Is it a good idea to limit the range of servers that can connect to port 25?

Chris Green-11
I have run postfix for a number of years on my home (xubuntu) server
machine with my router firewall limiting connections on port 25 to
just the range of IP addresses which are my domain hosting company's
SMTP servers.

This caused me a problem recently when they started using a new SMTP
server which wasn't in the ranges allowed by my firewall.

I can obviously add the address of the new server but would have the
same problem the next time they add a new server.  Their support is
pretty good but maybe asking them to tell me whenever they change
things might be a bit much.

Is there much risk if I open up port 25 to any IP address?  I have it
this way at the moment and there are only a few (as in ten or a dozen)
rogue connections per day so it doesn't seem as if port 25 is really
very popular for hackers and such.

I obviously have things set up to prevent relaying etc. (at least I
hope I have!).  If I leave things the way they are with port 25 open
to anyone are there any other precautions I can take or regular things
to check?  Is there even some sort of utility like fail2ban that works
with postfix (it can't be exactly the same, as there's no password
involved)?

--
Chris Green

Re: Is it a good idea to limit the range of servers that can connect to port 25?

Noel Jones-2
On 12/1/2017 12:19 PM, Chris Green wrote:

> Is there much risk if I open up port 25 to any IP address?  I have it
> this way at the moment and there are only a few (as in ten or a dozen)
> rogue connections per day so it doesn't seem as if port 25 is really
> very popular for hackers and such.
>



You'll probably get a few relay attempts per day, unlikely more than
low hundreds.  You also may see some AUTH attempts, which will
always fail since you apparently don't offer AUTH. These aren't
dangerous and don't use enough CPU or bandwidth to worry about
unless you have an expensive metered connection such as a satellite
link.

You can use fail2ban with postfix to scan the logs for failed relay
attempts and failed AUTH logins to block repeat offenders, but
that's not really necessary since relay and AUTH will never work for
them.

Since you're expecting connections from a specific provider, feel
free to block other countries at your firewall to cut down on the noise.



  -- Noel Jones
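
Noel's suggestion of a fail2ban-style scan of the Postfix log for failed relay and AUTH attempts is worked through below as an added example in Python; it is not code from the thread or from the fail2ban project. The log lines are constructed for illustration (documentation-range addresses, invented queue IDs), and the per-command tallies on the "disconnect from" line (e.g. "auth=0/4", meaning 0 accepted of 4 attempted) are assumed to be present, as they are in Postfix 3.x. On a server that does not offer AUTH at all, which is how Noel reads Chris's setup, those tallies are the only trace of rejected AUTH commands, because the "SASL ... authentication failed" warning is only written when SASL is enabled. The `ignore` list plays the role of fail2ban's ignoreip so the hosting provider that forwards the mail is never banned even when one of its hosts trips a rule.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable

# Constructed sample in Postfix's syslog format (not captured from a real host).
# 198.51.100.0/24 stands in for the hosting provider's SMTP servers; the other
# addresses play the "rogue" connections from the thread.
SAMPLE_LOG = """\
Dec  1 12:19:03 zbmc postfix/smtpd[12345]: connect from mail.example-hosting.net[198.51.100.7]
Dec  1 12:19:04 zbmc postfix/smtpd[12345]: 3A1B2C3D4E: client=mail.example-hosting.net[198.51.100.7]
Dec  1 12:19:05 zbmc postfix/smtpd[12345]: disconnect from mail.example-hosting.net[198.51.100.7] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Dec  1 12:20:10 zbmc postfix/smtpd[12350]: connect from unknown[203.0.113.45]
Dec  1 12:20:11 zbmc postfix/smtpd[12350]: NOQUEUE: reject: RCPT from unknown[203.0.113.45]: 554 5.7.1 <v1@example.org>: Relay access denied; from=<spam@example.net> to=<v1@example.org> proto=ESMTP helo=<x>
Dec  1 12:20:12 zbmc postfix/smtpd[12350]: NOQUEUE: reject: RCPT from unknown[203.0.113.45]: 554 5.7.1 <v2@example.org>: Relay access denied; from=<spam@example.net> to=<v2@example.org> proto=ESMTP helo=<x>
Dec  1 12:20:13 zbmc postfix/smtpd[12350]: NOQUEUE: reject: RCPT from unknown[203.0.113.45]: 554 5.7.1 <v3@example.org>: Relay access denied; from=<spam@example.net> to=<v3@example.org> proto=ESMTP helo=<x>
Dec  1 12:20:14 zbmc postfix/smtpd[12350]: disconnect from unknown[203.0.113.45] ehlo=1 mail=1 rcpt=0/3 quit=1 commands=3/6
Dec  1 12:31:40 zbmc postfix/smtpd[12360]: connect from unknown[192.0.2.77]
Dec  1 12:31:41 zbmc postfix/smtpd[12360]: disconnect from unknown[192.0.2.77] ehlo=1 auth=0/4 quit=1 commands=2/6
Dec  1 12:45:02 zbmc postfix/smtpd[12371]: connect from unknown[IPv6:2001:db8::bad]
Dec  1 12:45:03 zbmc postfix/smtpd[12371]: NOQUEUE: reject: RCPT from unknown[IPv6:2001:db8::bad]: 554 5.7.1 <v@example.org>: Relay access denied; from=<a@example.net> to=<v@example.org> proto=ESMTP helo=<y>
Dec  1 12:45:04 zbmc postfix/smtpd[12371]: disconnect from unknown[IPv6:2001:db8::bad] ehlo=1 mail=1 rcpt=0/1 quit=1 commands=3/4
Dec  1 12:50:01 zbmc postfix/smtpd[12380]: NOQUEUE: reject: RCPT from mx2.example-hosting.net[198.51.100.9]: 554 5.7.1 <v1@example.org>: Relay access denied; from=<m@example.net> to=<v1@example.org> proto=ESMTP helo=<z>
Dec  1 12:50:02 zbmc postfix/smtpd[12380]: NOQUEUE: reject: RCPT from mx2.example-hosting.net[198.51.100.9]: 554 5.7.1 <v2@example.org>: Relay access denied; from=<m@example.net> to=<v2@example.org> proto=ESMTP helo=<z>
Dec  1 12:50:03 zbmc postfix/smtpd[12380]: NOQUEUE: reject: RCPT from mx2.example-hosting.net[198.51.100.9]: 554 5.7.1 <v3@example.org>: Relay access denied; from=<m@example.net> to=<v3@example.org> proto=ESMTP helo=<z>
Dec  1 12:55:17 zbmc postfix/smtpd[12390]: warning: unknown[192.0.2.200]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec  1 12:55:19 zbmc postfix/smtpd[12390]: warning: unknown[192.0.2.200]: SASL PLAIN authentication failed: authentication failure
"""

# Client token as Postfix logs it: "hostname[address]"; IPv6 carries an "IPv6:" prefix.
CLIENT = r"(?P<host>[-.\w]+)\[(?:IPv6:)?(?P<ip>[0-9A-Fa-f.:]+)\]"
# Relay attempt refused by smtpd_relay_restrictions (reject_unauth_destination).
RELAY_DENIED = re.compile(r"NOQUEUE: reject: RCPT from " + CLIENT + r": 554 5\.7\.1 .*Relay access denied")
# Failed SASL login; only appears when the server offers AUTH.
SASL_FAILED = re.compile(r"warning: " + CLIENT + r": SASL (?:LOGIN|PLAIN|CRAM-MD5|DIGEST-MD5) authentication failed")
# Per-command tallies at disconnect (assumed Postfix 3.x format): "name=accepted/attempted".
DISCONNECT = re.compile(r"disconnect from " + CLIENT + r" (?P<counts>\S.*)$")
COUNT = re.compile(r"(\w+)=(\d+)(?:/(\d+))?")


def scan(lines: Iterable[str]) -> Dict[str, Counter]:
    """Tally suspicious events per client IP, keyed by event kind."""
    per_ip: Dict[str, Counter] = defaultdict(Counter)
    for line in lines:
        m = RELAY_DENIED.search(line)
        if m:
            per_ip[m["ip"]]["relay_denied"] += 1
            continue
        m = SASL_FAILED.search(line)
        if m:
            per_ip[m["ip"]]["auth_failed"] += 1
            continue
        m = DISCONNECT.search(line)
        if m:
            for name, accepted, attempted in COUNT.findall(m["counts"]):
                # Without AUTH offered, every AUTH gets a 503 and shows up only here.
                if name == "auth" and attempted:
                    rejected = int(attempted) - int(accepted)
                    if rejected > 0:
                        per_ip[m["ip"]]["auth_rejected"] += rejected
    return dict(per_ip)


def offenders(per_ip: Dict[str, Counter], threshold: int = 3, ignore=()):
    """IPs with any single event kind at or above threshold, minus ignored networks.

    Each kind is judged on its own (as fail2ban's separate postfix and
    postfix-sasl jails do); `ignore` is the equivalent of ignoreip.
    """
    nets = [ipaddress.ip_network(n) for n in ignore]
    hits = {}
    for ip, counts in per_ip.items():
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in nets):
            continue
        over = {kind: n for kind, n in counts.items() if n >= threshold}
        if over:
            hits[ip] = over
    return hits


def report(log_text: str = SAMPLE_LOG, provider_ranges=("198.51.100.0/24",)):
    """Scan a log and return (per-IP tallies, addresses that would be banned)."""
    per_ip = scan(log_text.splitlines())
    return per_ip, offenders(per_ip, threshold=3, ignore=provider_ranges)


if __name__ == "__main__":
    tallies, to_ban = report()
    for ip, counts in sorted(tallies.items()):
        print(ip, dict(counts))
    print("would ban:", to_ban)
```

Run stand-alone, the block prints the per-IP tallies and the two addresses that would be banned. 198.51.100.9 trips the relay rule three times but sits inside the assumed provider range and is skipped, which is exactly the failure mode to avoid on a box whose only legitimate inbound SMTP comes from that provider; 192.0.2.200 has two SASL failures and stays under the threshold; the IPv6 client is parsed despite the "IPv6:" prefix Postfix puts inside the brackets.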

Re: Is it a good idea to limit the range of servers that can connect to port 25?

Viktor Dukhovni
In reply to this post by Chris Green-11


> On Dec 1, 2017, at 1:19 PM, Chris Green <[hidden email]> wrote:
>
> I have run postfix for a number of years on my home (xubuntu) server
> machine with my router firewall limiting connections on port 25 to
> just the range of IP addresses which are my domain hosting company's
> SMTP servers.

Is this outbound or inbound?  If inbound, why do you only expect
SMTP connections from the hosting provider?  If outbound, why port
25 and not 587?

> Is there much risk if I open up port 25 to any IP address?  I have it
> this way at the moment and there are only a few (as in ten or a dozen)
> rogue connections per day so it doesn't seem as if port 25 is really
> very popular for hackers and such.

Can you explain these "rogue" connections?  If inbound, that's expected,
if outbound, what on your network would be making unexpected outbound
connections and why?

--
        Viktor.


Re: Is it a good idea to limit the range of servers that can connect to port 25?

Matus UHLAR - fantomas
In reply to this post by Chris Green-11
On 01.12.17 18:19, Chris Green wrote:
>I have run postfix for a number of years on my home (xubuntu) server
>machine with my router firewall limiting connections on port 25 to
>just the range of IP addresses which are my domain hosting company's
>SMTP servers.

how do you receive mail? Do they forward mail to your private domain?
or do you run a public domain where your provider is MX for you?

what's your need to run an SMTP server on port 25 when you don't want to
receive mail from the world?
--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
On the other hand, you have different fingers.

Re: Is it a good idea to limit the range of servers that can connect to port 25?

Chris Green-11
In reply to this post by Viktor Dukhovni
On Fri, Dec 01, 2017 at 02:42:44PM -0500, Viktor Dukhovni wrote:

>
>
> > On Dec 1, 2017, at 1:19 PM, Chris Green <[hidden email]> wrote:
> >
> > I have run postfix for a number of years on my home (xubuntu) server
> > machine with my router firewall limiting connections on port 25 to
> > just the range of IP addresses which are my domain hosting company's
> > SMTP servers.
>
> Is this outbound or inbound?  If inbound, why do you only expect
> SMTP connections from the hosting provider?  If outbound, why port
> 25 and not 587?
>
It's inbound.  My home machine is zbmc.eu but I use [hidden email]
as 'my' E-Mail, all my mail is delivered to my hosting provider (who
also hosts my isbd.co.uk domain) and forwarded to zbmc.eu.  I never
get E-Mail addressed directly to [hidden email].


> > Is there much risk if I open up port 25 to any IP address?  I have it
> > this way at the moment and there are only a few (as in ten or a dozen)
> > rogue connections per day so it doesn't seem as if port 25 is really
> > very popular for hackers and such.
>
> Can you explain these "rogue" connections?  If inbound, that's expected,
> if outbound, what on your network would be making unexpected outbound
> connections and why?
>
Inbound, so expected I guess.

--
Chris Green

Re: Is it a good idea to limit the range of servers that can connect to port 25?

Chris Green-11
In reply to this post by Matus UHLAR - fantomas
On Fri, Dec 01, 2017 at 08:43:08PM +0100, Matus UHLAR - fantomas wrote:
> On 01.12.17 18:19, Chris Green wrote:
> > I have run postfix for a number of years on my home (xubuntu) server
> > machine with my router firewall limiting connections on port 25 to
> > just the range of IP addresses which are my domain hosting company's
> > SMTP servers.
>
> how do you receive mail? Do they forward mail to your private domain?
> or do you run public domain where your provides ir MX for?
>
Their SMTP servers receive mail for my various addresses as they host
the related domains (isbd.co.uk and isbd.net among others).  All this
mail is simply forwarded to [hidden email].  My home server is the MX
for zbmc.eu (as well as being zbmc.eu).


> what's your need to run SMTP server on port 25 when you don't want to
> receive mail from the world?

It's just the nicest way to receive mail as it's there ready and waiting
for me in my Unix style mail spool whenever I run my mail program.

--
Chris Green

Re: Is it a good idea to limit the range of servers that can connect to port 25?

Chris Green-11
In reply to this post by Noel Jones-2
On Fri, Dec 01, 2017 at 01:29:21PM -0600, Noel Jones wrote:

> On 12/1/2017 12:19 PM, Chris Green wrote:
>
> > Is there much risk if I open up port 25 to any IP address?  I have it
> > this way at the moment and there are only a few (as in ten or a dozen)
> > rogue connections per day so it doesn't seem as if port 25 is really
> > very popular for hackers and such.
> >
>
> You'll probably get a few relay attempts per day, unlikely more than
> low hundreds.  You also may see some AUTH attempts, which will
> always fail since you apparently don't offer AUTH. These aren't
> dangerous and don't use enough CPU or bandwidth to worry about
> unless you have an expensive metered connection such as a satellite
> link.
>
No, cheap and unmetered VDSL so a few extra bytes is irrelevant.


> You can use fail2ban with postfix to scan the logs for failed relay
> attempts and failed AUTH logins to block repeat offenders, but
> that's not really necessary since relay and AUTH will never work for
> them.
>
OK.


> Since you're expecting connections from a specific provider, feel
> free to block other countries at your firewall to cut down on the noise.
>
That's a point, I can at least do that to reduce unwanted connections
a bit.

However it does sound like I shouldn't be too worried about it.  :-)

Thanks everyone.

--
Chris Green

Re: Is it a good idea to limit the range of servers that can connect to port 25?

Bill Cole-3
In reply to this post by Chris Green-11
On 1 Dec 2017, at 15:19 (-0500), Chris Green wrote:

> I never
> get E-Mail addressed directly to [hidden email].

You've solved that problem now. :)


--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steady Work: https://linkedin.com/in/billcole