Solved

Worries About Port 25 Open on New SBS 2011

Posted on 2014-03-25
6
252 Views
Last Modified: 2014-04-18
Hi,

We have just set up a new SBS2011 server that gets its email via SMTP. Its the first one ive done that receives mail directly, normally I prefer to collect with POP3.

My worry is that to allow mail to connect to port 25 I have to set the receive connector in exchange to accept mail from IP's 0.0.0.0-255.255.255.255, so basically anyone can connect to it.

1. Whats to stop someone doing a port scan and then abusing the open port 25?
2. By default is the server protected against relaying?
3. Should there be anyhting else I should be checking?

Thank you for your time
ANdy
0
Comment
Question by:AndyPandaX
6 Comments
 
LVL 35

Expert Comment

by:Kimputer
ID: 39954550
You have set it up correctly, it's the only way a public mail server can receive all emails. By default, newer SMTP servers don't allow relaying (unlike the default settings about 10 years ago, which strangely allowed relaying).
0
 
LVL 56

Expert Comment

by:Cliff Galiher
ID: 39954551
1) Nothing stops a person from port scanning and attempting to connect via port 25. "Abusing" is a rather arbitrary term and could mean different things to different people.

2) Yes, if you followed SBS guidance, installation, and wizards, you are locked down from relaying by default.

3) Always stay up to date on service packs, update rollups, and security updates. Exchange service packs are NOT on windows update or WSUS, so you have to apply those manually.
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 39971154
Preferring POP3 over SMTP is a bit like preferring a pencil instead of a computer.  For a business, you don't really want to use POP3, ever.

That being said, your concern about protecting the network is somewhat valid -- having a proper firewall (ie, business-class such as a SonicWall) will help to protect things.  But if you are really concerned, you might consider using a third-party email filtering service such as Exchange Defender.

These services will act as the MX endpoint for your email domain and then your Exchange Server's connector will be configured to ONLY connect and accept email from the service.
0
How does your email signature look on mobiles?

Do your employees use mobile devices to reply to emails? With mobile becoming increasingly important to the business world, it is in your best interest to make sure that your email signature looks great across all types of devices.

 
LVL 1

Author Comment

by:AndyPandaX
ID: 39988073
Jeffrey,

Why do you say dont use POP3 over SMTP for inbound email? Its all we have ever used and found it to be the much preferred way. I am open to reasons why you think its a no no.

Andy
0
 
LVL 74

Accepted Solution

by:
Jeffrey Kane - TechSoEasy earned 295 total points
ID: 39989906
POP3 is not Business Class Email.  You have absolutely NO control over the integrity of user's mailboxes.  Additionally there is generally NO security to protect the messages -- ie they travel across the Internet in plain text without encryption.

SMTP is much faster than POP3 as there are no "pull" delays -- delivery is relatively instant.

Furthermore, you don't have control of the POP3 server.  You cannot tell if that server is compromised or there is unauthorized access to it.  You generally cannot control the SPAM filtering (if there even is any).  

Nor can you control user access -- meaning users could pull messages directly from the server bypassing your new Exchange Server.  This means that messages could be deleted without any recourse (Exchange provides for deleted item recovery and archiving).

These are just a few of the main advantages.
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 40008489
Could I ask why you only gave a "B" grade for this answer?  What more did you need to know that wasn't provided in my response?  Because you didn't make any additional comments after mine, there would be no way to know that the information wasn't sufficient.

Please explain.
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Recently, I read that Microsoft has analysed statistics for their security intelligence report. It revealed: still, the clear majority of windows users do their daily work as administrator. An administrative account is a burden, security-wise. My ar…
Container Orchestration platforms empower organizations to scale their apps at an exceptional rate. This is the reason numerous innovation-driven companies are moving apps to an appropriated datacenter wide platform that empowers them to scale at a …
Windows 8 came with a dramatically different user interface known as Metro. Notably missing from that interface was a Start button and Start Menu. Microsoft responded to negative user feedback of the Metro interface, bringing back the Start button a…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now