block SMTP port 25 from the server and change it to 587
Question asked by Mahesh Chavan - May 20, 2015 at 4:23 AM
Unanswered
I have added two ports for SMTP, 25 & 587. I don't want to send emails from port 25. When I block port 25 in SmarterMail and Windows Firewall, we stop receiving emails on the server.

Please suggest.

3 Replies

3
Per IETF specifications, port 25 is the ONLY port which can be used for two mail servers to communicate.
 
Port 25 MUST remain open or you will not be able to send or receive e-mail outside your mail server.
 
Port 25 cannot be disabled or closed for any reason.
Bruce Barnes
ChicagoNetTech Inc
brucecnt@comcast.net

Phone: (773) 491-9019
Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting
0
If you have a Gateway Server (for both Incoming and Outgoing) that your MX Records point to, then you can disable Port 25 on your primary SmarterMail Server, so long as no MX Records point to it.

To do this on your primary SmarterMail Server (assuming you have already enabled your Submission Port 587), go to SECURITY > BLACKLIST and add the range of IP addresses you do not want to accept Port 25 connections from (for example, if your Gateway Server is 192.168.1.15, you would blacklist 0.0.0.0 - 192.168.1.14 and 192.168.1.16 - 255.255.255.255) for SMTP only. This way all SMTP traffic on port 25 will be blocked, with the exception of your Gateway Server, which will still use Port 25 to connect to other Mail Servers (including your Primary).
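The reply above works out the two blacklist ranges by hand for a single gateway. The following is an added example (not code from the thread or from SmarterMail) that computes the same complement for any number of exempt hosts and then checks that none of the exempt hosts is caught by the generated ranges. The gateway address 192.168.1.15 is the one from the reply; the second gateway and the outside address used in the sanity check are constructed. Note that ranges starting at 0.0.0.0 also cover 127.0.0.1 and the primary server's own address, so add those to the exempt list if anything on the primary needs to reach its own port 25.

```python
import ipaddress
from typing import Iterable, List, Tuple


def _dotted(n: int) -> str:
    """Integer form back to dotted-quad text."""
    return str(ipaddress.IPv4Address(n))


def blacklist_ranges_excluding(exempt_hosts: Iterable[str]) -> List[Tuple[str, str]]:
    """Inclusive start-end IPv4 ranges covering every address except exempt_hosts.

    This is the complement the reply spells out for one gateway, generalised to
    any number of exempt hosts (sorted, duplicates removed). Integers are used
    internally so that stepping past 255.255.255.255 does not overflow an
    IPv4Address object.
    """
    exempt = sorted({int(ipaddress.IPv4Address(h)) for h in exempt_hosts})
    last = int(ipaddress.IPv4Address("255.255.255.255"))
    ranges: List[Tuple[str, str]] = []
    cursor = 0  # first address not yet assigned to a range
    for host in exempt:
        if host > cursor:
            ranges.append((_dotted(cursor), _dotted(host - 1)))
        cursor = host + 1
    if cursor <= last:
        ranges.append((_dotted(cursor), _dotted(last)))
    return ranges


def is_blacklisted(addr: str, ranges: Iterable[Tuple[str, str]]) -> bool:
    """True if addr falls inside any of the inclusive ranges."""
    n = int(ipaddress.IPv4Address(addr))
    return any(int(ipaddress.IPv4Address(lo)) <= n <= int(ipaddress.IPv4Address(hi))
               for lo, hi in ranges)


if __name__ == "__main__":
    # First list is the gateway from the reply; the second list adds a
    # constructed second gateway to show the general case.
    for gateways in (["192.168.1.15"], ["192.168.1.15", "192.168.1.16"]):
        ranges = blacklist_ranges_excluding(gateways)
        print("exempt:", ", ".join(gateways))
        for lo, hi in ranges:
            print(f"  blacklist {lo} - {hi}  (SMTP only)")
        # Sanity check: every gateway passes, an outside host (constructed) is refused.
        assert not any(is_blacklisted(g, ranges) for g in gateways)
        assert is_blacklisted("203.0.113.9", ranges)
```

The ranges are printed in the start - end form the blacklist takes; they are not applied anywhere by this script.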
0
What you need to do is set an outbound rule on your firewall to allow TCP port 25 ONLY from your mail server IP address, and DENY TCP port 25 from ALL other IP addresses on your internal network. As a result, any infected computer on your network will be unable to spam the rest of the world and cause your IP to be blacklisted.

The allow rule for your mail server must be above the deny rule, as rules are processed from the top down. When a packet reaches your firewall it will be checked against the first rule: the port and IP addresses will be checked, and if it is from your mail server it will be passed out. If it does not match, it will be passed to the next rule, which will be the deny rule for port 25, and it will be blocked/dropped.

Hope this helps.
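The point of the reply above is rule ordering: the narrow allow must sit above the broad deny or the deny shadows it. The following is an added example (not code from the thread, and not tied to any particular firewall product) that evaluates outbound packets against a rule list top-down, first match wins, and shows what happens to the same traffic when the two rules are swapped. The mail server address 192.168.1.10, the LAN 192.168.1.0/24, the sample traffic and the "allow" default for traffic no rule matches are all assumptions for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Rule:
    """One outbound firewall rule: action, protocol, source network, destination port."""
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # source network in CIDR form
    dport: Optional[int]   # destination port; None matches any port


def evaluate(rules: Sequence[Rule], proto: str, src: str, dport: int,
             default: str = "allow") -> Tuple[str, Optional[int]]:
    """First-match, top-down evaluation of one outbound packet.

    Returns (action, index of the rule that decided it); the index is None when
    no rule matched and the default applied. The "allow" default is an
    assumption: the reply only constrains port 25 and says nothing about
    other outbound traffic.
    """
    src_addr = ip_address(src)
    for index, rule in enumerate(rules):
        if rule.proto != "any" and rule.proto != proto:
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        if src_addr not in ip_network(rule.src):
            continue
        return rule.action, index  # first match wins; later rules are not consulted
    return default, None


def shadowed_rules(rules: Sequence[Rule]) -> List[int]:
    """Indexes of rules that can never match because an earlier rule on the same
    protocol and port already covers their whole source network."""
    dead = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            same_proto = earlier.proto in ("any", later.proto)
            same_port = earlier.dport is None or earlier.dport == later.dport
            if same_proto and same_port and ip_network(later.src).subnet_of(ip_network(earlier.src)):
                dead.append(i)
                break
    return dead


# Assumed addressing (not from the thread).
MAIL_SERVER = "192.168.1.10/32"
LAN = "192.168.1.0/24"

# The order the reply recommends: narrow allow above broad deny.
RULES_CORRECT = [
    Rule("allow", "tcp", MAIL_SERVER, 25),
    Rule("deny", "tcp", LAN, 25),
]

# Same two rules, wrong order: the deny shadows the allow and the mail
# server itself can no longer deliver outbound on port 25.
RULES_SHADOWED = [
    Rule("deny", "tcp", LAN, 25),
    Rule("allow", "tcp", MAIL_SERVER, 25),
]


if __name__ == "__main__":
    # Constructed sample traffic: the mail server relaying out, an infected
    # workstation spamming direct-to-MX, and a workstation submitting on 587.
    samples = [("tcp", "192.168.1.10", 25), ("tcp", "192.168.1.57", 25), ("tcp", "192.168.1.57", 587)]
    for name, rules in (("correct", RULES_CORRECT), ("shadowed", RULES_SHADOWED)):
        print(f"--- {name} order; rules that can never match: {shadowed_rules(rules)}")
        for proto, src, dport in samples:
            action, idx = evaluate(rules, proto, src, dport)
            print(f"{src} -> port {dport}/{proto}: {action} (rule {idx})")
```

`shadowed_rules` is the check to run before pushing a rule set: a rule that is a strict subset of an earlier rule on the same protocol and port can never fire, which is exactly the mistake of putting the deny first.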
