Solved

Worries About Port 25 Open on New SBS 2011

Posted on 2014-03-25
6
272 Views
Last Modified: 2014-04-18
Hi,

We have just set up a new SBS2011 server that gets its email via SMTP. Its the first one ive done that receives mail directly, normally I prefer to collect with POP3.

My worry is that to allow mail to connect to port 25 I have to set the receive connector in exchange to accept mail from IP's 0.0.0.0-255.255.255.255, so basically anyone can connect to it.

1. Whats to stop someone doing a port scan and then abusing the open port 25?
2. By default is the server protected against relaying?
3. Should there be anyhting else I should be checking?

Thank you for your time
ANdy
0
Comment
Question by:AndyPandaX
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 35

Expert Comment

by:Kimputer
ID: 39954550
You have set it up correctly, it's the only way a public mail server can receive all emails. By default, newer SMTP servers don't allow relaying (unlike the default settings about 10 years ago, which strangely allowed relaying).
0
 
LVL 58

Expert Comment

by:Cliff Galiher
ID: 39954551
1) Nothing stops a person from port scanning and attempting to connect via port 25. "Abusing" is a rather arbitrary term and could mean different things to different people.

2) Yes, if you followed SBS guidance, installation, and wizards, you are locked down from relaying by default.

3) Always stay up to date on service packs, update rollups, and security updates. Exchange service packs are NOT on windows update or WSUS, so you have to apply those manually.
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 39971154
Preferring POP3 over SMTP is a bit like preferring a pencil instead of a computer.  For a business, you don't really want to use POP3, ever.

That being said, your concern about protecting the network is somewhat valid -- having a proper firewall (ie, business-class such as a SonicWall) will help to protect things.  But if you are really concerned, you might consider using a third-party email filtering service such as Exchange Defender.

These services will act as the MX endpoint for your email domain and then your Exchange Server's connector will be configured to ONLY connect and accept email from the service.
0
Forrester Webinar: xMatters Delivers 261% ROI

Guest speaker Dean Davison, Forrester Principal Consultant, explains how a Fortune 500 communication company using xMatters found these results: Achieved a 261% ROI, Experienced $753,280 in net present value benefits over 3 years and Reduced MTTR by 91% for tier 1 incidents.

 
LVL 1

Author Comment

by:AndyPandaX
ID: 39988073
Jeffrey,

Why do you say dont use POP3 over SMTP for inbound email? Its all we have ever used and found it to be the much preferred way. I am open to reasons why you think its a no no.

Andy
0
 
LVL 74

Accepted Solution

by:
Jeffrey Kane - TechSoEasy earned 295 total points
ID: 39989906
POP3 is not Business Class Email.  You have absolutely NO control over the integrity of user's mailboxes.  Additionally there is generally NO security to protect the messages -- ie they travel across the Internet in plain text without encryption.

SMTP is much faster than POP3 as there are no "pull" delays -- delivery is relatively instant.

Furthermore, you don't have control of the POP3 server.  You cannot tell if that server is compromised or there is unauthorized access to it.  You generally cannot control the SPAM filtering (if there even is any).  

Nor can you control user access -- meaning users could pull messages directly from the server bypassing your new Exchange Server.  This means that messages could be deleted without any recourse (Exchange provides for deleted item recovery and archiving).

These are just a few of the main advantages.
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 40008489
Could I ask why you only gave a "B" grade for this answer?  What more did you need to know that wasn't provided in my response?  Because you didn't make any additional comments after mine, there would be no way to know that the information wasn't sufficient.

Please explain.
0

Featured Post

On Demand Webinar: Networking for the Cloud Era

Did you know SD-WANs can improve network connectivity? Check out this webinar to learn how an SD-WAN simplified, one-click tool can help you migrate and manage data in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The term "Bad USB" is a buzz word that is usually used when talking about attacks on computer systems that involve USB devices. In this article, I will show what possibilities modern windows systems (win8.x and win10) offer to fight these attacks wi…
Citrix XenApp, Internet Explorer 11 set to Enterprise Mode and using central hosted sites.xml file.
Windows 8 comes with a dramatically different user interface known as Metro. Notably missing from the new interface is a Start button and Start Menu. Many users do not like it, much preferring the interface of earlier versions — Windows 7, Windows X…
In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …

724 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question