Can you run your own SOHO E-Mail Server?

Can you run your own SOHO E-Mail Server?

Summary: Of course, you can... if your ISP will let you do it.


I've been running my own e-mail servers for decades. After all, back in the 80s I was helping run NASA Goddard Space Flight Center's e-mail systems and let me tell you in those days it wasn't easy! Today, thanks to easy e-mail servers such as CapeSoft Email Server, hMailServer, and Zimbra pretty much any tech savvy user can run an e-mail server. Heck, if you're a step above a power user you can even run OpenExchange and fully support Outlook users without breaking a sweat. If, that is, your Internet Service Provider (ISP) will let you do it.

As a recent Slashdot reader found out, many ISPs won't let you run your own mail server. Specifically they block port 25, the Simple Mail Transfer Protocol (SMTP) port, which is used for sending mail. If you can't send mail, there's not much point in having a mail server.

While some Slashdot readers were outraged by this, there's nothing new here. Comcast, AT&T, and Cox to name but a few ISPs, block port 25 as a matter of course and they've done it for years. Why? As one person put it, "Most ISPs block outgoing port 25 because 99.99% of that traffic is viruses or otherwise malicious computers trying to send spam. Even more mail services block all dynamic pools used by major ISPs because of the same reason."

He's right of course. Many Windows malware programs and botnets attempt to send spam via port 25. Indeed, most botnets are designed expressly to send spam. Indeed last year, Daren Lewis, a Symantec security analyst found that 80 percent of all spam is sent by these the 10 spam botnets use about five million Windows PCs to send out 135 billion spam messages a day. So, who can blame most ISPs for just blocking port 25?

Well, those few users who do know enough to run their own mail servers from their SOHO (small office/home offices) and small businesses can and do blame them. If you're like me, Gmail may all fine and dandy, but you like having real control over your mail, mailing lists, and the like. So what can you do?

Well, for starters, you can avoid using port 25, and use port 465 instead for secure SMTP. It's far rarer, but not unknown, for ISPs to block this port. It's also makes your outgoing e-mail much harder for any would-be spies to read.

My own answer for many years has been to run my own SMTP server from a hosted server. If, as has happened, my ISP tries to block my mail clients from using ports 25 or 465 to get to it, I call them up, fight my way through technical support to two levels above the usual tech.  support suspects and ask for the ports to be opened. So far, I'm batting 1.000 with this approach.

If for some reason they wouldn't do it, I'd--while looking for a new ISP--I'd switch my e-mail server and client ports to another port, say 2525, and use it instead.

If you're not sure if it's your ISP, or maybe you thanks to a firewall or mail server setting blunder, I highly recommend using MXToolbox an online set of e-mail trouble-analysis tools to get a handle on where the problem is happening. If it is your ISP, get on the phone. If it's not, there are far too many possible problems for me to try to give you even a sketch of what might be wrong. Odds are though if you've been mailing along without any trouble and then your mail server and/or clients can't connect, that it's your ISP and they've just blocked one or more of the SMTP ports. Good luck!

Topics: Browser, Collaboration, Enterprise Software, Security, Servers, Software, Telcos

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Hmmmm

    I just bought and installed MS Small Business Server. Exchange works well and it's easy to set up ;-)
  • Been running postfix on AT&T for years

    Postfix on Linux is probably the best and most secure e-mail server there is. I've been using it on AT&T DSL and now U-Verse for 6-1/2 years. Here's what you need to do:

    1) Get at least one static IP address with AT&T (I have 5)
    2) Run your own primary and secondary DNS servers, or use your registrar's DNS functionality. Set up both forward and reverse DNS entries, and the MX entry for your domain's mail server. It's very important that you have your ducks in a row here, because most mail servers will do a reverse DNS lookup on you, and toss any email coming from an IP address whose reverse DNS doesn't match the domain you're claiming to be sending email from.
    3) Tell AT&T not to block port 25 on your static IPs. This requires a support ticket, but they'll do it for you.
    4) Tell AT&T to delegate the reverse DNS for your block of IPs to your (or your registrar's) DNS servers. If you don't do this, the reverse DNS lookups on your IPs will give some generic name within AT&T's reverse DNS naming scheme. You don't want that -- you want it to give the domain name of the mail server host when you do a reverse DNS lookup on the mail server's IP address. Again, getting the reverse DNS delegated to your server requires a support ticket, but AT&T will do it if you ask -- as long as you're paying the extra $5 - $15/month for the static IP addresses, which you'll have to have in order to run a mail server any way.
    5) Once everything's up and running, use mxtoolbox or some other online mail server testing facility to test your setup. Fix whatever's wrong.
    6) I recommend installing DomainKeys and DKIM if you plan to send to any of Yahoo's domains. Fail to do this, and your emails will get dropped like a hot potato.
    • RE: Can you run your own SOHO E-Mail Server?

      I agree with most of what you've said. You will need a static IP, although in my experience you don't necessarily need a correct RDNS or DomainKeys/DKIM IF you have SPF properly implemented.

      I recently switched providers and purposefully did not request a customized RDNS entry (yet) just to see if I had any problems sending e-mail. After three weeks I'm still OK. I also just checked sending to a email address and that also worked OK.

