Ports required for mail server?

[lieb39]

Hello everyone,

I've got a exchange server running at home, working fine and all that. I've got iMAP open, and OWA. Other than that, what ports are required to be open so that email can be recieved by my server, etc? I want to close off unnecessary ports / lockdown the Exchange server.

Last thing I want is my server being used to send SPAM mail.

I've got 25 (SMTP) and 53 (DNS) open at the moment, going to the server.

Cheers,

lieb39

[Guest]

Don't need incoming DNS. The only port really is 25, unless your wanting IMAP and OWA remotely?

What version and SP are you running?

[lieb39]

2003, SP2.

I've got the IMAP and OWA setup, know which ports take those up. So just port 25 eh?

Is there a guide to hardening 2003?

Cheers

[Guest]

IMAP = 143

Exchange Default OWA is 80, however the recommended setup is to make OWA secure (HTTPS). HTTPS = 443.

There's a guide here or here. Personally I would sooner buy a cheap 1 year RapidSSL certificate from NameCheap rather than using self-signed certificates.

[+BudMan MVC]

Curious why type of connection you have? Running a server on a home connection to receive email is rarely an issue unless your isp blocks 25. It's quite often the sending to the major domain players that can be a problem. Quite a lot them will block email from dynamic listed IPs, ie home type connections. Others can block if your PTR does not match your forward for your IP does not match, etc.

Some tell you right up front, others will just drop your messages with out notice, etc.

--

Connected to mailin-02.mx.aol.com.

Escape character is '^]'.

554- (RTR:DU) http://postmaster.info.aol.com/errors/554rtrdu.html

554 Connecting IP: 71.x.x.x

Connection closed by foreign host.

AOL works with http://www.spamhaus.org to maintain lists of dynamic and residential IP addresses using the PBL database. Per our E-mail Guidelines, we do not accept mail from these addresses, as it is difficult to determine who is responsible for mail being generated by these IP's.

--

To be honest running a email server other than for play/testing on a home connection ends up being nothing more than an exercise in futility and a waste of time and money. Gmail for example will host your domains email for FREE if you were not aware ;) So why should spend time and effort and money running an exchange that could have issues sending to major domains, etc.. Having to worry if its up, is it sending spam, etc.. etc.. So good luck.

As to ports being open or not has little to do with your exchange server ending up a spam relay. If the server is not listing on the ports it makes little difference if they are open or not. Problem with a windows server is you would not want all the file sharing/windows ports open to the public. But if all of these services were turned off -- and it was only listening on the ports used, etc.

As stated unless the box is running dns -- it has no use of a 53 to it. How is this box connected to the public net? Directly with a public IP, or is behind a nat router - or just a firewall? how are you allowing/disallowing ports to it?

As to hardening exchange - what flavor of exchange?

http://technet.microsoft.com/en-us/library/aa996732.aspx

Introduction to the Exchange Server 2003 Security Hardening Guide

http://www.msexchange.org/articles_tutoria...2007-part1.html

Hardening Exchange Server 2007 - Part 1: Introductory Steps

As to using self signed certs.. Depends on how you are using it -- if just you or a few of your friends, etc.. Then a selfsigned cert, or a free one from http://www.cacert.org/ is JUST fine.. The only reason you would ever have to pay for a SSL cert is depending on the userbase -- ie do you want them to have to add trust to their browser for your CA, or some other third party CA.. Or do you want their browser to auto trust it, since its signed by a major player CA.

There is NO difference in performance or security between a selfsigned or free issued ssl cert -- it just comes down to if the users browser will trust it out of the box is all. Also the major players make you prove who you are, so your customers can have some trust that your really Company X running domainX and that you have legal right to the domain, etc.

Edited July 25, 2008 by BudMan