Worries About Port 25 Open on New SBS 2011

Hi,

We have just set up a new SBS 2011 server that gets its email via SMTP. It's the first one I've done that receives mail directly; normally I prefer to collect with POP3.

My worry is that to allow mail to connect to port 25 I have to set the receive connector in Exchange to accept mail from IPs 0.0.0.0-255.255.255.255, so basically anyone can connect to it.

1. What's to stop someone doing a port scan and then abusing the open port 25?
2. By default, is the server protected against relaying?
3. Is there anything else I should be checking?

Thank you for your time
Andy

AndyPandaX asked:
Kimputer commented:
You have set it up correctly, it's the only way a public mail server can receive all emails. By default, newer SMTP servers don't allow relaying (unlike the default settings about 10 years ago, which strangely allowed relaying).
Cliff Galiher commented:
1) Nothing stops a person from port scanning and attempting to connect via port 25. "Abusing" is a rather arbitrary term and could mean different things to different people.

2) Yes, if you followed SBS guidance, installation, and wizards, you are locked down from relaying by default.

3) Always stay up to date on service packs, update rollups, and security updates. Exchange service packs are NOT on Windows Update or WSUS, so you have to apply those manually.
Jeffrey Kane - TechSoEasy (Principal Consultant) commented:
Preferring POP3 over SMTP is a bit like preferring a pencil instead of a computer. For a business, you don't really want to use POP3, ever.

That being said, your concern about protecting the network is somewhat valid -- having a proper firewall (i.e., business-class such as a SonicWall) will help to protect things. But if you are really concerned, you might consider using a third-party email filtering service such as Exchange Defender.

These services will act as the MX endpoint for your email domain and then your Exchange Server's connector will be configured to ONLY connect and accept email from the service.
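A way to verify the relay lock-down Cliff describes (answer 2) and to apply the restricted-connector setup Jeffrey suggests, as an added example that is not part of any poster's reply. It runs in the Exchange Management Shell on the SBS 2011 server (Exchange 2010); the connector name and the IP ranges are placeholders that you would replace with your own connector and the filtering service's published addresses.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell on the SBS 2011 box.
# 'Default SERVER' and the 203.0.113.0/24 / 198.51.100.0/24 ranges are placeholders (assumptions).

# 1. Which receive connectors accept anonymous (Internet) connections, and on what bindings?
Get-ReceiveConnector |
    Where-Object { $_.PermissionGroups -match 'AnonymousUsers' } |
    Format-Table Name, Bindings, RemoteIPRanges -AutoSize

# 2. Open-relay check: anonymous logon must NOT hold ms-Exch-SMTP-Accept-Any-Recipient.
#    An empty result is what you want; any row returned means the connector will relay for anyone.
Get-ReceiveConnector |
    Get-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' |
    Where-Object { ($_.ExtendedRights -like 'ms-Exch-SMTP-Accept-Any-Recipient') -and -not $_.Deny } |
    Format-Table Identity, User, ExtendedRights -AutoSize

# 3. If a filtering service is the MX endpoint, narrow the Internet-facing connector so it only
#    accepts SMTP from that service's ranges instead of 0.0.0.0-255.255.255.255.
Set-ReceiveConnector -Identity 'Default SERVER' `
    -RemoteIPRanges '203.0.113.0/24', '198.51.100.0/24'

# Confirm the change took effect.
Get-ReceiveConnector -Identity 'Default SERVER' | Format-List Name, Bindings, RemoteIPRanges
```

Step 3 only makes sense once MX records point at the filtering service; until then it would stop legitimate senders from reaching the server.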
AndyPandaX (Author) commented:
Jeffrey,

Why do you say don't use POP3 over SMTP for inbound email? It's all we have ever used and found it to be the much preferred way. I am open to reasons why you think it's a no-no.

Andy
Jeffrey Kane - TechSoEasy (Principal Consultant) commented:
POP3 is not Business Class Email. You have absolutely NO control over the integrity of users' mailboxes. Additionally, there is generally NO security to protect the messages -- i.e., they travel across the Internet in plain text without encryption.

SMTP is much faster than POP3 as there are no "pull" delays -- delivery is relatively instant.

Furthermore, you don't have control of the POP3 server. You cannot tell if that server is compromised or there is unauthorized access to it. You generally cannot control the SPAM filtering (if there even is any).

Nor can you control user access -- meaning users could pull messages directly from the server bypassing your new Exchange Server.  This means that messages could be deleted without any recourse (Exchange provides for deleted item recovery and archiving).

These are just a few of the main advantages.
Jeffrey Kane - TechSoEasy (Principal Consultant) commented:
Could I ask why you only gave a "B" grade for this answer? What more did you need to know that wasn't provided in my response? Because you didn't make any additional comments after mine, there would be no way to know that the information wasn't sufficient.

Please explain.