Should you turn off your network's outbound SMTP (port 25)?

Please let others know how useful this tip is via the rating scale at the end of it. Do you have a useful Exchange or Outlook tip, timesaver or workaround to share? Submit it to SearchExchange.com. If we publish it, we'll send you a nifty thank you gift.

If you have an Exchange server that's allowed to open outbound SMTP connections in your network, should you block port 25 everywhere else in your network, since it's not really needed? The short answer is yes, and here are some good justifications:

1. There is no good reason for any desktop machine in an organization with a messaging server (i.e., Exchange Server) to have outbound port 25 available. The only conceivable reason would be to allow someone to access a remote SMTP server that they send mail on behalf of. But why would you want to allow this to happen from your own network, which ought to have its own perfectly good mail relay? If you have good authentication procedures set up for Exchange Server, anyone who needs to send mail already can, and anyone who shouldn't won't be able to.

2. Many worms, such as the infamous Sober worm, have their own miniature outbound SMTP engine. They don't need a working mail relay to infect another computer; they can do so directly from any machine that has outbound port 25 available.

3. Most ISPs now routinely block port 25 on basic dial-up and broadband accounts. This has proven to be a good way to prevent such networks from becoming havens for spam. (The other big innovation before this was discarding outgoing packets branded with spoofed addresses that didn't belong in that address pool, which helped cut down on untraceable attacks of all kinds.)

I admit to being personally inconvenienced by having port 25 blocked on my personal network. I remotely administer a domain name that has ...

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Exchange Security Tips How to install Forefront Security for Exchange Server Is full email encryption the solution to Exchange security? Lock down direct file access and protect OWA users Controlling spam in Exchange 2007 at the edge transport server level When to use a self-signed certificate with Exchange Server 2007 Obtaining and verifying SSL certificates in Exchange Server How file-level antivirus software can harm your Exchange Server Understanding Exchange Server 2007 SP1 mobile security settings Which ActiveSync authentication method is best for your mobile device? Why you should secure Exchange 2007 using administrative policies Spam and virus protection How to install Forefront Security for Exchange Server Block Web beacons and protect OWA users from spam Controlling spam in Exchange 2007 at the edge transport server level How file-level antivirus software can harm your Exchange Server Problems with email spoofing on SBS 2003 Exchange Insider e-zine Securing your Exchange Server 2007 journaling archives Troubleshooting Outlook Web Access issues on a 64-bit system Microsoft Exchange Server security dos and don'ts Troubleshooting Microsoft Exchange Server Event ID error 6009 Spam and virus protection Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary backscatter spam  (SearchExchange.com) greylist  (SearchExchange.com) image spam  (SearchExchange.com) KnujOn  (SearchExchange.com) Sender ID  (SearchExchange.com) spam confidence level  (SearchExchange.com) spamblock  (SearchExchange.com) spim  (SearchExchange.com) tarpitting  (SearchExchange.com) Vouch by Reference (VBR)  (SearchExchange.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

its own SMTP sender, so I can send mail on behalf of that domain name.

After this restriction went into place, the only way I could send e-mail was through my ISP, and only by using the e-mail address my ISP provided. (If I tried to send e-mail with a @mydomain.com address through its mail relay, it would reject it and insist that I could only send e-mails with a @myisp.com address.)

Since they wanted to charge me extra for the privilege of being able to use port 25, I surrendered and just started using the @myisp.com address for the sake of simplicity. I don't like it, but if it means my ISP is no longer playing host to spammers and Sober-style worms, I can live with it.

About the author: Serdar Yegulalp is editor of the Windows Power Users Newsletter.

I absolutely agree and recently implemented this on my network. I wish all SMTP traffic was from legitimate, registered e-mail servers.
—John A.

Do you have comments on this tip? Let us know.

Related information from SearchExchange.com:

Learning Guide: How to fight spam on Exchange Server

Rate this Tip To rate tips, you must be a member of SearchExchange.com. Register now to start rating these tips. Log in if you are already a member. Submit a Tip DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.