skip to Main Content

Limit access to/from port 25 on Exchange Server

Port 25 is the default port for incoming and outgoing mail flow. But, it doesn’t mean you need to allow port 25 for incoming and outgoing mail to everyone (all). Instead, Exchange Server port 25 should be only accessible from and to the cloud spam filter for optimal security. In this article, you will learn how to limit access to and from port 25 on Exchange Server.

Spam filter

If you don’t have a third-party spam filter in the organization, you are asking for trouble. I recommend the SpamBull cloud spam filter as a third-party spam filter. It’s simple and easy to manage. If you have Microsoft Exchange Online Protection (EOP) as a hygiene solution, that’s okay.

Important: Always use a hygiene solution to filter incoming and outgoing mail.

Limit access to and from port 25 on Exchange Server

There are two organization configuration possibilities. That’s one of the below setups:

  • Exchange On-Premises
  • Exchange Hybrid

Let’s look at the best practices for configuring the firewall port 25 on Exchange Server.

Note: Some firewalls do not work when adding the third-party spam filter or Exchange Online endpoints hostname(s), and you must enter their public IP addresses.

Limit access port 25 design

Exchange On-Premises

Mailboxes are on-premises. You route all mailboxes through the third-party spam filter.

PurposePortSourceDestination
Inbound mail25Third-party spam filter192.168.1.52
Outbound mail25192.168.1.52Third-party spam filter

Port 25 is only reachable between the third-party spam filter and Exchange Server. Nothing else can contact port 25 from inbound/outbound.

Exchange Hybrid

Mailboxes are on-premises, in the cloud, or in both places. You route all mailboxes through EOP (Microsoft).

PurposePortSourceDestination
Inbound mail25Exchange Online endpoints192.168.1.52
Outbound mail25192.168.1.52Exchange Online endpoints

Port 25 is only reachable between the Exchange Online endpoints and Exchange Server. Nothing else can contact port 25 from inbound/outbound.

Mailboxes are on-premises, in the cloud, or in both places. You route all mailboxes through the third-party spam filter.

PurposePortSourceDestination
Inbound mail25Third-party spam filter192.168.1.52
Outbound mail25192.168.1.52Third-party spam filter

Port 25 is only reachable between the third-party spam filter and Exchange Server. Nothing else can contact port 25 from inbound/outbound.

Read more: Stop Exchange Server sending spam »

Conclusion

You learned how to limit firewall access to port 25 on Exchange Server. Always double-check the organization and ensure that port 25 is only reachable between Exchange Server and the third-party spam filter or Exchange Online Protection (EOP).

Did you enjoy this article? You may also like How attackers bypass third-party spam filtering. Don’t forget to follow us and share this article.

ALI TAJRAN

ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others. Read more »

This Post Has 0 Comments

Leave a Reply

Your email address will not be published.