115

I have just finished setting up a Postfix mail server on a Linux (Ubuntu) platform. I have it sending and receiving email and it is not an open relay. It also supports secure SMTP and IMAP.

Now this is a pretty beginner question, but should I be leaving port 25 open (since secure SMTP is preferred)? If so, then why?

Also what about port 587?

Also should I require any authentication on either of these ports?

Please excuse my ignorance in this area :P

radman

1 Answer

183

Port 25 needs to be open in order for it to receive mail from the internet. All mail servers will establish a connection on port 25 and initiate TLS (encryption) on that port if necessary.

Secure SMTP (port 465) is used only by clients connecting to your server in order to send mail out.

Port 587 is considered a submission port. It is also what clients use to send mail out using your server. Port 587 is preferred in SMTP settings of clients over port 25 because port 25 is blocked by many ISPs. If you have port 465 open, you don't necessarily need port 587 open as well, but I believe 587 is considered a standard and 465 is considered legacy.

Port 25 should accept anonymous connections, but not for relaying.

Ports 465 and 587 should reject anonymous connections and allow relaying.

Don't apologize for not knowing. We all start somewhere, and nobody on here knows everything :-)

Jason Berg
  • 17
    You forgot IMAP (143 and 993 for IMAP and IMAP TLS/SSL respectively). – gravyface Jun 10 '10 at 02:50
  • 3
    You pretty squarely hit the nail on the head; particularly that Port 25 should never relay, and port 465/587 should only allow authenticated connections; though this is rarely the case as historically e-mail security was incredibly lax (causing many of the problems we have these days) and interoperability demands the lax security. Also POP3 runs on 110 or 995 (SSL). – Chris S Jun 10 '10 at 02:51
  • 4
    Actually, port 25 is also needed to send emails, it's used by mail servers to communicate with each other. It's the only outgoing port needed if your server only sends emails. – B Medeiros Feb 18 '14 at 19:04
  • 48
    +1 for the last sentence, Jason. The internet needs more like you. – Oliver Moran Mar 28 '15 at 21:17
  • 1
    Mail servers also need to be DNS clients, so you may also need to allow traffic initiated in the outgoing direction for port 53 for both TCP and UDP. – vk5tu Jul 26 '17 at 12:47
  • @Jason Berg I found your answer unclear. You say "Port 25 needs to be open" then you say Port 587 is preferred to Port 25. So which is it? Both? One or the other? – Jonathan May 14 '21 at 09:10
  • How to ensure "but not for relaying"? – sureshvv Oct 15 '21 at 08:02
  • Am I right saying all these ports need TCP traffic allowed and additionally 143,587,993 need the UDP as well? – muthuh Mar 17 '22 at 20:42
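
The policy from the answer (port 25 accepts anonymous mail but does not relay; ports 465 and 587 reject anonymous clients), shown as an added example that is not part of the original answer or comments: a Python check run over a constructed Postfix master.cf and main.cf. It assumes the stock service names smtp, submission and smtps, and inspects only smtpd_relay_restrictions and smtpd_sasl_auth_enable; the sample smtps entry is deliberately left without its authentication overrides.

```python
import re

# Constructed sample master.cf: the smtps entry deliberately lacks its auth overrides.
MASTER_CF = """\
smtp       inet  n  -  y  -  -  smtpd
submission inet  n  -  y  -  -  smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
smtps      inet  n  -  y  -  -  smtpd
  -o smtpd_tls_wrappermode=yes
"""
# Constructed main.cf values; they apply wherever master.cf has no -o override.
MAIN_CF = {
    "smtpd_relay_restrictions":
        "permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination",
    "smtpd_sasl_auth_enable": "no",
}
SUBMISSION = {"submission", "smtps", "submissions"}  # ports 587, 465, 465

def parse_services(text):
    """Join continuation lines, then map each inet smtpd service to its -o overrides."""
    logical = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and logical:
            logical[-1] += " " + line.strip()
        else:
            logical.append(line.strip())
    services = {}
    for entry in logical:
        fields = entry.split()
        if len(fields) >= 8 and fields[1] == "inet" and fields[7] == "smtpd":
            services[fields[0]] = dict(re.findall(r"-o\s+(\w+)=(\S+)", entry))
    return services

def audit(master_cf, main_cf):
    findings = []
    for name, overrides in parse_services(master_cf).items():
        cfg = {**main_cf, **overrides}  # per-service overrides win over main.cf
        relay = cfg.get("smtpd_relay_restrictions", "").replace(",", " ").split()
        if name in SUBMISSION:
            if cfg.get("smtpd_sasl_auth_enable") != "yes":
                findings.append(f"{name}: SASL authentication is not enabled")
            if relay != ["permit_sasl_authenticated", "reject"]:
                findings.append(f"{name}: does not reject unauthenticated clients")
        elif "reject_unauth_destination" not in relay:
            findings.append(f"{name}: relay restrictions lack reject_unauth_destination")
    return findings
```

On a live server the effective values can be read with `postconf -n` and `postconf -M` and fed to `audit` in place of the constructed samples.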