Guest tdiab, posted February 14, 2009

How to disable telnet to port 25 on an Exchange server?
How to secure an Exchange server?

IT
Guest John Mason Jr, posted February 15, 2009

tdiab wrote:
> How to disable telnet to port 25 on exchange server?
> How to secure exchange server?
> IT

I hope your Exchange server isn't listed as your MX record, because if you turn off SMTP, how will other servers be able to deliver mail addressed to your domain?

In the general case, to secure your server, look at the OS and the other services that are running on the box and try to minimize the attack surface.

http://www.google.com/search?q=exchange+se...3Amicrosoft.com
http://www.msexchange.org/
http://www.slipstick.com/
http://www.petri.co.il/
http://technet.microsoft.com/en-us/exchange/bb341336.aspx

John
Guest Juergen Nieveler, posted February 15, 2009

tdiab <acans@sbcglobal.net> wrote:
> How to disable telnet to port 25 on exchange server?

Simple. Disable the SMTP server.

Caveat: Your users might complain about not receiving any emails anymore - just ignore them, you know better...

Juergen Nieveler
--
A mistress is something between a mister and a mattress
Guest tdiab, posted February 15, 2009

John,

I do not want to turn off the SMTP service. What I would like to find out is how I can prevent anyone on the internet from telnetting to port 25 using the public IP address of the Exchange server, which is in the MX record.

By the way, I already turned off relaying on SMTP in Exchange. I know of some networks with an Exchange mail server where you cannot telnet to port 25 (possibly they changed port 25 for SMTP).

One more question: if I change the SMTP port from 25 to 2525, how do the other mail servers know to connect to port 2525 instead of 25?

--
IT

"John Mason Jr" wrote:
> tdiab wrote:
>> How to disable telnet to port 25 on exchange server?
>> How to secure exchange server?
>> IT
>
> I hope your exchange server isn't listed as your MX record because if
> you turn off smtp then how will other servers be able to deliver mail
> addressed to your domain?
>
> In the general case to secure you server look at the OS and other
> services that are running on the box and try to minimize the attack surface.
>
> http://www.google.com/search?q=exchange+se...3Amicrosoft.com
>
> http://www.msexchange.org/
> http://www.slipstick.com/
> http://www.petri.co.il/
> http://technet.microsoft.com/en-us/exchange/bb341336.aspx
>
> John
Guest Hans Liss, posted February 15, 2009

In article <F31DE965-9CD7-4104-8A40-FF5F3C316353@microsoft.com>, tdiab <acans@sbcglobal.net> wrote:
> John,
>
> I do not want to turn off the smtp service.
> What I would like to find out how I can disable anyone from the internet to
> telnet to port 25 using the public ip address for the exchange server which
> in the MX record?

Port 25 is the SMTP port. Telnet is just a program, one of many ways to access a TCP port like port 25. If something (Exchange) listens on the SMTP port on a public address, anyone can connect to that port, unless you set up IP filters to block certain networks from doing so.

> By the way I already turn off the relay on smto in exchange.
> I know some network with exchange mail server can not telnet to port 25
> (possible they may change port 25 for smtp).

If you have a list of network addresses that should not be allowed to send email to your server, or otherwise access the SMTP port, you can block them out in a router's IP filters (or using filters on your Exchange server).

If you have a "whitelist" of a finite number of email servers (like an upstream relay or well-known peers) that you want to allow, then you can probably block everything except what's on the list.

There is no way of blocking certain programs from accessing your Exchange server. A TCP connection looks the same regardless of who opened it.

> One more question if change 25 port for smtp to 2525 how the other mail
> server knows to connect to port 2525 instead of 25?

They can't.

It sounds like you don't trust Exchange to be exposed to the Internet, in which case you should look into setting up another MTA that you do trust (like a small Linux box running Postfix or whatever you may trust) as a frontend to handle all external traffic - and not expose the Exchange server's SMTP port to the Internet at all.

Whatever you do, unless you are content with internal workgroup mail only, you will probably end up with some box exposing port 25 to the Internet, and people will be able to telnet to it.

/Hans

> --
> IT
>
> "John Mason Jr" wrote:
>> tdiab wrote:
>>> How to disable telnet to port 25 on exchange server?
>>> How to secure exchange server?
>>> IT
>>
>> I hope your exchange server isn't listed as your MX record because if
>> you turn off smtp then how will other servers be able to deliver mail
>> addressed to your domain?
>>
>> In the general case to secure you server look at the OS and other
>> services that are running on the box and try to minimize the attack surface.
>>
>> http://www.google.com/search?q=exchange+se...3Amicrosoft.com
>>
>> http://www.msexchange.org/
>> http://www.slipstick.com/
>> http://www.petri.co.il/
>> http://technet.microsoft.com/en-us/exchange/bb341336.aspx
>>
>> John
Guest John Mason Jr, posted February 15, 2009

Hans Liss wrote:
> In article <F31DE965-9CD7-4104-8A40-FF5F3C316353@microsoft.com>,
> tdiab <acans@sbcglobal.net> wrote:
>> John,
>>
>> I do not want to turn off the smtp service.
>> What I would like to find out how I can disable anyone from the internet to
>> telnet to port 25 using the public ip address for the exchange server which
>> in the MX record?
>
> Port 25 is the SMTP port. Telnet is just a program, one of many ways to
> access a TCP port like port 25. If something (Exchange) listens to the SMTP
> port on a public address, anyone can connect to that port, unless you set
> up IP filters to block certain networks from doing so.
>
>> By the way I already turn off the relay on smto in exchange.
>> I know some network with exchange mail server can not telnet to port 25
>> (possible they may change port 25 for smtp).
>
> If you have a list of network addresses that should not be allowed to send
> email to your server, or otherwise access the SMTP port, you can block them
> out in a router's IP filters (or using filters on your Exchange server).
>
> If you have a "whitelist" of a finite number of email servers (like an
> upstream relay or well known peers) that you want to allow, then you can
> probably block everything except what's on the list.
>
> There is no way of blocking certain programs from accessing your Exchange
> server. A TCP connection looks the same regardless of who opened it.
>
>> One more question if change 25 port for smtp to 2525 how the other mail
>> server knows to connect to port 2525 instead of 25?
>
> They can't.
>
> It sounds like you don't trust Exchange to be exposed to the Internet, in
> which case you should look into setting up another MTA that you do trust
> (like a small Linux box running Postfix or whatever you may trust) as a
> frontend to handle all external traffic - and not expose the Exchange
> server's SMTP port to the Internet at all.
>
> Whatever you do, unless you are content with internal workgroup mail only,
> you will probably end up with some box exposing port 25 to the Internet,
> and people will be able to telnet to it.
>
> /Hans
>
> [snip]

Hans gave you good answers so I won't repeat the same stuff.

But I think you really need to think about what you are trying to protect and figure out a way to do that without killing your budget.

If you are still running SBS, I would really consider either a hosted mail filtering solution that forwards to your server or a Linux box/appliance.

John
Guest tdiab, posted February 16, 2009

Thanks John & Hans,

You answered most of my questions.

It sounds like there is no threat from someone on the internet being able to telnet to the Exchange public IP address on port 25, since Exchange is configured not to be an open relay.

Right now Network Solutions is hosting our emails; I'm planning to set up SBS 2008 in the next few weeks. Do you think I should keep the emails at the Network Solutions server and set up Exchange to POP all the mailboxes and forward them to the right users, or shall I go ahead and set up Exchange to host the company emails?

Thanks again.

--
IT

"John Mason Jr" wrote:
> Hans Liss wrote:
>> [snip]
>
> Hans gave you good answers so I won't repeat the same stuff.
>
> But I think you really need to think about what you are trying to
> protect and figure out a way to do that without killing your budget.
>
> If you are still running SBS I would really consider either a hosted
> mail filterung solution that forwards to your server or a linux
> box/appliance.
>
> John
Guest Juergen Nieveler, posted February 17, 2009

tdiab <acans@sbcglobal.net> wrote:
> It sound like there no threat by someone on the internet being able to
> telent to the exchange public ip address on port 25, since the
> exchange configured not to be an open relay.

Technically, somebody STILL could simply telnet to your server (or use a misconfigured email client) to send a mail to one of your users with a fake From: header. But that's extremely hard to prevent...

Juergen Nieveler
--
The person sitting across from you expects you to pay for dinner.
Guest John Mason Jr, posted February 17, 2009

tdiab wrote:
> Thanks John & Hans,
>
> You answer most of my questions.
>
> It sound like there no threat by someone on the internet being able to
> telent to the exchange public ip address on port 25, since the exchange
> configured not to be an open relay.
>
> Right now Network Solutions hosting our emails, I'm planning to setup
> sbs2008 next few weeks. Do you think if I kept the emails @ Network Sol
> server and setup the exchange to pop all the mail box and forward them to the
> right user, or shell I go ahead and setup the exchange to host the company
> emails??
>
> Thanks again.

You may want to consider having a hosted antispam/antivirus solution as your advertised MX; then you only need to accept connections from a particular range of IP addresses.

When I was administering a small Exchange setup I had a small Linux appliance in the DMZ that did all the filtering I wanted and gave me the level of control & visibility that I wanted.

http://www.roaringpenguin.com/

John
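The practical shape of what Hans and John are describing (a finite "whitelist" of upstream relays, with everything else blocked at the perimeter and Exchange accepting port 25 only from that range) is shown below as an added example. It is not code posted by anyone in this thread. It assumes a hosted filtering service or frontend MTA is the published MX; the address ranges are constructed from the RFC 5737 documentation blocks, the receive-log layout is a simplified one made up for the example (not the real Exchange protocol log format), and the netsh rule it prints is the Windows Firewall with Advanced Security syntax for scoping an inbound allow rule to those remote addresses.

```python
"""Inbound SMTP allowlist check, modelled on the advice in this thread.

Added example, not code from the thread. It assumes the setup Hans and
John describe: a hosted filtering service (or frontend MTA) is the
published MX, so the Exchange server only needs to accept TCP/25 from
that service's address ranges; anything from elsewhere should be blocked
at the perimeter, and is worth alerting on if it shows up in the logs.
All addresses and log lines are constructed (RFC 5737 ranges), and the
log layout is a simplified one invented here, not the real Exchange
protocol log format.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Constructed: ranges of the upstream filtering service allowed to deliver
# mail to the internal server. Everything else is denied by default.
UPSTREAM_FILTER_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/26"),   # .0 to .63 only
]


def is_allowed(src_ip: str, allowlist) -> bool:
    """True if src_ip falls inside any allowlisted network."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in allowlist)


@dataclass
class SmtpConnection:
    timestamp: str
    src_ip: str
    src_port: int
    helo_name: str


# Constructed sample: timestamp,remote_ip:port,event,data
SAMPLE_LOG = """\
# constructed receive-log sample, not real traffic
2009-02-16T08:01:12Z,203.0.113.17:41022,HELO,filter1.example.net
2009-02-16T08:02:45Z,198.51.100.9:50113,HELO,filter2.example.net
2009-02-16T08:03:01Z,192.0.2.77:1025,HELO,laptop
2009-02-16T08:03:30Z,192.0.2.77:1025,MAIL,FROM:<someone@example.com>
2009-02-16T08:05:10Z,198.51.100.200:3321,HELO,mx.example.org
"""


def parse_receive_log(lines) -> List[SmtpConnection]:
    """One record per session, taken from its HELO/EHLO event."""
    conns = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, endpoint, event, data = line.split(",", 3)
        if event not in ("HELO", "EHLO"):
            continue          # later events belong to a session already seen
        ip, _, port = endpoint.rpartition(":")
        conns.append(SmtpConnection(ts, ip, int(port), data))
    return conns


def classify(conns, allowlist) -> Tuple[List[SmtpConnection], List[SmtpConnection]]:
    """Split sessions into those from the allowlist and those from elsewhere."""
    accepted, rejected = [], []
    for c in conns:
        (accepted if is_allowed(c.src_ip, allowlist) else rejected).append(c)
    return accepted, rejected


def netsh_allow_rule(allowlist, rule_name="SMTP from upstream filter") -> str:
    """Windows Firewall (netsh advfirewall) rule permitting TCP/25 only from
    the allowlist. Other inbound connections are dropped by the profile's
    default inbound action, which is Block unless someone changed it."""
    remote = ",".join(str(net) for net in allowlist)
    return (f'netsh advfirewall firewall add rule name="{rule_name}" '
            f"dir=in action=allow protocol=TCP localport=25 remoteip={remote}")


if __name__ == "__main__":
    accepted, rejected = classify(parse_receive_log(SAMPLE_LOG.splitlines()),
                                  UPSTREAM_FILTER_RANGES)
    for c in accepted:
        print(f"ok    {c.src_ip}:{c.src_port} ({c.helo_name})")
    for c in rejected:
        print(f"ALERT {c.src_ip}:{c.src_port} ({c.helo_name}) is not an upstream filter")
    print(netsh_allow_rule(UPSTREAM_FILTER_RANGES))
```

Two of the five constructed sessions come from outside the allowlist: one from a plain client address and one from 198.51.100.200, which is just outside the /26 even though it shares the first three octets. That second case is the reason to match on networks rather than on prefixes of the dotted string. As Hans points out, none of this distinguishes telnet from a real MTA; it only decides which source addresses may reach the port at all.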