Limit access to/from port 25 on Exchange Server

Port 25 is the default port for incoming and outgoing mail flow (SMTP). That does not mean port 25 has to be open to everyone. Instead, for optimal security, port 25 on Exchange Server should be reachable only from and to the cloud spam filter. In this article, you will learn how to limit access to and from port 25 on Exchange Server.

Spam filter

If you don’t have a third-party spam filter in the organization, you are asking for trouble. I recommend the SpamBull cloud spam filter as a third-party spam filter. It’s simple and easy to manage. If you have Microsoft Exchange Online Protection (EOP) as a hygiene solution, that’s okay.

Important: Always use a hygiene solution to filter incoming and outgoing mail.

Limit access to and from port 25 on Exchange Server

There are two possible organization configurations:

  • Exchange On-Premises
  • Exchange Hybrid

Let’s look at the best practices for configuring the firewall port 25 on Exchange Server.

Note: Some firewalls cannot use the hostname(s) of the third-party spam filter or the Exchange Online endpoints in a rule. In that case, you must enter their public IP addresses instead.

Limit access to port 25 design

Exchange On-Premises

Mailboxes are on-premises. You route all mailboxes through the third-party spam filter.

| Purpose | Port | Source | Destination |
| --- | --- | --- | --- |
| Inbound mail | 25 | Third-party spam filter | Exchange Server |
| Outbound mail | 25 | Exchange Server | Third-party spam filter |

Port 25 is reachable only between the third-party spam filter and Exchange Server. No other host can connect to port 25, inbound or outbound.

Exchange Hybrid

Mailboxes are on-premises, in the cloud, or in both places. You route all mailboxes through EOP (Microsoft).

| Purpose | Port | Source | Destination |
| --- | --- | --- | --- |
| Inbound mail | 25 | Exchange Online endpoints | Exchange Server |
| Outbound mail | 25 | Exchange Server | Exchange Online endpoints |

Port 25 is reachable only between the Exchange Online endpoints and Exchange Server. No other host can connect to port 25, inbound or outbound.

Alternatively, mailboxes are on-premises, in the cloud, or in both places, and you route all mail flow through the third-party spam filter.

| Purpose | Port | Source | Destination |
| --- | --- | --- | --- |
| Inbound mail | 25 | Third-party spam filter | Exchange Server |
| Outbound mail | 25 | Exchange Server | Third-party spam filter |

Port 25 is reachable only between the third-party spam filter and Exchange Server. No other host can connect to port 25, inbound or outbound.
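To check that a server actually matches one of the designs above, here is an added PowerShell audit (example code written for this article, not the author's own) that lists every enabled Windows Firewall allow rule touching TCP/25, flags rules that are not scoped to specific remote addresses, and then shows which remote ranges the port 25 receive connector accepts. The `$AllowedRanges` values are constructed placeholders, and the last command assumes the Exchange Management Shell is loaded.

```powershell
# Added example: audit TCP/25 exposure on an Exchange Server (Windows Firewall + receive connector).
# Placeholder ranges (RFC 5737 documentation addresses); replace with the spam filter's
# or EOP's published port 25 ranges.
$AllowedRanges = @('203.0.113.0/24', '198.51.100.10')

function Get-Port25FirewallRules {
    # Every enabled allow rule whose port filter matches SMTP:
    # inbound mail arrives on the LOCAL port 25, outbound mail targets the REMOTE port 25.
    Get-NetFirewallRule -Enabled True -Action Allow | ForEach-Object {
        $rule = $_
        $port = $rule | Get-NetFirewallPortFilter
        $addr = $rule | Get-NetFirewallAddressFilter
        if ($port.Protocol -ne 'TCP') { return }

        $onPort25 = ($rule.Direction -eq 'Inbound'  -and (@($port.LocalPort)  -contains '25')) -or
                    ($rule.Direction -eq 'Outbound' -and (@($port.RemotePort) -contains '25'))
        # A port range such as '1-1024' also covers 25 but is not matched by this simple check.
        if (-not $onPort25) { return }

        $remote = @($addr.RemoteAddress)
        [pscustomobject]@{
            Rule          = $rule.DisplayName
            Direction     = $rule.Direction
            RemoteAddress = $remote -join ', '
            # 'Any' means the rule is not limited to the spam filter / EOP ranges.
            Scoped        = -not ($remote -contains 'Any')
            # Every listed address should be one of the allowed ranges (string comparison only).
            OnlyAllowed   = @($remote | Where-Object { $AllowedRanges -notcontains $_ }).Count -eq 0
        }
    }
}

# Rules that would let hosts other than the spam filter / EOP talk SMTP with the server.
Get-Port25FirewallRules | Where-Object { -not $_.Scoped -or -not $_.OnlyAllowed } | Format-Table -AutoSize

# Defense in depth: the receive connector bound to port 25 should accept the same ranges
# and nothing else. Requires the Exchange Management Shell.
Get-ReceiveConnector -Server $env:COMPUTERNAME |
    Where-Object { @($_.Bindings | Where-Object { $_.Port -eq 25 }).Count -gt 0 } |
    Select-Object Identity, @{ Name = 'RemoteIPRanges'; Expression = { @($_.RemoteIPRanges | ForEach-Object { "$_" }) -join ', ' } }
```

An empty first table and a receive connector whose RemoteIPRanges lists only the filter ranges is the expected result for the designs above; anything else is a gap to close.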

Read more: Stop Exchange Server sending spam »

Conclusion

You learned how to limit firewall access to port 25 on Exchange Server. Always double-check the organization and ensure that port 25 is only reachable between Exchange Server and the third-party spam filter or Exchange Online Protection (EOP).

Did you enjoy this article? You may also like How attackers bypass third-party spam filtering. Don’t forget to follow us and share this article.

ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others. Read more »

This Post Has 2 Comments

  1. Is there any way to find/view a list of IP addresses which EOP uses, so I can enable only traffic on port 25 from that list of IP addresses on my firewall (something like a CSV file)? The list of IP addresses and URLs on “Exchange Online endpoints” is huge, and it tells everything except what it needs to say.
    Just a simple list of IPs for EOP would be perfect.

    1. Exchange Online port 25 URLs:

      *.mail.protection.outlook.com
      *.mx.microsoft

      Exchange Online port 25 IPs:

      40.92.0.0/15
      40.107.0.0/16
      52.100.0.0/14
      104.47.0.0/17
      2a01:111:f400::/48
      2a01:111:f403::/48
