUP.
