Should you turn off your network's outbound SMTP (port 25)?

Should you turn off your network's outbound SMTP (port 25)?

Please let others know how useful this tip is via the rating scale at the end of it. Do you have a useful Exchange or Outlook tip, timesaver or workaround to share? Submit it to SearchExchange.com. If we publish it, we'll send you a nifty thank you gift.

VIEW MEMBER FEEDACK TO THIS TIP

If you have an Exchange server that's allowed to open outbound SMTP connections in your network, should you block port 25 everywhere else in your network, since it's not really needed? The short answer is yes, and here are some good justifications:

  1. There is no good reason for any desktop machine in an organization with a messaging server

    Requires Free Membership to View

    Login

    When you register, you’ll also receive targeted alerts from my team of editorial writers and independent industry experts with the latest news, tips, and advice to help you do your job more efficiently and effectively. Our goal is to keep you informed on the hottest topics and biggest challenges faced by Exchange professionals today working with Exchange, Outlook and other related technologies.

    Margie Semilof, Editorial Director

    By submitting your registration information to SearchExchange.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchExchange.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

Premium Access

Register now for unlimited access to our premium content across our network of over 70 information Technology web sites.
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

This was first published in March 2006

  1. (i.e., Exchange Server) to have outbound port 25 available. The only conceivable reason would be to allow someone to access a remote SMTP server that they send mail on behalf of. But why would you want to allow this to happen from your own network, which ought to have its own perfectly good mail relay? If you have good authentication procedures set up for Exchange Server, anyone who needs to send mail already can, and anyone who shouldn't won't be able to.

  2. Many worms, such as the infamous Sober worm, have their own miniature outbound SMTP engine. They don't need a working mail relay to infect another computer; they can do so directly from any machine that has outbound port 25 available.

  3. Most ISPs now routinely block port 25 on basic dial-up and broadband accounts. This has proven to be a good way to prevent such networks from becoming havens for spam. (The other big innovation before this was discarding outgoing packets branded with spoofed addresses that didn't belong in that address pool, which helped cut down on untraceable attacks of all kinds.)

I admit to being personally inconvenienced by having port 25 blocked on my personal network. I remotely administer a domain name that has its own SMTP sender, so I can send mail on behalf of that domain name.

After this restriction went into place, the only way I could send e-mail was through my ISP, and only by using the e-mail address my ISP provided. (If I tried to send e-mail with a @mydomain.com address through its mail relay, it would reject it and insist that I could only send e-mails with a @myisp.com address.)

Since they wanted to charge me extra for the privilege of being able to use port 25, I surrendered and just started using the @myisp.com address for the sake of simplicity. I don't like it, but if it means my ISP is no longer playing host to spammers and Sober-style worms, I can live with it.

About the author: Serdar Yegulalp is editor of the Windows Power Users Newsletter.

MEMBER FEEDBACK TO THIS TIP

I absolutely agree and recently implemented this on my network. I wish all SMTP traffic was from legitimate, registered e-mail servers.
—John A.

Do you have comments on this tip? Let us know.

Related information from SearchExchange.com:

  • Tip: Many ISPs now blocking port 25
  • Ask the Expert: Testing IP restrictions on port 25
  • The spamfighter's toolbox
  • On-Demand Webcast: Locking down Exchange Server
  • Learning Guide: How to fight spam on Exchange Server

    Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.

    Back to top