bluerayconcepts

Active Member
Mar 24, 2013
32
0
56
Yuba City, CA
cPanel Access Level
Root Administrator
How would I go about checking for active usage of port 25? I am wanting to move forward with disabling it completely, and I know the majority of customers are using SMTP auth on 587, but I wanna make sure there is no one left with some rogue mail setup still using port 25.

I can use netstat -n -A inet to see active connections at the moment, but it's only at that moment. Is there a way to log active connections to a file so I can scrub it later and see if there is anyone using it?
 

quietFinn

Well-Known Member
Feb 4, 2006
1,850
433
438
Finland
cPanel Access Level
Root Administrator
You cannot disable port 25. Mail servers sending to your server connect to port 25.
 

quietFinn

> Then how do ISPs get away with blocking port 25? That makes no sense.
>
> I work for an ISP as my day job and we do not allow anything on Port 25.

If the ISP does not allow anything on port 25 then they are not able to receive emails from other servers.

ISPs block outgoing connections on port 25, except when the connection is made to their mail server (that's how it works with every ISP here in Finland), or they can force their customers to use another port.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,258
463
Hello :)

Yes, you should leave port 25 open so that other mail servers can connect to your server. However, you can modify the following option under the "Security" tab in "WHM Home » Service Configuration » Exim Configuration Manager":

"Require clients to connect with SSL or issue the STARTTLS command before they are allowed to authenticate with the server."

Per its description, enabling this option will significantly improve the security of the server by preventing the plaintext transmission of authentication credentials.

Thank you.
 

JaredR.

Well-Known Member
Feb 25, 2010
1,834
27
143
Houston, TX
cPanel Access Level
Root Administrator
> Then how do ISPs get away with blocking port 25? That makes no sense.
>
> I work for an ISP as my day job and we do not allow anything on Port 25.

They block port 25 for their end user customers. I think you may be confused between an ISP blocking port 25 for its end users to send mail, and how servers send mail to other servers.

The ISP still sends mail to other servers on port 25. Port 25 is the Internet SMTP port. If you disable it, you will break mail for your server.

Mail servers always use port 25 to send mail to other servers. That is the Internet standard, and there are no alternate ports. If you block port 25, mail servers that are trying to send mail to your server will only see that port 25 is blocked, and they will not automatically try port 587, because that is not what port 587 is for. Your server will simply not receive any mail because the sending servers will see only that port 25 is blocked, and give up.

Port 587 is the mail submission port, not the port that mail servers use to talk to each other. It is the port to which a mail client (Outlook, Thunderbird) connects on a server. However, once the server gets the message to be sent from a client, it contacts the remote mail server at the message's destination on port 25, every time.

Blocking port 25 will certainly prevent your customers from sending mail on it, but it will also block all other servers on the Internet from sending mail to your server, effectively breaking mail.
 

bluerayconcepts

Ok, that's what I'm getting at. Not blocking it totally but rather not to allow outgoing connections to it.

So back to my original question:
Is there a way to see log port usage connections so I can see if there is anyone using port 25 for outgoing connections?
 

quietFinn

> Ok, that's what I'm getting at. Not blocking it totally but rather not to allow outgoing connections to it.
>
> So back to my original question:
> Is there a way to see log port usage connections so I can see if there is anyone using port 25 for outgoing connections?

You don't need to check anything, you can block outgoing connections on port 25, except for root, exim and mailman.
If you use CSF you set:

Code:
SMTP_BLOCK = "1"
# Block outgoing SMTP except for root, exim and mailman (forces scripts/users to use the exim/sendmail binary instead of sockets access)
 

bluerayconcepts

I want to check so that if there are any customers using port 25 I can preemptively call them to get them to change to 587. This way I don't get a lot of calls from ticked off customers that they can't send.

I know about CSF; I have been using it for the last 4 years.

I want to check.
 

quietFinn

> I want to check so that if there are any customers using port 25 I can preemptively call them to get them to change to 587.

I don't quite understand... where should they do that change?
 

Tom Risager

Well-Known Member
Jul 10, 2012
116
6
18
Copenhagen, Denmark
cPanel Access Level
Root Administrator
iptables could do it for you: linux - How to log the ip addresses trying to connect to a port? - Server Fault

I'm not sure I understand why you want to call them and make them change to 587, though. Usually you would provide an alternative port to allow them to connect to the SMTP server even if their ISP is blocking port 25. If port 25 works for them then there is no issue. And like others have pointed out, you cannot really block port 25 and have a working email service.
 

bluerayconcepts

I am not sure why my question was not understood.

Basically I do not want anyone on my server using port 25 for outgoing. I want them all using 587. So I want to see if anyone on the server is using port 25 to send email. If there are then I can figure out who it is and I can contact them and get them moved over to 587 with smtp auth.

Not sure why that has been so hard to understand. Rather than just disabling outgoing port 25, yes I understand that incoming port 25 must stay open for other servers to connect, and then having customers call pissed off because they can't send.

Essentially, I do not want to allow port 25 for outgoing mail connections. Not sure why that's hard to understand.
 

quietFinn

> Essentially, I do not want to allow port 25 for outgoing mail connections. Not sure why that's hard to understand.

It is not hard to understand.
But you don't seem to understand that emails sent out from your server are always sent on port 25.
 

bluerayconcepts

No I get that. I apologize if I didn't make that clear.
I understand, or at least I believe I do (correct me if I am wrong), that server-to-server mail uses port 25 to send.

I don't want my customers connecting to our server using port 25 to send mail. I want them all using 587.
 

quietFinn


bluerayconcepts

So I have been watching logs and trying to catch some glimpse of something maybe I missed due to continually being blocked by Hotmail and Brightmail.

Something I keep seeing is the following:
2013-07-28 09:08:58 [10237] SMTP connection from [186.176.119.38]:58183 I=[162.209.14.192]:25 (TCP/IP connection count = 1)
2013-07-28 09:08:58 [11675] no host name found for IP address 186.176.119.38
2013-07-28 09:08:58 [11675] list matching forced to fail: failed to find host name for 186.176.119.38
2013-07-28 09:08:58 [11675] list matching forced to fail: failed to find host name for 186.176.119.38

I am presuming this is someone trying to connect to port 25 trying to send email but failing.
 

cPanelMichael

That is an SMTP connection to your server on port 25. It fails because there is no reverse DNS entry for that IP address pointing to a host name.

Thank you.
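One way to answer the question asked in this thread from the Exim log itself, as an added example that is not from any poster or from cPanel: list the logins that authenticate and submit mail on port 25, leaving out unauthenticated server-to-server deliveries. It assumes the log records the local port on reception lines (as the `I=[...]:25` in the lines quoted above suggests) and an `A=authenticator:login` field for authenticated mail; the sample lines, logins and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in Exim main-log style (not taken from the thread).
# All addresses are from documentation ranges.
SAMPLE_LOG = """\
2013-07-28 09:08:58 [10237] SMTP connection from [203.0.113.99]:58183 I=[192.0.2.1]:25 (TCP/IP connection count = 1)
2013-07-28 09:10:02 [10301] 1V3QbC-0002fG-7x <= alice@example.com H=(laptop) [203.0.113.10]:51234 I=[192.0.2.1]:25 P=esmtpa A=dovecot_login:alice@example.com S=1840
2013-07-28 09:11:15 [10322] 1V3QcN-0002fb-9a <= bob@example.net H=(desktop) [203.0.113.22]:40112 I=[192.0.2.1]:587 P=esmtpsa A=dovecot_plain:bob@example.net S=2210
2013-07-28 09:12:40 [10340] 1V3Qdk-0002ft-Bc <= news@sender.example H=mx.sender.example [198.51.100.7]:33910 I=[192.0.2.1]:25 P=esmtp S=5120
2013-07-28 09:14:03 [10361] 1V3Qf5-0002gE-Dd <= alice@example.com H=(laptop) [203.0.113.10]:51302 I=[192.0.2.1]:25 P=esmtpa A=dovecot_login:alice@example.com S=990
"""

# "[remote ip]:port I=[local ip]:port" as logged on message-reception lines.
ENDPOINTS = re.compile(r"\[([0-9A-Fa-f.:]+)\]:\d+ I=\[[^\]]+\]:(\d+)")
# "A=<authenticator>:<login>" is only present when the client authenticated.
AUTH = re.compile(r" A=[^\s:]+:(\S+)")


def authenticated_submissions(lines, port=25):
    """Return {login: {"count": n, "ips": set}} for authenticated mail accepted on `port`."""
    users = defaultdict(lambda: {"count": 0, "ips": set()})
    for line in lines:
        if " <= " not in line:       # only message-reception lines
            continue
        ends, auth = ENDPOINTS.search(line), AUTH.search(line)
        if not ends or not auth:     # no port logged, or unauthenticated (server-to-server) mail
            continue
        remote_ip, local_port = ends.group(1), int(ends.group(2))
        if local_port != port:
            continue
        entry = users[auth.group(1)]
        entry["count"] += 1
        entry["ips"].add(remote_ip)
    return dict(users)


if __name__ == "__main__":
    # To run against a real log, pass an open log file instead of the sample lines.
    for login, info in authenticated_submissions(SAMPLE_LOG.splitlines()).items():
        print(login, info["count"], sorted(info["ips"]))
```

Unauthenticated receptions on port 25 are deliberately ignored, since those are other mail servers delivering to the host and must keep working.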