Visitor

 • 

4 Messages

Monday, November 7th, 2022 1:40 AM

Closed

port 25 unblock, Art of the (Business as Usual) Runaround, and "Is there anybody out there?"

I'm an Xfinity residential internet customer.

To me it's a simple pipe.
I don't use your email servers to send/receive.
I don't run any servers, or provide any services of any kind.

I do need to run diagnostics to services out on the 'net.

That includes the ability to connect to other mailservers on the 'net, to verify operation (e.g., telnet server.example.com 25) or grab/check an SSL certificate (e.g., openssl s_client --connect server.example.com:25 -starttls smtp).

That connection is from a simple command line shell.  It does not involve any email MTA, etc.

I'm unable to do so because Comcast/Xfinity blocks in/out-bound port 25 on IPv4/IPv6.
(Well, unable to do so without circumventing Comcast's network nonsense either via a vpn/tunnel, or just plugging into one of my other ISPs ...)

How do I know this?

(1) I can demonstrate it to myself

 shell -> Comcast connection -> any server @ port 25, no response.
 shell -> Comcast connection -> any server @ any other port, works fine
 shell -> OTHER ISP connection -> any server @ any port, works fine

i.e., only the port 25 connections over Comcast fail.

(2) Comcast SAYS that port 25 is blocked

 https://www.xfinity.com/support/articles/list-of-blocked-ports

and 

(3) says it AGAIN

 https://corporate.comcast.com/comcast-voices/updated-management-of-smtp-port-25   

 "In order to ensure a more secure network and email domain, Comcast will no longer by default allow access to port 25 for our RESIDENTIAL Internet users. In addition, we are asking comcast.net email users to migrate to port 465, which offers SSL encryption. We will continue to support the industry standard port 587."

AND then immediately continues that residential users can request an UNBLOCK,

 "Upon request to our Customer Security Assurance team this block can be removed, enabling access to use port 25 for other email domains, though the comcast.net email servers will no longer accept submission via port 25."


I called 

 COMCAST Customer Security Assurance @ 1-888-565-4329

They checked with their technical upstream, assured me that it could/would be done, and opened a Case (#IH XXX XXX XXX).

They informed me that I would need to contact the "Internet Essentials dept" (855-846-8376), give them the above Case #, "which contains all the information they need", to have the work done.

That wasn't successful.  After hours of runaround, I was sent BACK to CSA.

Who next transferred me back to Technical Support.

Rinse, repeat, for hours more.

Finally, in online chat, 'support person #8' (or thereabouts ...) FINALLY, in response to my request to:

 "Unblock port 25 access for my line/account.  Both in- and out-bound, both IPv4 & IPv6."

Answered,

 "I have successfully proceed the needful and it might take upto 60 minutes to unblock. that's the confirmation number CR Ticket #CRXXXXXXXXX"

3 hours later, still nothing.

I went back online, in the same chat, to ask, and was told,

 "As checked the ticket raised was not regarding unblocking the port 25. In order to check if the port can be unblocked I would suggest you to get in touch with our customer security assurance team at 1-888-565-4329 as they take care of such concerns and will help you out."

I.e., now at the ~9 hour, after countless phone calls & chats, mark, back to First Base.

So, one last time, I called CSA again.  As usual, they first provided their usual instinctively knee-jerk "can't be done" response.  After I shared the above^^^ episode with them, they said "then we will transfer you to the right department" and ...

... wait for it ...

transferred me back again to Tech Support, with yet-another promised hold time of an hour or so.

I hung up.

Now I'm here.

My only question, "screaming into the void", is:

 IS THERE REALLY NO ONE @ COMCAST/XFINITY THAT'S READY/WILLING/ABLE TO DO WHAT YOU PROMISE IN WRITING ON YOUR OWN WEBSITE, AND IN REPEATED CONVERSATIONS AND TICKETS?

I'm fully aware this is not an atypical experience @ Comcast/Xfinity support; its reputation precedes it.

And I'm pretty sure I know the answer.  But thought I'd ask, anyway ...
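
The comparison in check (1) of the post above can be scripted. This is an added example, not part of the original post; the function names and the choice of 587 as the control port are assumptions made for illustration.

```python
import socket

def probe(host, port, timeout=5.0):
    """TCP-connect to host:port; return (state, greeting)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                greeting = s.recv(512).decode("ascii", "replace").strip()
            except socket.timeout:
                greeting = ""  # connected, but the server sent no banner in time
            return "open", greeting
    except ConnectionRefusedError:
        return "refused", ""   # RST came back: path is clear, nothing listening
    except socket.timeout:
        return "filtered", ""  # no answer at all: SYN dropped somewhere on the path
    except OSError as exc:
        return "error", str(exc)

def classify(smtp_state, control_state):
    """Turn the two probe states into the conclusion drawn in check (1)."""
    answered = ("open", "refused")
    if smtp_state in answered:
        return "port 25 path is clear"
    if smtp_state == "filtered" and control_state in answered:
        return "port 25 is filtered on this path; other ports get through"
    return "inconclusive"

def diagnose(host, smtp_port=25, control_port=587, timeout=5.0):
    """Probe the SMTP port and a control port on the same host."""
    smtp_state, greeting = probe(host, smtp_port, timeout)
    control_state, _ = probe(host, control_port, timeout)
    return smtp_state, control_state, greeting, classify(smtp_state, control_state)

if __name__ == "__main__":
    import sys
    print(diagnose(sys.argv[1]))
```

A "filtered" result alone does not say where the drop happens; running the same probe over a second connection, as the post does with another ISP, is what attributes it to the access network.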


Visitor

 • 

4 Messages

2 years ago

Not sure why this was moved by a moderator to 'Email', as it has absolutely nothing to do with Comcast/Xfinity email -- which I do not now, and never will use.

instead, it has to do with default-applied TCP port 25 blocks.  I.e., an internet service network policy issue.

Am I suspicious that there's yet another assumption that port 25 is only about email clients, bots, malware, etc? Well ....

(edited)

Official Employee

 • 

1K Messages

2 years ago

Good afternoon,

The port should be open to you now. Primarily the port is used for and concerns for email related issues. Even if you don't use it for email purposes. It's a port that can be used for many purposes, but is most commonly used in email exploits as mentioned in the article you posted. Port 25 is a bit of a multi-tool. One port for many purposes. It's possible it got moved here by another employee so I could take a look at this for you. It's generally recommended to use other available ports. Few caveats to this being unblocked for you - you are responsible for all traffic now originating over port 25 from your network. Abuse of this port (by you directly or not) will result in the loss of the port and remove access to the port going forward.

(edited)

Visitor

 • 

4 Messages

2 years ago



> The port should be open to you now

It is.  TCP probes to port 25 servers on the 'net now work as expected. Thanks.


(and, "so people with similar questions may benefit from the conversation." ...)

>  but is most commonly used in email exploits as mentioned in the article you posted

commonly, yes.  solely, no.

It's unhelpful when the phone/chat support "Tier 2" staff rattle off that boilerplate as if it's gospel, without a real clue.

But that's them.

> It's generally recommended to use other available ports

Sure, where possible.

port 25 is of course the default receive port for SMTP servers.  that's not going to change anytime soon.

The need to communicate to those servers on port 25 is real & legitimate.

> It's possible it got moved here by another employee so I could take a look at this for you.

I've learned to come here to forums, and completely ignore the Xfinity phone/chat support channels.

> Few caveats to this being unblocked for you - you are responsible for all traffic now originating over port 25 from your network. Abuse of this port (by you directly or not) will result in the loss of the port and remove access to the port going forward.

Understood, I'm good.  My network is locked down well and under control.  I've no public-facing services.

That said, can we hold Xfinity/Comcast to the same standard?  So that it takes responsibility for all abusive traffic originating from its network (by you directly or not), arriving at mine?

Since you felt it necessary to make a point, I thought it'd be fair to ask in return! ;-)





Thx o/

Official Employee

 • 

1K Messages

@user_edf38f​ 

Good afternoon,

We do take responsibility for any abusive traffic originating from our network :)
Please review the following if you would like to report something:
https://internetsecurity.xfinity.com/help/report-abuse

Apologies if it seemed like I was trying to make a point with that statement, it's simply something I must state no matter the person or their experience with network management. Let's just say a precedence has been set where it's required that we make the statement that abuse of the port will result in loss of it. For what it's worth, we are investigating the service you experienced over the phone/chat to ensure we can provide a level of customer service that our customers deserve.

I am an Official Xfinity Employee.
Official Employees are from multiple teams within Xfinity: CARE, Product, Leadership.
We ask that you post publicly so people with similar questions may benefit from the conversation.
Was your question answered? Please, mark a reply as the Accepted Answer.

Visitor

 • 

1 Message

2 years ago

I've had this same experience today. called two weeks ago and they created a ticket on my account: "yes, port 25 will be opened for you. you'll get an email when this happens." Long story short, still blocked as of today. spent the last 5 hours on the phone with about 15 xfinity people. tech support, supervisors, the "CSA email" people, etc. and gave the same explanation at least 25 times: I work from home and my job requires me to be able to access port 25 for my IT work. when i try to connect to a server (outgoing) the connection times out. when a server outside tries to connect to me via port 25 (incoming) it tries and retries and eventually aborts. i cannot do my job with ports blocked on my internet connection. PLEASE help me fix this problem.

https://corporate.comcast.com/comcast-voices/updated-management-of-smtp-port-25
"Upon request to our Customer Security Assurance team this block can be removed, enabling access to use port 25 for other email domains, though the comcast.net email servers will no longer accept submission via port 25." -- nobody seems to know *how* to request this or how to actually perform the unblock.

PLEASE HELP!

Expert

 • 

30.9K Messages

@mike_b15 

Please start a new thread with this issue so that @XfinityCSAEmail can take a look at it for you.

Thanks!

Closing this thread.

(edited)

I am not a Comcast Employee.
I am a Customer Expert volunteering my time to help other customers here in the Forums.
We ask that you post publicly so people with similar questions may benefit from the conversation.

Was your question answered? Please mark an Accepted Answer!