Oshunluvr,

On the Pi I have two config files:
/etc/ssh/ssh_config
/etc/ssh/sshd_config

Do I change port 22 to whatever in both of those, and then edit ~/.ssh/config on my laptop?

Changed the port in /etc/ssh/sshd_config and restarted sshd.

Added the following to my ~/.ssh/config :

Changed the port on my router's firewall.

Everything works!

I periodically scan the forums at www.dslreports.com and similar sites to find out what people report about Comcast, my ISP. Their T&Cs regarding servers can be interpreted in different ways. The conventional wisdom is that if you don't exhibit obvious misbehavior, they'll pretty much leave you alone. Especially if you're a long-time customer with a good track record of paying the monthly bill on time. Since SMTP and SSH tend to attract a lot of abuse, the extra steps I've taken to reduce my attractiveness to bad guys seems wise.

Yes, that's right.

Various ways... running an open relay, sending high volumes of mail from dynamic IP pools, having your MX record resolve to a dynamic pool, not having a PTR record for your mail server. These are the more common things the block list maintainers look for.

Yeah the research I did at the time indicated that most ISPs operate like this - you're fine until they notice you, and they won't notice you unless you cause them a problem (by using too much bandwidth etc). Fair enough really.

That makes sense, thanks for explaining why you've set things up the way you have.

What exactly is an open relay? Is that just a forwarding point from one mail server to the next, or somewhere that allows anyone to send mail (from foo@yourdomain.com)?

That's the first I've heard of PTR records. I read this:

http://aplawrence.com/Blog/B961.html

and then tried this:

If my PTR record was set up properly, the answer section for dig -x should show samhobbs.co.uk, right? The article indicates that my ISP controls the PTR record, I'm not sure if I'm able to change it.

I guess that's one more reason to use a relay?

Feathers

Say you have a server hosting mail for foo.com. If someone can connect to your mail server and send mail from alice@bar.net to bob@qux.org, then your server is an open relay: neither the sender nor the receiver have addresses in foo.com. This was one of the original techniques spammers used years ago. Nowadays, it'll land you on a block list within hours.

To not be an open relay, the server must block such attempts. You do this by configuring it to require that one of the addresses be in the foo.com domain. There's plenty of material on the web that documents correct Postfix settings for this. The iRedMail script sets it properly, and so does Ubuntu's mail-stack-delivery package.

You can test your setup by telneting to your mail server on whatever port it listens for incoming connections and engaging it in a brief SMTP conversation. Below, the bold items are my typing. You'll see that neither the sender nor the receiver are in my domain, and that the server therefore rejects my attempt:

Press Ctrl+RightBracket to get the telnet> prompt, and then enter quit.

Right -- you don't own your IP address, your ISP does. They control allocation. So while it's possible to have any number of A records that all resolve to the same IP address, only one PTR record can exist for that address. The PTR record is maintained in the DNS server of the entity that owns that address range.

Different receiving mail servers handle the existence of PTRs in different ways. Almost every server these days requires some kind of response; some actually compare what's in the EHLO statement to the rDNS result and require that they match. Wikipedia's brief discussion of PTR/reverse DNS checks is a good place to start learning more.

The beauty of using a relay service (like Dyn) is that they take care of this for you.

Thanks for the explanation.

Just checked, and it's all good - I also get a relaying denied response.

Shame I can't change the PTR, I may have to look into Dyn or a similar service if I have any problems sending mail.

Feathers