Please let others know how useful this tip is via the rating scale at the end of it. Do you have a useful Exchange or Outlook tip, timesaver or workaround to share? Submit it to SearchExchange.com. If we publish it, we'll send you a nifty thank you gift.
VIEW MEMBER FEEDACK TO THIS TIP
If you have an Exchange server that's allowed to open outbound SMTP connections in your network, should you block port 25 everywhere else in your network, since it's not really needed? The short answer is yes, and here are some good justifications:
- There is no good reason for any desktop machine in an organization with a messaging server (i.e., Exchange Server) to have outbound port 25 available.
The only conceivable reason would be to allow someone to access a remote SMTP server that they send mail on behalf of. But why would you want to allow this to happen from your own network, which ought to have its own perfectly good mail relay? If you have good authentication procedures set up for Exchange Server, anyone who needs to send mail already can, and anyone who shouldn't won't be able to.
- Many worms, such as the infamous Sober worm, have their own miniature outbound SMTP engine. They don't need a working mail relay to infect another computer; they can do so directly from any machine that has outbound port 25 available.
- Most ISPs now routinely block port 25 on basic dial-up and broadband accounts. This has proven to be a good way to prevent such networks from becoming havens for spam. (The other big innovation before this was discarding outgoing packets branded with spoofed addresses that didn't belong in that address pool, which helped cut down on untraceable attacks of all kinds.)
I admit to being personally inconvenienced by having port 25 blocked on my personal network. I remotely administer a domain name that has its own SMTP sender, so I can send mail on behalf of that domain name.
After this restriction went into place, the only way I could send e-mail was through my ISP, and only by using the e-mail address my ISP provided. (If I tried to send e-mail with a @mydomain.com address through its mail relay, it would reject it and insist that I could only send e-mails with a @myisp.com address.)
Since they wanted to charge me extra for the privilege of being able to use port 25, I surrendered and just started using the @myisp.com address for the sake of simplicity. I don't like it, but if it means my ISP is no longer playing host to spammers and Sober-style worms, I can live with it.
About the author: Serdar Yegulalp is editor of the Windows Power Users Newsletter.
MEMBER FEEDBACK TO THIS TIP
I absolutely agree and recently implemented this on my network. I wish all SMTP traffic was from legitimate, registered e-mail servers.
—John A.
Do you have comments on this tip? Let us know.
Related information from SearchExchange.com:
Tip: Many ISPs now blocking port 25
Ask the Expert: Testing IP restrictions on port 25
The spamfighter's toolbox
On-Demand Webcast: Locking down Exchange Server
Learning Guide: How to fight spam on Exchange Server
