Block SMTP port 25 from the server and change it to 587
Question asked by Mahesh Chavan - 5/20/2015 at 4:23 AM
Unanswered
I have added two ports for SMTP, 25 and 587. I don't want to send emails from port 25. When I block port 25 in SmarterMail and Windows Firewall, we stop receiving emails on the server.

Please suggest.

17 Replies
0
Brian Ellwood Replied
Port 25 accepts emails from and sends email to other mail servers (MX). Port 587 is used by users to authenticate and relay mail through the server.

If you block 25, your mail server will not be able to receive email from any other mail server nor send email to any other mail server.
0
Mahesh Chavan Replied
Thanks for the reply, but many people suggest blocking port 25 to stop outgoing spam?
3
Bruce Barnes Replied
Per IETF specifications, port 25 is the ONLY port which can be used for two mail servers to communicate.
 
Port 25 MUST remain open or you will not be able to send or receive e-mail outside your mail server.
 
Port 25 cannot be disabled or closed for any reason.
Bruce Barnes
ChicagoNetTech Inc
brucecnt@comcast.net

Phone: (773) 491-9019
Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting
0
Brian Ellwood Replied
Blocking outbound port 25 stops all outbound email, period.
0
Scarab Replied
If you have a Gateway Server (for both Incoming and Outgoing) that your MX Records point to, then you can disable Port 25 on your primary SmarterMail Server so long as no MX Records point to it.

To do this on your primary SmarterMail Server (assuming you already enabled your Submission Port 587) you would go to SECURITY > BLACKLIST and add the range of IP addresses you do not want to accept Port 25 connections from (for example, if your Gateway Server is 192.168.1.15 then you would blacklist 0.0.0.0 - 192.168.1.14 and 192.168.1.16 - 255.255.255.255) for SMTP only. This way all SMTP traffic from port 25 will be blocked with the exception of your Gateway Server, which will still use Port 25 to connect to other Mail Servers (including your Primary).
0
Norbert Williams Replied
What you need to do is set an outbound rule on your firewall to allow TCP port 25 ONLY from your mail server IP address; DENY TCP port 25 from ALL other IP addresses on your internal network. As a result any infected computer on your network will be unable to spam the rest of the world and cause your IP to be blacklisted.

The allow rule for your mail server must be on top of the deny rule, as rules are processed from the top down. When a packet reaches your firewall it will be checked against the first rule, and the port and IP addresses will be checked. If it is from your mail server it will be passed out; if it does not match it will be passed to the next rule, which will be the deny rule for port 25, and will be blocked/dropped.

Hope this helps.
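
The rule order described in the reply above, as an added example that is not part of the original thread: a small first-match evaluator showing what happens when the allow and deny rules are swapped, plus a check for rules that can never match. The addresses, the `Rule` model and the default-allow policy for unmatched traffic are assumptions made for illustration, not any particular firewall's syntax.

```python
import ipaddress
from typing import NamedTuple

class Rule(NamedTuple):
    action: str   # "allow" or "deny"
    src: str      # source network in CIDR form
    dport: int    # destination TCP port

MAIL_SERVER = "192.168.1.10/32"  # constructed address for the mail server

# Order described in the post: allow the mail server, then deny everyone else.
CORRECT = [Rule("allow", MAIL_SERVER, 25), Rule("deny", "0.0.0.0/0", 25)]
# Same two rules with the order swapped.
REVERSED = list(reversed(CORRECT))

def decide(rules, src_ip, dport, default="allow"):
    """Return the action of the first rule matching the packet (top-down)."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule.dport == dport and ip in ipaddress.ip_network(rule.src):
            return rule.action
    return default  # no rule matched: fall through to the assumed default policy

def shadowed(rules):
    """List rules that can never match because an earlier rule on the same
    port already covers their whole source range."""
    hits = []
    for i, later in enumerate(rules):
        later_net = ipaddress.ip_network(later.src)
        for earlier in rules[:i]:
            if earlier.dport == later.dport and later_net.subnet_of(
                    ipaddress.ip_network(earlier.src)):
                hits.append(later)
                break
    return hits

if __name__ == "__main__":
    for name, rules in (("correct", CORRECT), ("reversed", REVERSED)):
        print(name,
              "| mail server:", decide(rules, "192.168.1.10", 25),
              "| workstation:", decide(rules, "192.168.1.50", 25),
              "| shadowed:", shadowed(rules))
```

With the rules reversed, the broad deny matches first, so the mail server's own port 25 traffic is dropped and the allow rule is reported as shadowed.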
0
Mahesh Chavan Replied
Thanks for the reply. Can you please give me a screenshot of any sample firewall? It would be great.
0
Norbert Williams Replied
What firewall do you use?
0
Mahesh Chavan Replied
Windows
0
Norbert Williams Replied
If I understand you correctly, you have SmarterMail running on your PC? If so, I would highly recommend running a separate firewall.
0
Mahesh Chavan Replied
I have installed SmarterMail on Windows Server 2012.
0
Norbert Williams Replied
Do you have a separate firewall connected to your modem?
0
Mahesh Chavan Replied
This is a dedicated server.
0
Mahesh Chavan Replied
http://postimg.org/image/dftbb0v15/full/
0
Mahesh Chavan Replied
Assume 8.8.8.8 is the local IP.
0
Norbert Williams Replied
What firewall device do you have? Is it a Cisco, pfSense, Netgear, ???
0
Norbert Williams Replied
The firewall on your Windows server will do nothing about other computers on your network. You MUST have a SEPARATE firewall to manage your outbound LAN traffic.