SMTP Nightmare Before Christmas
13:59 Thursday, 5 January 2006
Just before Christmas we stayed in a very nice hotel with very little clue about what is going on with their network. To cut down on the support calls to their “IT Butler”, they had, via their network service provider, re-directed all SMTP port 25 traffic to the service provider’s open-relay SMTP server.
I discovered this because Thunderbird was giving me pop-up errors about failure to authenticate. I run my own secure mail server, so I spent about an hour logged in via ssh testing the various email functions. All seemed to be fine. Strange, still getting authentication errors. So then I tried telnetting to port 25 on my server via the hotel network. Aha! That’s not my server.
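The telnet check described above, turned into a small script (an added example, not code from the original post): it reads the 220 greeting from port 25 of your own server and compares the announced hostname with the one you dialled, then issues STARTTLS so the TLS library checks the certificate against that same name, which exposes a redirect even when the banner has been copied. It assumes your server offers STARTTLS with a valid certificate; `client.invalid` is a placeholder EHLO name.

```python
import socket
import ssl

def parse_greeting(line):
    """'220 mail.example.com ESMTP Postfix' -> (220, 'mail.example.com'); hostname '' if absent."""
    parts = line.strip().split(maxsplit=2)
    if not parts or not parts[0].isdigit():
        raise ValueError("not an SMTP reply: %r" % line)
    return int(parts[0]), (parts[1] if len(parts) > 1 else "")

def looks_redirected(greeting, expected_host):
    """True when the greeting is not a 220 from the host we dialled (case-insensitive)."""
    code, host = parse_greeting(greeting)
    return code != 220 or host.lower() != expected_host.lower()

def read_reply(f):
    """Read one (possibly multi-line) SMTP reply from a binary file object -> (code, lines)."""
    lines = []
    while True:
        line = f.readline().decode("ascii", "replace").rstrip("\r\n")
        if len(line) < 4:
            raise ConnectionError("connection closed or malformed reply: %r" % line)
        lines.append(line)
        if line[3] == " ":  # a space after the code marks the last line of the reply
            return int(line[:3]), lines

def check_mail_server(expected_host, port=25, timeout=10):
    """Dial expected_host:port, compare the greeting with the dialled name, then STARTTLS so TLS verifies the cert."""
    findings = {"greeting": None, "banner_mismatch": None, "tls_ok": None, "tls_error": None}
    with socket.create_connection((expected_host, port), timeout=timeout) as sock:
        f = sock.makefile("rb")
        _, greet = read_reply(f)
        findings["greeting"] = greet[0]
        findings["banner_mismatch"] = looks_redirected(greet[0], expected_host)
        sock.sendall(b"EHLO client.invalid\r\n")  # .invalid is a reserved placeholder name
        read_reply(f)
        sock.sendall(b"STARTTLS\r\n")
        code, _ = read_reply(f)
        if code != 220:
            findings["tls_error"] = "server refused STARTTLS (reply %d)" % code
            return findings
        ctx = ssl.create_default_context()  # verifies the chain and the hostname
        try:
            with ctx.wrap_socket(sock, server_hostname=expected_host) as tls:
                findings["tls_ok"] = True
                tls.sendall(b"QUIT\r\n")
        except ssl.SSLError as exc:  # includes SSLCertVerificationError: wrong server
            findings["tls_ok"] = False
            findings["tls_error"] = str(exc)
    return findings
```

Run `check_mail_server("mail.example.com")` once from the hotel network and once from a network you trust; a changed greeting or a failed certificate check is the redirect.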
After I picked myself up off the floor, a feeling of dread came over me. Dread because I knew I was going to have to explain what was happening to someone who has no clue, namely the dreaded IT Support. So I call the “IT Help Desk”:
Them: IT help desk. How can we help?
Me: Your network is re-directing SMTP traffic.
Them: What?
Me: Email is not working.
Them: Your email software must be setup wrong. What computer are you using?
Me: A Mac.
Them: Oh, a Mac…
Me: My settings are right. It’s your network that is wrong.
Them: We’re sending someone to your room to check your settings.
Me: Please send someone who knows about networks.
Them: Of course sir.
I get a phone call five minutes later. “Sir, this is IT support, you have the do not disturb sign on your door. I didn’t want to knock and disturb you.” It’s a really great hotel. Anyway, the “expert” arrives. You know you’re getting old when the IT support people start looking like they’re on school vacation. He’s got a PC under his arm.
Him: What seems to be the problem?
Me: Your network is re-directing SMTP traffic.
Him: Eh?
Me: Look here if I telnet…
Him: You need to set up an SMTP server.
Me: I have an SMTP server set. It’s not connecting. It’s re-directing.
Him: What software are you using?
Me: Thunderbird.
Him: Oh, Thunderbird on a Mac…
Half an hour and one tutorial on networks later, he finally gets the idea of re-direction. Of course, he can’t do anything because they buy this service from a local ISP. But he can call the ISP support people. Eventually I convince him to let me talk to the ISP directly.
Me: You’re re-directing SMTP traffic.
ISP: Yes we are.
Me: Why?
ISP: Too many people called IT Support with problems sending email.
Me: Please turn it off.
ISP: OK.
Grrr. OK, so now I can send email. This is all happening in the early hours of the morning. When I wake up they’ve turned re-direction back on. I call, they turn it off. We go out for the day. When we get back they’ve turned it back on… This goes on every day of our stay.
I wrote a letter to the hotel management explaining what’s happening with their network. The management, of course, had no idea what was going on. But they discussed it with the IT department, who assured them that this is the best solution to their guests’ email problems. The IT department is obviously work-shy.
There are so many things wrong with this practice…
There was no warning: to get on to the network you have to agree to pay and to something like a EULA, but nowhere does it say: “Oh, by the way, we’re going to re-direct all your email somewhere...”
It defeats the purpose of having support: this moves the support calls away from those that need support to those that do not, frustrating both groups.
It is a security risk: you think your email is heading somewhere, but in fact the ISP has it on their servers, about which you know nothing in security (or any other) terms. This alone surely has legal/liability implications for the hotel, since guests are blind to what is happening.
The ISP’s server was an open relay. Great for spammers.
It turns out that most of the calls to IT support in the hotel are from people unable to send email. That is, they brought their laptop from home or from the office and it doesn’t work. So that means that they can’t reach the SMTP server that is configured in their email client. Why would that be? Either it is a business server not accessible from outside the corporate network, in which case this is correct behaviour and you need to use the corporate VPN. Or their home ISP does some kind of IP address check that refuses connections from their remote hotel IP. Of course, if the ISP used proper authentication (it’s not hard, folks) they could drop the IP check.
The answer to this problem (and many others) is to isolate yourself from the hosting network with a VPN.
Another tip: take an Airport Express with you when you travel. It has built-in NAT giving you peace of mind. And it is wireless so you can work lying on the bed rather than sitting at the poorly designed uncomfortable desk/chair combination that inhabits every hotel room.
A week later I get an email from the hotel MD telling me that the above practice has been stopped.