Secure SMTP stopped working

Keithj · Oct 04, 2015, 16:36:06

My daughter and I both travel, and both use my IDNet account to send mail - not just from IDNet addresses, but from our personal domains. It's worked well since I joined IDNet from another ISP who also offered (and still offers) this facility.

As of last Friday morning, the SMTP server started refusing messages from our personal domains - except when connected to the IDNet VDSL at home. This is causing us all kinds of problems!

I was told that the reason for the change is spam elimination. That seems odd to me, because the sender has to log on with an ID and password. If there's spam, IDNet knows exactly who the spammer is, and can deal with that account. Also, the IDNet SMTP won't accept more than 100 messages an hour, and spammers send rather more than that.

Is this an error by someone at IDNet who set a wrong flag, or do I have to go looking for a new ISP? I like the IDNet service otherwise - a bit dearer than most, but it works well. Is there a "trusted customer" option that allows secure SMTP from mobile devices and personal domains?

Simon · Oct 04, 2015, 17:06:12

I've never heard of a "trusted customer" option, but I guess they have a right to refuse to allow SMTP traffic from certain other domains. If yours is a personal domain, though, it seems odd for them to have blocked it, especially given that you're an IDNet customer. Who are you actually using as a mobile internet connection? I did have a problem with O2 once, where a range of their IPs was blocked for spamming. I guess it's possible that you may be using an IP in a banned range?

davej99 · Oct 04, 2015, 17:29:57

Seems to be something odd with SMTP server using two different non IDNET UK IPs. I am getting rejected, "You are not connected from an IDNET IP" using Windows Mail to send, but not using Office Outlook on same machine or using Android tablet. POP & IMAP work fine.

pctech · Oct 04, 2015, 17:57:02

They MIGHT have limited it to UK IPs because in the event of any abuse using stolen credentials from a compromised device it is easier for them to contact and deal with a UK based provider than it is with a non UK based one.

nowster · Oct 04, 2015, 22:44:45

Not accepting "off net" SMTP for relaying is standard practice, and has been for over a decade.

Do iDNet do authenticated SMTP at all?

Keithj · Oct 05, 2015, 16:18:24

Quote from: nowster on Oct 04, 2015, 22:44:45
Not accepting "off net" SMTP for relaying is standard practice, and has been for over a decade.

Do iDNet do authenticated SMTP at all?

"Off-net" with no authentication has not been accepted (outside a few known open relays) for a very long time.

"Secure SMTP" where the user is required to enter an ID and a password before sending from another domain while outside the ISP network has been around for a very long time, too. IDNet offered it until last Friday, when it was summarily turned off with no warning and no explanation other than "spam" - which doesn't ring true given that the sender has to identify so offenders can be isolated. IDNet also limited such senders to (I recall) 100 messages an hour - which would cramp the style of any spammer. My previous ISP offered it. Some others still do.

It was very useful when travelling in the UK, using the O2 or free WIFi wherever I happened to be. It will make me rethink who I use as an ISP.
I can still send from those non-IDNet domains from home, but almost all ISPs allow that with no special security needed - because they know who the sender is, just as when the sender has to log in with a name and ID (oh...).

SMTP2GO offers the service, for $45 plus UK VAT a year for up to 2000 messages a month. Curious that IDNet couldn't use that model.

Keithj · Oct 05, 2015, 16:22:38

Quote from: Simon on Oct 04, 2015, 17:06:12
I guess it's possible that you may be using an IP in a banned range?

The IDNet heldesk confirmed to me on Friday that the whole facility has been turned off, and will not be returning.

colirv · Oct 05, 2015, 17:08:34

Does this mean that when I'm next on my ultrabook using a hotel's wi-fi, through my VPN, I won't be able to send emails using IDNet's SMTP? That seems a bit off.

Keithj · Oct 05, 2015, 17:29:51

Not sure. If you're connected via your VPN at home, will IDNet not see you as being at home, so on the IDNet connection?

I've not tested that with mine, but may do later. Having to connect to a VPN to send mail will work from WiFi (I suppose) but could be a faff when on a poor mobile signal. Much of mine in these rural parts goes out as GPRS, and I've never managed to get the VPN to work on that.

Steve · Oct 05, 2015, 19:10:32

I've just sent an email via IDNets smtp ( password authenticated) server from outside of their network, no issue found.

