SMTP Port - Security Issues

  • Question

  • Dear Team,

    I want to discuss a problem related to SMTP port 25. We have a requirement that any internal network address other than those allowed in the relay connector in Exchange should not be able to access port 25 and send emails. Only the relay servers should be allowed.

    How can we provide a permanent fix or a solution? Is there an option other than blocking the port 25 for the said internal networks?

    Monday, October 21, 2019 3:54 PM

All replies

  • You will want to ensure that only mail servers that will send messages over SMTP over port 25 to other servers on the Internet are allowed to do so. You also want to prevent other SMTP ports (465 and 587) from exiting the network. Those ports should only be allowed to communicate with Exchange inside your network (unless you're working with Hybrid, in which case you can allow it to O365).

    The reasoning here is that spam bot trojans can only function over port 25 because that is what all servers use to transmit email. If you allow port 25 out for anything other than the mail server, those bots will function and result in your mail IPs getting blacklisted for spam.

    As to whether there is another method for mitigating this issue? Not really. Blocking port 25 is a very simple, low-cost solution that completely eliminates the risk associated with spam generating trojans. You may consider configuring your firewall to allow port 25 but send an alert to administrative staff when an email traverses the firewall from an IP other than your mail servers, but this would be a reactive solution that doesn't eliminate the problem.

    Monday, October 21, 2019 4:46 PM
  • Hello Adam,

    Thanks for your time in replying to my post.

    We do not have a hybrid setup. The requirement is that SMTP port 25 should work only from the application servers that are allowed to relay. It should not work from any other servers or PCs. Is there any Microsoft document or URL which says that, other than blocking port 25, there are no other options to be configured in the Exchange Server?

    I couldn't find any TechNet article which says so. It would be great if you can share any such thing.

    Thank you

    SJ

    Monday, October 21, 2019 7:20 PM
  • Hi,

    The Default Frontend Receive connector doesn't allow relay by default. If you want to enable relay, you need to add the "Ms-Exch-SMTP-Accept-Any-Recipient" extended right to it first.

    We don't suggest editing the default Receive connector. If you want to relay email through your Exchange server, the best practice is to create another Receive connector. For this connector, you can modify its Remote network settings so that it only listens to requests from specific IP addresses rather than 0.0.0.0-255.255.255.255; in this way, only external users from specific IPs could use your Exchange server to relay emails.

    Regards,

    Kyle Xu


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Tuesday, October 22, 2019 5:56 AM
    Moderator
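    An added Exchange Management Shell example (not from this thread) that implements the dedicated-connector approach described above and then audits every Receive connector for anonymous relay rights; the server name "EX01" and the IP ranges are assumed placeholders.

```powershell
# Added example, not from the thread: create a dedicated relay connector
# scoped to the application servers, grant relay rights only there, and
# audit all connectors for open relay. Server name and ranges are assumed.

$Server    = "EX01"
$RelayName = "Relay from application servers"
# Constructed example ranges; replace with the real relay-allowed hosts.
$RelayHosts = @("10.20.30.11", "10.20.30.12", "10.20.31.0/24")

# 1. Dedicated Frontend connector on port 25, limited to the relay hosts.
#    Exchange routes a session to the connector whose RemoteIPRanges matches
#    the client most specifically, so these hosts land here and every other
#    internal address keeps hitting the default connector, which has no
#    relay right.
New-ReceiveConnector -Server $Server -Name $RelayName `
    -TransportRole FrontendTransport -Usage Custom `
    -Bindings "0.0.0.0:25" -RemoteIPRanges $RelayHosts `
    -PermissionGroups AnonymousUsers | Out-Null

# 2. Grant "accept any recipient" (relay) on the scoped connector only.
Get-ReceiveConnector -Identity "$Server\$RelayName" |
    Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" `
        -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient" | Out-Null

# 3. Audit: list every connector that grants anonymous relay and flag any
#    whose remote range is still the entire IPv4 space (open internal relay).
function Get-OpenRelayConnectors {
    foreach ($rc in Get-ReceiveConnector) {
        $relayRight = Get-ADPermission -Identity $rc.Identity |
            Where-Object {
                $_.User -like "*ANONYMOUS LOGON*" -and
                ($_.ExtendedRights -join ",") -match "Ms-Exch-SMTP-Accept-Any-Recipient"
            }
        if (-not $relayRight) { continue }
        $ranges = @($rc.RemoteIPRanges | ForEach-Object { $_.ToString() })
        [pscustomobject]@{
            Connector      = $rc.Identity
            RemoteIPRanges = ($ranges -join ", ")
            OpenToAnyIP    = [bool]($ranges -contains "0.0.0.0-255.255.255.255")
        }
    }
}

Get-OpenRelayConnectors | Format-Table -AutoSize
```

    Any row with OpenToAnyIP set to True is a connector that relays for every internal address, which is exactly the condition the question wants to rule out.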
  • Hi,

    I am writing here to confirm with you how things are going now.

    If the above suggestion helps, please be free to mark it as an answer for helping more people.

    Regards,

    Kyle Xu


    Monday, October 28, 2019 8:27 AM
    Moderator