Close port 25 to clients but open for mail servers?

Discussion in 'E-mail Discussion' started by keat63, Dec 19, 2018.

  1. keat63

    keat63 Well-Known Member

    I've sort of discussed this on here before, but don't recall me finding a solution.
    Maybe there is no solution.

    In CSF I have all email ports closed globally, but whitelisted the UK.
    I also have CSF configured, in the event that you fail authentication three times, the IP is blacklisted.

    The problem I have is that I can't close port 25.
    If I do so, then this closes the port for legitimate traffic, i.e. other mail servers, which then kills all email.

    A consequence of this means that I still see failed global SMTP authentication attempts, I can only assume potential bad guys trying to authenticate on port 25.

    It's not a huge problem as I guess 99% of authentication attempts are probably already being denied in the background, and the remaining 1% are being blacklisted after 3 failed attempts.
    It doesn't stop them retrying though, sometimes resulting in a Block C blacklisting.

    Is it possible to somehow have port 25 closed to clients, but open to servers?
    Do mail servers do some form of handshake to say "hey, I'm a server"?
     
    #1 keat63, Dec 19, 2018
    Last edited: Dec 19, 2018
  2. GOT

    GOT Get Proactive! PartnerNOC

    Doing what you are suggesting is not possible afaik. Ports are either open or closed in the firewall; it can't make a distinction between a server connection and a client connection.
     
  3. keat63

    keat63 Well-Known Member

    Yes, I suspect this is the case.
     
  4. sparek-3

    sparek-3 Well-Known Member

    No, they do not.

    Your only solution is to require SMTP authentication for relaying mail (sending mail from the server to domains that don't exist on your server ... i.e. exist in /etc/localdomains).

    That's how the distinction is made.

    If a connection comes into your mail server and its recipient domain is not a local domain... then that connection is relaying out mail. You will want to restrict who can relay out mail to properly authenticated accounts.

    If a connection comes into your mail server and its recipient domain is a local domain... then the message is delivered appropriately to the account as stated... assuming it exists.
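
The relay distinction described in the post above, as an added example that is not part of the original post and is not Exim's or cPanel's own code: a simplified Python model of the per-recipient decision, in which mail for a local domain is accepted without authentication and relaying to any other domain requires an authenticated session. The function names and the sample domains are assumptions constructed for illustration.

```python
# Simplified model of the accept/relay decision an MTA makes at RCPT TO time.
# Not Exim's real ACL logic; names and sample data are constructed.

# Constructed sample in the one-domain-per-line style of /etc/localdomains.
SAMPLE_LOCALDOMAINS = "example.co.uk\nshop.example.co.uk\n"


def load_local_domains(text):
    """Return the set of locally hosted domains, normalised to lower case."""
    domains = set()
    for line in text.splitlines():
        name = line.strip().rstrip(".").lower()
        if name:
            domains.add(name)
    return domains


def recipient_domain(rcpt):
    """Extract the domain from an RCPT TO argument such as '<user@Example.com>'."""
    addr = rcpt.strip().lstrip("<").rstrip(">").strip()
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        return None  # no '@', empty local part, or empty domain
    return domain.rstrip(".").lower()


def rcpt_decision(rcpt, local_domains, authenticated):
    """Decide what to do with one recipient on an inbound port 25 session."""
    domain = recipient_domain(rcpt)
    if domain is None:
        return "reject: malformed recipient"
    if domain in local_domains:
        # Inbound delivery from another mail server: no authentication needed.
        return "accept: local delivery"
    if authenticated:
        # Outbound relay for one of the server's own users.
        return "accept: authenticated relay"
    # Unauthenticated attempt to send through the server to a foreign domain.
    return "reject: relay not permitted"


if __name__ == "__main__":
    local = load_local_domains(SAMPLE_LOCALDOMAINS)
    for rcpt, authed in [("<alice@Example.co.uk>", False),
                         ("<bob@elsewhere.test>", False),
                         ("<bob@elsewhere.test>", True)]:
        print(rcpt, authed, "->", rcpt_decision(rcpt, local, authed))
```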
     
  5. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Hello @keat63,

    I concur with the other posts here. Let us know if you have any additional questions.

    Thank you.
     
  6. keat63

    keat63 Well-Known Member

    Hi Sparek

    I don't quite follow.
    However, I'm confident that I'm pretty much locked down, so I'll settle with what I have I guess.
     