Worries About Port 25 Open on New SBS 2011

Hi,

We have just set up a new SBS 2011 server that gets its email via SMTP. It's the first one I've done that receives mail directly; normally I prefer to collect with POP3.

My worry is that to allow mail to connect to port 25 I have to set the receive connector in Exchange to accept mail from IPs 0.0.0.0-255.255.255.255, so basically anyone can connect to it.

1. What's to stop someone doing a port scan and then abusing the open port 25?
2. By default, is the server protected against relaying?
3. Should there be anything else I should be checking?

Thank you for your time
Andy

AndyPandaX asked:
Kimputer commented:
You have set it up correctly, it's the only way a public mail server can receive all emails. By default, newer SMTP servers don't allow relaying (unlike the default settings about 10 years ago, which strangely allowed relaying).
0
Cliff Galiher commented:
1) Nothing stops a person from port scanning and attempting to connect via port 25. "Abusing" is a rather arbitrary term and could mean different things to different people.

2) Yes, if you followed SBS guidance, installation, and wizards, you are locked down from relaying by default.

3) Always stay up to date on service packs, update rollups, and security updates. Exchange service packs are NOT on windows update or WSUS, so you have to apply those manually.
0
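The relay question (point 2 above) is one you can verify rather than take on trust. The following is an added example, not code from the thread: a PowerShell script that opens a raw SMTP session to the server from an outside host and asks it to accept a recipient outside your accepted domains. Exchange 2010 (the version inside SBS 2011) should answer `550 5.7.1 Unable to relay`; a `250` at that step means the connector is an open relay. The server name, probe addresses and domains are placeholders you must replace.

```powershell
# Added example (not from the thread): probe an SMTP listener for open relay.
# Run it from a host OUTSIDE your network so it reflects what an Internet
# scanner sees. Server name and addresses below are placeholders (assumptions).
param(
    [string]$Server   = "mail.example.com",         # assumption: the SBS server's public name
    [int]$Port        = 25,
    [string]$MailFrom = "probe@attacker.example",   # NOT one of your accepted domains
    [string]$RcptTo   = "victim@external.example"   # NOT one of your accepted domains
)

function Send-SmtpLine {
    # Write one command (or nothing, to read the banner) and return the
    # final reply line. Multi-line replies use "250-" continuations and
    # finish with "250 " (a space), so keep reading until that line.
    param([System.IO.StreamWriter]$Writer, [System.IO.StreamReader]$Reader, [string]$Line)
    if ($Line) { $Writer.WriteLine($Line); $Writer.Flush() }
    do { $reply = $Reader.ReadLine() } while ($reply -match '^\d{3}-')
    Write-Host ("C: {0}`nS: {1}" -f $Line, $reply)
    return $reply
}

$client = New-Object System.Net.Sockets.TcpClient
$client.Connect($Server, $Port)
$stream = $client.GetStream()
$reader = New-Object System.IO.StreamReader($stream)
$writer = New-Object System.IO.StreamWriter($stream)
$writer.NewLine = "`r`n"     # SMTP lines end in CRLF

try {
    Send-SmtpLine $writer $reader $null | Out-Null          # 220 banner
    Send-SmtpLine $writer $reader "EHLO probe.example" | Out-Null
    Send-SmtpLine $writer $reader "MAIL FROM:<$MailFrom>" | Out-Null
    $rcpt = Send-SmtpLine $writer $reader "RCPT TO:<$RcptTo>"

    if ($rcpt -match '^250') {
        Write-Warning "OPEN RELAY: the server accepted a recipient outside its accepted domains."
    } elseif ($rcpt -match '^5\d\d') {
        Write-Host "Relay refused, as expected: $rcpt"
    } else {
        Write-Host "Unexpected reply, inspect manually: $rcpt"
    }
    Send-SmtpLine $writer $reader "QUIT" | Out-Null
} finally {
    $client.Close()
}
```

Nothing is ever sent past `RCPT TO`, so the probe delivers no message even against an open relay. If you run it from inside the LAN, remember that an internal address may be matched by a different receive connector than the one Internet senders hit, so an internal "refused" does not prove the Internet-facing connector is safe.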
Jeffrey Kane - TechSoEasy, Principal Consultant, commented:
Preferring POP3 over SMTP is a bit like preferring a pencil instead of a computer.  For a business, you don't really want to use POP3, ever.

That being said, your concern about protecting the network is somewhat valid -- having a proper firewall (i.e., business-class, such as a SonicWall) will help to protect things.  But if you are really concerned, you might consider using a third-party email filtering service such as Exchange Defender.

These services will act as the MX endpoint for your email domain, and then your Exchange Server's connector will be configured to ONLY connect to and accept email from the service.
0
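What "configured to ONLY accept email from the service" looks like in practice, as an added example that is not part of the thread: run in the Exchange Management Shell on the SBS 2011 box (Exchange 2010), it first shows the current state of the Internet-facing receive connector, checks whether anonymous relay is granted on it, and then narrows `RemoteIPRanges` from 0.0.0.0-255.255.255.255 to the filtering service's delivery ranges. The connector name and the IP ranges are placeholders (assumptions); take the real ranges from your provider's documentation.

```powershell
# Added example (not from the thread): lock the Internet-facing receive
# connector to a filtering service's IP ranges. Exchange Management Shell,
# Exchange 2010 / SBS 2011. Connector name and ranges are placeholders.
$Connector     = "SBS2011\Windows SBS Internet Receive SBS2011"   # assumption: server\connector
$ServiceRanges = @("203.0.113.0/24", "198.51.100.10-198.51.100.20") # placeholder provider ranges

# 0. If unsure of the connector name, list them all with their port bindings.
Get-ReceiveConnector | Format-Table Identity, Bindings, RemoteIPRanges -AutoSize

# 1. Current state: who may connect, which permission groups and auth apply.
Get-ReceiveConnector -Identity $Connector |
    Format-List Identity, Bindings, RemoteIPRanges, PermissionGroups, AuthMechanism

# 2. Relay check. Open relay on Exchange 2010 is the extended right
#    ms-Exch-SMTP-Accept-Any-Recipient granted to NT AUTHORITY\ANONYMOUS LOGON.
#    An Internet-facing connector should show NO such entry for anonymous.
Get-ReceiveConnector -Identity $Connector |
    Get-ADPermission |
    Where-Object { $_.ExtendedRights -like "*ms-Exch-SMTP-Accept-Any-Recipient*" } |
    Format-Table User, ExtendedRights, Deny -AutoSize

# 3. Once the service is your MX record, accept SMTP only from its ranges.
#    Port 25 still shows up in a port scan, but any other source is refused
#    at connection time rather than reaching the SMTP conversation.
Set-ReceiveConnector -Identity $Connector -RemoteIPRanges $ServiceRanges

# 4. Confirm the change took.
(Get-ReceiveConnector -Identity $Connector).RemoteIPRanges
```

Before narrowing the ranges, check step 0 for anything else that relied on the wide-open connector: printers, scanners or line-of-business applications that submit mail to the server on port 25 will be cut off unless they are given their own receive connector restricted to the internal addresses they use.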
AndyPandaX (author) commented:
Jeffrey,

Why do you say don't use POP3 over SMTP for inbound email? It's all we have ever used and found it to be the much preferred way. I am open to reasons why you think it's a no-no.

Andy
0
Jeffrey Kane - TechSoEasy, Principal Consultant, commented:
POP3 is not Business Class Email.  You have absolutely NO control over the integrity of users' mailboxes.  Additionally, there is generally NO security to protect the messages -- i.e., they travel across the Internet in plain text without encryption.

SMTP is much faster than POP3 as there are no "pull" delays -- delivery is relatively instant.

Furthermore, you don't have control of the POP3 server.  You cannot tell if that server is compromised or there is unauthorized access to it.  You generally cannot control the SPAM filtering (if there even is any).  

Nor can you control user access -- meaning users could pull messages directly from the server bypassing your new Exchange Server.  This means that messages could be deleted without any recourse (Exchange provides for deleted item recovery and archiving).

These are just a few of the main advantages.
0
Jeffrey Kane - TechSoEasy, Principal Consultant, commented:
Could I ask why you only gave a "B" grade for this answer?  What more did you need to know that wasn't provided in my response?  Because you didn't make any additional comments after mine, there would be no way to know that the information wasn't sufficient.

Please explain.
0