Contributor
•
22 Messages
Comcast incoming email blockage -- and Xfinity / Comcast support circus
Wow. I'm four days into an "escalating ticket" circus at Comcast, and it's just getting more and more Kafka-esque. Maybe they'll actually call back today.
FWIW, I am a Comcast/Xfinity home user. But that has nothing to do with my problem.
The basics: I have a mail server that runs a few small domains (a couple dozen users) that is being blocked by incoming Comcast mail servers. Every other destination is working fine (including Outlook, Yahoo!, Gmail, etc); my server is being blocked only by Comcast.
At first, the problem seemed to be a (seemingly new) requirement by Comcast mail servers that the PTR ("reverse DNS") record match that of the "forward" lookup. This was true for my IPv4 address, but not for the IPv6 that was often being used recently. So I fixed that problem on my end, and the message received by my server when contacting any of the @comcast.net mail servers changed from a "551" error (a 'hard block') to a "421" error -- "ESMTP server temporarily not available". This is a temporary error, which causes my mail server (anybody's mail server, really) to queue the messages and try again later.
But it's been two weeks, and I'm still getting a 421.
So I went to the Postmaster tools page for Comcast, which has a form for submitting my IP addresses and requesting them to get unblocked. Which I duly filled out, with an explanation like the above.
I got back an email saying that there was no blocking for my IP addresses. Which I know is patently untrue, as I can reach Comcast's mail servers and get a regular "220" response ("continue with sending mail") from multiple of my other servers, every single time. So despite them saying that my IP addresses are not blocked, I can easily demonstrate that they are; as connecting on port 25 from any other server I have works fine, and connecting from my mail server returns "551" immediately -- there can be no other checks except for IP address, as I am unable to send any other information.
So I found the number for Xfinity "security" and, after much dumping of information, got them to create a ticket. They promised a callback, which actually happened, and they took some more information.
Now, let me say right here that I can't blame the people who called for not understanding my problem. They were simply trying to gather information in order to sort the ticket to the correct department and priority. None of them had any idea what "connecting to port 25" meant, or really, anything having to do with my problem. But I duly sent (via email) some scripts of me connecting to their servers via telnet, which clearly would demonstrate (to an email sysop anyway) the problem -- that my IP addresses are being blocked. All I could hope for was that this would get sent to someone who knows what "port 25" means.
At some point, I talked to someone who said my issue (with a new ticket number) was escalated to "level 3 engineering", and that I would receive a callback within 24 hours.
After not receiving such callback in 24 hours, I called back with my ticket number. After 15-20m, I got a response that they would definitely call back "in the morning". Morning came and went, and so I called again. Another 20m waiting on the phone while call center chatter went on in the background, and finally someone said that yet another ticket number had been generated, but this time they would definitely call back "today".
I've been very understanding and kind to the multiple help desk people I've talked to, especially since there is little chance of them understanding my problem -- all I can hope is that they can "escalate" it to someone who does understand. But it's just a classic "may I verify your Xfinity customer information?" circus every single time I contact them, then getting yet another agent who asks "so you cannot send mail from your Xfinity account?", and me gently explaining the problem further.
It will take some email sysop 10 seconds to delete my two IP addresses from whatever table their mail servers are using to block them. Maybe that costs Xfinity $10 of his time. In the meantime, I am going to call Xfinity every single day, costing them maybe $100s in worthless support time, until I can find that person.
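The two checks the post above relies on, as an added example that is not part of the original post: reading the server's greeting code (220 / 421 / 5xx) and testing whether an address's PTR name resolves forward to the same address. The function names, `mail.example.org`, `host-25.isp.example.net` and the documentation-range addresses are assumptions constructed for illustration.

```python
import ipaddress
import socket

def classify_greeting(banner):
    """Return (code, verdict) for the reply a server sends right after connect."""
    lines = banner.strip().splitlines()
    if not lines or len(lines[-1]) < 3 or not lines[-1][:3].isdigit():
        raise ValueError("not an SMTP reply")
    code = int(lines[-1][:3])  # last line of a multi-line reply carries "NNN text"
    verdict = {2: "accepted",
               4: "temporary failure: sender queues and retries",
               5: "permanent failure: sender bounces"}.get(code // 100, "unexpected")
    return code, verdict

def _ptr(ip):
    try:
        return [socket.gethostbyaddr(ip)[0]]
    except OSError:
        return []

def _forward(name):
    try:
        return {info[4][0].split("%")[0] for info in socket.getaddrinfo(name, None)}
    except OSError:
        return set()

def fcrdns(ip, ptr_lookup=_ptr, forward_lookup=_forward):
    """True if a PTR name for ip resolves forward to that same address."""
    want = ipaddress.ip_address(ip)
    for name in ptr_lookup(ip):
        for addr in forward_lookup(name):
            # Compare parsed addresses: IPv6 has many textual spellings.
            if ipaddress.ip_address(addr) == want:
                return True
    return False

# Constructed records (documentation ranges): IPv4 matches, IPv6 PTR does not.
PTR = {"192.0.2.25": ["mail.example.org"],
       "2001:db8::25": ["host-25.isp.example.net"]}
FWD = {"mail.example.org": {"192.0.2.25", "2001:0db8:0:0:0:0:0:25"}}

def check_sample(ip, ptr=PTR):
    return fcrdns(ip, lambda i: ptr.get(i, []), lambda n: FWD.get(n, set()))
```

Calling `fcrdns(ip)` with no lookup arguments uses the system resolver, so it should be run on the mail server itself for each address it sends from.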
XfinityChelseaB
Official Employee
•
1.2K Messages
4 months ago
Hello @creeble, Thanks so much for taking a moment out of your day to leave a post on our community forum. Please check out "Why is port 25 for email submission not supported?" for more information.
creeble
Contributor
•
22 Messages
4 months ago
The comedy continues.
So I finally got a callback from someone in "email security". They claim to understand the issue, have the email I sent showing the connection dialog, and would like to diagnose the issue. Yay!
But they claim that there are no connections from my server to (presumably) any Comcast mail servers. Well, I mean, that connection dialog in the email clearly shows a connection, so either they aren't looking in the right place, or they aren't actually logging all connections.
So this agent asks me to perform a traceroute from my server to theirs. This is obviously an absurd request, for two reasons:
1) Their servers / network filter ICMP packets (can't ping any Comcast mail servers), so the traceroute is always going to fail, and
2) My server is clearly contacting their server because I get a connection, and a connection message. A traceroute success or failure will prove nothing.
I try explaining this to the agent as clearly as possible, but he didn't seem to be getting it. "I don't see a connection, so would you provide a traceroute," he says. "I don't need to provide a traceroute, I am clearly connecting to your server," I replied, starting to lose whatever cool I might have had when we started.
I don't like correcting sysops that are clearly trying to help me. "But if you are getting an error, a traceroute could help," he says. "No, it can't -- the error I'm getting is from your server. I don't know why you can't find my connection, but it's there, and the connection dialog I sent clearly shows it. This is not a timeout error, or any other kind of routing error -- I am connecting to your server! I am just getting an SMTP 421 response. Do you know how SMTP works?"
Okay, that's maybe a little rude. Except that he clearly didn't know how SMTP works, or he would have been able to identify the "421 resimta-c2p-559799.sys.comcast.net resimta-c2p-559799.sys.comcast.net ESMTP server temporarily not available" error as clearly coming from their server, not some routing error that maybe a traceroute would be able to help diagnose.
Sadly, I wasn't near my computer at the time he called (I was at lunch), so I asked for his number, which he graciously gave. I've been calling him back for the last 12 hours to no avail.
I'm sorry for getting a little upset about talking to someone who doesn't understand SMTP or even TCP when they represent themselves as a technician who can help with my problem, but there it is. There is no amount of traceroute-ing that is going to help diagnose a problem that is happening when a TCP connection is already working. It ain't a Layer 3 problem.
Anyway, the frustration / comedy continues. I like having a place to vent; I'll update if I ever get through or get another agent; maybe one who understands SMTP.
creeble
Contributor
•
22 Messages
4 months ago
The saga continues -- and ends?
So today, having not received any calls (once again) from Comcast, I called the Security Division again, with my ticket number. Once again they authenticated me, then on hold for 10-15m while they look up the ticket and context.
They see that, indeed, the ticket is still open. They promise to connect me to a "security level 2" agent, and I'm on hold for another 15m or so; fine. I talk to someone who had to look the ticket up again (and authenticate me again as an Xfinity/Comcast customer), and they tell me that I will definitely get a call from the agent with whom I spoke yesterday. Okay, well, two messages to his VM today, but whatever.
And sure enough, he calls about 15m later. Authenticates me once again. We talk. He decides to call someone a little higher up, and get an answer while I'm on hold. Great! We're moving forward!
The person he spoke with recommended I check my (reverse) DNS -- "that's the message you get when your DNS isn't configured properly."
Except, no, it's not the message you get when your PTR record doesn't match your host name. You get a 554 from their servers when this happens (ask me how I know). Your connection also gets immediately dropped, which doesn't happen with the 421 response I get.
So he goes back to the Level 3 engineer or whoever it was, who seems to actually know something about email, and presumably elucidated him with this useful information.
And guess what he gets back? "Wrong department." I should be talking to the Postmaster people! Like, at spa.xfinity.com, where I started by sending in my two IP addresses and asking for an unblock. Over two weeks ago. When they immediately sent me back a "they're not blocked" email. He wants me to go there and send it again.
"Oh, please, please tell me that you'll keep the ticket open?" I beg. "No, we need to close this ticket; it is only valid within the Security department."
I'm too much of a Stoic to cry, but it's not like I don't know how this Kafka movie ends. Kafka wrote comedy, so I just laugh instead.
And now for the punch line.
So I head out to lunch, finally, with my coffee-shop laptop in hand. I will dutifully fill out the Postmaster request form, once again, and give them my tale of woe. Twenty-five minutes later, with my cappuccino in hand, I open a couple of terminal windows to my server to make sure I have the right IP addresses to report, and begin filling in the form. I get to the last box, where I can make my free-form appeal, with no apparent limit on size; oh joyful day. I once again want to copy and paste the exact 421 response I am getting from Comcast's mail servers, so I telnet in to a random one like I've done one or two hundred times in the last two weeks, and...
I get a 220. I'm unblocked.
Huh. No reason to push the "Review" button on the form, I guess.
Will I ever get an email confirmation of the removal of the block? Yeah, right. Will they contact me at all? What for, it's working! For now, anyway.
So I flush the queue, and two weeks' worth of emails to a dozen or so @comcast.net email addresses go out to their servers, with no issues at all.
Is there a moral to this story? All I can say is that if you are an innocent serf-postmaster/sysop who is suddenly blocked from sending emails to @comcast.net addresses (and this forum seems to have many such cases), I have two words for you:
Good Luck.
And for all you @comcast.net customers (and I am one, or I could not be posting in this forum), please stop using Comcast as your email provider, and make the painful move to... just about anyone else. You'll be happier, and so will Comcast. Email is just cost to them. And it cost them a lot to fix my issue.
PleaseFixThis_
11 Messages
4 months ago
Basically got the same response. That domain is not blocked and that I needed to call back the sender to let them know. I’m just the email user. Why is it MY responsibility to resolve an email issue between two billion-dollar companies because IT can’t talk to each other or Comcast refuses to dig deep and figure this out? Argh.