Keithj · Oct 05, 2015, 19:23:10

Just tried mine again, using the O2 connection on my iPad, and got the message "The sender address was rejected by the server", which is the same as my daughter and I have been getting since last Friday. She from WiFi in Germany, me from O2 here.

If I connect to the home WiFi, which is on an IDNet account, then it works.

colirv · Oct 05, 2015, 19:48:07

Quote from: Keithj on Oct 05, 2015, 17:29:51
If you're connected via your VPN at home, will IDNet not see you as being at home, so on the IDNet connection?

I only use the VPN away from home.

Keithj · Oct 05, 2015, 22:24:35

Sorry - bad wording: "connected to your home VPN".
I don't think it's possible to connect to a home VPN when you're already at home and on the home WiFi. Mine refuses the connection if I try (I did, once).

nowster · Oct 05, 2015, 23:03:11

Pretty poor show, given the small number of people who would be using it, and the very easy traceability of abuse.

Are you using the host smtp.idnet.net port 587? (or with SSL on 465)?

It looks like that host is supporting STARTTLS and AUTH PLAIN.

Keithj · Oct 05, 2015, 23:39:35

I was using smtp.idnet.com port 587 with SSL, ID, and password.
That still works when I'm at home on the IDNet VDSL, but won't work when off IDNet.

As you say, poor show.

Ray · Oct 06, 2015, 08:50:16

I don't have any problem sending password authenticated email via Idnet using my mobile on the EE network either, I'm using smtp.idnet.com on port 587 with TLS encryption.

Keithj · Oct 06, 2015, 10:08:29

VERY strange! My daughter's and mine (different IDs and passwords) both stopped working last Friday. When I contacted the IDNet helpdesk, they said the facility had been turned off for everyone because there had been complaints of spamming (not from us, just generic).

Maybe they are working down the list of customers and disconnecting them one by one. Or perhaps EE is "favoured" and O2, BTInternet and web.de aren't.

Gary · Oct 06, 2015, 10:32:12

Quote from: Ray on Oct 06, 2015, 08:50:16
I don't have any problem sending password authenticated email via Idnet using my mobile on the EE network either, I'm using smtp.idnet.com on port 587 with TLS encryption.

Same here, Ray.

Keithj · Oct 06, 2015, 11:19:02

Something to do with karma on here, perhaps. I just reset mine to those settings, and IDNet refused to process it from the O2 network. SMTP2GO worked fine.

Steve · Oct 06, 2015, 19:46:42

Another forum I use occassionally often ban O2 Ip addresses, I guess one bad penny and a whole block is banned.

nowster · Oct 07, 2015, 08:28:14

Now that's a possibility... They're applying spam filtering at the origin IP address level. But you should only do that for the SMTP port (25/tcp), and not apply it to authenticated sessions on the submission port (587/tcp).

mchunt_idnet · Oct 07, 2015, 12:03:58

Last week we introduced a new mail server to handle smtp.idnet.net and smtp.idnet.com.

As part of this upgrade we turned off support for the obsolete SSLv3 encryption protocol and enabled TLSv1.2 (in additional to TLSv1 & TLSv1.1), some very old mail clients may not handle TLS and these will need upgrading or replacing (Thunderbird Mac & PC has been tested and works fully).

We have not disabled authenticated authenticated email (SASL) so you can still send from non IDNet IP addresses and lots of customers are doing this successfully.

We no longer use the Hostkarma blocks for outgoing mail so access from mobile networks should be more reliable and sending via O2 is working fine from my phone.

If you are sending mail from a non IDNet email address using a non IDNet internet connection via our mail servers then active customers can add that email address into the 3rd party email addresses section within the customer portal to raise the quota and ensure connections are allowed.

Simon · Oct 07, 2015, 14:39:40

Thanks for the explanation, Martin. I'll put this in a separate post for reference.

nowster · Oct 07, 2015, 15:28:17

Removing SSLv3 is a good thing in my book.

Those with problems will have older email programs (look to updating) or may even be subject to man-in-the-middle monitoring from, say, a corporate firewall.

Keithj · Oct 14, 2015, 18:45:33

I just got back from an unplanned few days in hospital. I couldn't send e-mail from my non-IDNet address using IDNet on my iPhone. That only has the option "SSL" or "Not SSL". It was a pesky nuisance, saved by SMTP2GO.

I'll see if I can find how to add it into the 3rd party email addresses section within the customer portal.

It's a pity IDNet didn't write to customers to warn them, or to tell them how to fix it.