Closing Port 25: General Advice
Routers and firewalls should be configured with port 25 disabled and SMTP Authentication enabled.
- Disabling port 25 will not stop mail software from working normally. Email client software, used to read and send email, operates on different ports (587 or 465), and such clients are able to access your ISP’s mail servers once they are correctly configured with SMTP Authentication. From the user’s perspective there is no difference.
- The majority of home networks will not be running a private mail server.
- Some routers will allow you to configure a specific device, and only that device, to access port 25. This allows a mail server to operate on the router while preventing other devices from making malicious SMTP connections. If a private mail server is being used, this is the ideal solution.
- Closing port 25 will only prevent the abusive connections from leaving your network. If the problem is (for example) an infected mobile phone, when it moves to another insecure network, it will resume its activity without restriction. To find and eliminate the source of the problem, the process of elimination outlined in the WiFi and Home Networks FAQ should work. If not, seek professional help.
- Most routers provided by ISPs will have documentation regarding their configuration available on the ISP’s website. Enterprise equipment will have documentation online, or already provided to your IT department, and both types of gear should offer telephone support.
- When configuring a router to block port 25, specify only the destination port. It is best not to specify the source port (or to use the ranges 0-65535 or 1-65535 if you cannot leave the source port values blank), because a rule that specifies both ports will only catch traffic that matches both criteria of the rule.
- Make sure you reboot the router when finished; some routers require this action before changes to the rules take effect.
- MikroTik routers had vulnerable software. Most MikroTik routers have been patched, but in case yours still needs an update, you can find the current version on their website.
For help with any configuration of routers, devices, or email software, please refer to the device documentation, your ISP or IT department for assistance.
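The source-port advice and the single-device exemption described above, modelled as an added example that is not part of the original page: a first-match rule list in Python showing that a rule with both ports set to 25 misses outbound SMTP, because clients connect from ephemeral source ports. The addresses, rule names and traffic are constructed assumptions and do not correspond to any particular router's syntax.

```python
# Added illustration: a minimal first-match packet filter model.
# All addresses, names and rules below are constructed for this example.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_port: int

@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "drop"
    dst_port: Optional[int] = None   # None means "any"
    src_port: Optional[int] = None
    src_ip: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        # Every field that is set must match, so adding a source
        # port narrows the rule instead of widening it.
        return ((self.dst_port is None or self.dst_port == p.dst_port)
                and (self.src_port is None or self.src_port == p.src_port)
                and (self.src_ip is None or self.src_ip == p.src_ip))

def decide(rules, packet, default="allow"):
    """Return the action of the first matching rule (outbound default: allow)."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return default

MAIL_SERVER = "192.168.1.10"  # hypothetical private mail server

# Mistake: source AND destination port both set to 25.
BOTH_PORTS = [Rule("drop", dst_port=25, src_port=25)]
# Recommended: destination port only, with an exemption for one device.
DST_ONLY = [Rule("allow", dst_port=25, src_ip=MAIL_SERVER),
            Rule("drop", dst_port=25)]

# Constructed traffic: clients connect from ephemeral source ports.
infected = Packet("192.168.1.57", 49822, 25)      # infected device, port 25
mail_client = Packet("192.168.1.23", 51514, 587)  # authenticated submission
server_out = Packet(MAIL_SERVER, 40112, 25)       # the exempted mail server

if __name__ == "__main__":
    for name, rules in (("both ports", BOTH_PORTS), ("dst only", DST_ONLY)):
        for label, pkt in (("infected", infected), ("client", mail_client),
                           ("server", server_out)):
            print(f"{name:10} {label:8} -> {decide(rules, pkt)}")
```
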