      I do have SPF properly implemented, and I'm running Microsoft SBS 2003 (Exchange).

      My domain and website are hosted at one of the large providers and I use their DNS servers with an MX record pointing to the external static IP of my server.

      For inbound spam filtering I use several of the free RBL's via Exchange's built in connection filtering and that seems to stop 98% or more of the junk. Overall things work very well.
    • RE: Can you run your own SOHO E-Mail Server?

      @roncemer "recommend installing DomainKeys and DKIM if you plan to send to any of Yahoo's domains. Fail to do this, and your emails will get dropped like a hot potato. "

      Yes, and that will only become more common as time rolls by--but DomainKeys & DKIM is a story for another day.

    • Sendmail & dovecot

      Static IP (not dynamic dns rubbish), tell ISP to open outgoing 25 (might require a "business" plan), set static IP's reverse DNS to the MX record (most ISP will do this for you), or use ISPs reverse DNS entry, use a SPF record.

      Last two points essential for spam.

      Mac mini with OS X Server is great price (unlimited client license unlike Exchange). Includes open calendaring server (unlike Linux - groan). CentOS the budget option. MS Exchange for the comedy and frustration.

      Set sendmail to receive authenication email on port 587 and use this port when configuring outgoing email on desktop clients (users will typically have outgoing port 25 blocked).
      Richard Flude
  • Message has been deleted.

    Tim Cook
    • RE: Can you run your own SOHO E-Mail Server?

      @Mister Spock
      If its linux then you can guarantee port 23 will be wide open.
      Loverock Davidson
      • RE: Can you run your own SOHO E-Mail Server?

        @Loverock Davidson
        Port 23 is closed, Idiot.
      • Hard to Believe

        @Loverock Davidson
        I find it hard to believe that you know enough to know what the default telnet port is and don't know enough to realize that the telnet is pretty much never used or left open on an Internet facing network port. That's why they invented ssh. You must know this, so you must just be trolling or trying to spread misinformation.
    • Find a Spam Sending Linux Malware and We'll See

      @Mister Spock
      Sending spam usually isn't worth it without a botnet, and botnets have never been successful enough on Linux to be worth bothering with.
  • RE: Can you run your own SOHO E-Mail Server?

    I've discussed how to check if your mail server looks like a spam source and legal, management and economics issues of running your own mail server in these two articles:

    Marco F.
  • RE: Can you run your own SOHO E-Mail Server?

    I've been running my own SOHO e-mail server (sendmail on Linux) for about ten years. The only spam problems I have are 1) inbound and 2) the twit who had my IP address before me wasn't careful so my IP address was in several RBLs.

    All is good now. My IP address is out of at least the most commonly used RBLs and my wife and I have our own e-mail server. Really nice for doing things like setting up aliases, dummy accounts if we need a throw away e-mail address, etc.

  • It's just simply too expensive

    A static IP alone would cost more than 200 USD/month from any of my local ISPs....
    • Re: It's just simply too expensive


      Say what? I think I'm paying my ISP an extra $5 or $10 a month for a static IP address. We are talking a SOHO server here so I'm assuming you'll just have a DSL or cable connection.

  • Missing the point

    You seem to be missing the point of port 25 being blocked. It's not about your own systems connecting to your server to send mail out - as you point out, it's trivial to change your configuration to use just about any port at all for this purpose. The issue is when you're 'running your own server' in the sense of getting an MX record and accepting mail from anywhere for delivery to your own domain. If you own and you want to run a mail server so that can send an email to , you're going to need port 25, because Google is going to try and connect to your server on port 25 to deliver that mail. There is no way you can tell Google to go and connect to a different port; that's just not an option in the relevant specs. Email gets delivered on port 25, and that's all there is to it.

    If you can't get a service from your ISP that comes with port 25 unblocked, what you can do is use No-IP's Mail Reflector service - . It's not particularly cheap, but it is cheaper than getting a hosted server, probably. Of course it's not cheaper than just giving up and letting Google do it for you, but then where's the fun in that.

    The other issue you don't mention is spam blacklist services, which often list IP blocks known to be used by residential ISPs. Many ISPs will run mail through something like SpamAssassin, and if it sees the mail originated from an IP range marked by one of the popular blacklisting services, that'll hurt its score. There's not much you can do about that besides, again, getting some service from your ISP, usually their static IP or business option, which gives you an IP from outside the consumer pool.
  • We Use hMailServer to Get Around Port 25

    Our hosting provider handles our business email, but we needed to setup an email server for a unique purpose. One of our core applications has the ability to send email notifications, which are critical to our business operations and which occur randomly throughout the day and night. However, the application is limited to port 25, which our ISP blocks, of course. The provider of the application hasn't provided a solution that allows email on any other port, so we came up with our own free and (relatively) easy workaround.

    I installed hMailServer on the same workstation that has the application that sends emails. I have zero experience setting up email servers, but I muddled through it and it works. Essentially the application sends the email to the email account we have setup on hMailServer. From there, it automatically relays to our hosted email. We receive the email notifications within 15-30 seconds from when the application first sends it.

    This solution doesn't do away with outside email services altogether, but it does solve the Port 25 issue. The other solution, as indicated by @DaveAtFraud , is a static IP, which is not that expensive.