Allow exchange | mail flow in and out of the firewall

    Question

  • Hi all,

    I am getting myself a little confused here.

    I have an Exchange server and I have a firewall (the make and model is not relevant, but it's an ASA).

    I understand that the firewall needs to allow port 25 | SMTP outbound.

    However... what ports do I need to allow inbound on the firewall? Assuming the MX record points directly to the public IP address of the Exchange server and NOT some other third-party mail service such as Mimecast or Trend Hosted Email Security.

    My understanding is that if I use a third party such as Mimecast or Trend Hosted Email Security, I can lock down the firewall and allow only the Mimecast or Trend public IP addresses inbound connections to my Exchange server.

    To summarise, what ports do I need to enable inbound on my firewall for Exchange to be able to receive mail?

    Thanks in advance.

    Thursday, September 29, 2016 11:16 AM

Answers

  • port 25.

    Thursday, September 29, 2016 11:39 AM
  • OK, so I need to allow port 25 in and out?

    What about locking down to specific IP addresses inbound? I am overthinking this, I am sure...

    If the MX is pointing to the public IP address of the Exchange server, how is it possible to lock down port 25 to a specific range of IP addresses?

    You don't want to lock down specific IPs to the Exchange server unless you are using an SMTP gateway in front of Exchange that accepts mail from the internet. Then you can lock down the IP to that gateway. Port 25 both in and out.

    Thursday, September 29, 2016 9:10 PM
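
The two cases from the answer above, written as ASA access rules. This is an added example, not configuration from the thread: it assumes ASA 8.3 or later (ACLs reference the server's real inside address), an existing static NAT for the Exchange server, and an outside interface named `outside`. The object names and all addresses are constructed placeholders; real gateway ranges come from the filtering provider's published list.

```cisco
! Constructed placeholder: real (inside) address of the Exchange server
object network EXCHANGE
 host 10.0.0.25

! Constructed placeholders: public ranges of the hosted SMTP gateway
object-group network MAIL_GATEWAYS
 network-object 198.51.100.0 255.255.255.0
 network-object 203.0.113.0 255.255.255.0

! ---------------------------------------------------------------
! Case 1: MX points directly at the Exchange server's public IP.
! Any internet mail server may connect, so the source must be "any".
! ---------------------------------------------------------------
access-list OUTSIDE_IN extended permit tcp any object EXCHANGE eq smtp

! ---------------------------------------------------------------
! Case 2: MX points at a hosted SMTP gateway that relays to Exchange.
! Use these two lines INSTEAD of the Case 1 line: only the gateway
! ranges may reach port 25, and everything else is denied and logged.
! ---------------------------------------------------------------
access-list OUTSIDE_IN extended permit tcp object-group MAIL_GATEWAYS object EXCHANGE eq smtp
access-list OUTSIDE_IN extended deny tcp any object EXCHANGE eq smtp log

! Bind the ACL to inbound traffic on the outside interface
access-group OUTSIDE_IN in interface outside

! Outbound port 25 from the inside network is permitted by the ASA's
! default inside-to-outside behaviour unless an ACL on the inside
! interface restricts it.
```

In Case 2 the deny line only has an effect if the Case 1 permit has been removed; `show access-list OUTSIDE_IN` shows the hit counters for each line so you can confirm which rule inbound SMTP is matching.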
  • Hi hyperNoddy,

    Maybe the following article could give you some hints:

    Network ports for clients and mail flow in Exchange 2013

    Best Regards,


    Niko Cheng
    TechNet Community Support


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, September 30, 2016 8:37 AM
    Moderator

All replies

  • OK, so I need to allow port 25 in and out?

    What about locking down to specific IP addresses inbound? I am overthinking this, I am sure...

    If the MX is pointing to the public IP address of the Exchange server, how is it possible to lock down port 25 to a specific range of IP addresses?

    Thursday, September 29, 2016 8:05 PM
  • Thank you, that is exactly what I thought but just could not agree with myself!

    I also knew it was port 25 outbound but I had in my head it was another port inbound for some reason.

    Friday, September 30, 2016 4:29 AM