zimbra sending without port 25?

zim_mike
Outstanding Member
Posts: 333
Joined: Sat Sep 13, 2014 3:26 am

zimbra sending without port 25?

Post by zim_mike »

Our server was recently blacklisted by a couple of automated blacklist services.
Automated services are the worst. It's been two days since we found and fixed the problem but these services won't clear our IP so we still have mail bouncing all over the place. It is absurd to me that anyone could set up a blacklist server and ultimately cause hardship to small companies that depend on their emails getting out.

That said, one of those companies offers this text:


>We strongly suggest blocking outgoing connections with a destination port of 25 TCP in your firewall for all systems not used as mail relays.

We have one mail server and all of our Linux servers relay via sendmail to that server. Sendmail is using port 25.
Since I don't deal with mail servers day in and out, it's easy for me to forget how things work and the question might sound pretty amateurish :).

SMTP servers send and receive email using port 25, right? Meaning, I could add a firewall rule on the Zimbra server to allow port 25 connections only from our known Linux servers.
Their suggestion seems to say block outgoing port 25, so how would worldwide servers receive email from our Zimbra server?

I'm missing something and it's very simple I'm sure.

Help!
Last edited by zim_mike on Wed Apr 26, 2023 5:41 pm, edited 2 times in total.
lytledd
Outstanding Member
Posts: 536
Joined: Sat Sep 13, 2014 12:54 am
ZCS/ZD Version: Release 9.0.0.ZEXTRAS.20221203 FOSS

Re: zimbra sending without port 25?

Post by lytledd »

>SMTP servers send and receive email using port 25, right? Meaning, I could add a firewall rule on the Zimbra server to allow port 25 connections only from our known Linux servers.
>Their suggestion seems to say block outgoing port 25, so how would worldwide servers receive email from our Zimbra server?

They're talking about for the end users.

I use ASSP for SPAM filtering and only accept port 587 (Submission port) for authentication. So, I have ASSP set to not allow authentication on port 25. As a bonus, I've got a Fail2Ban rule blocking those that do try to do auth on port 25.

As for my servers, I've got rules for them in ASSP to allow auth on 25, if they don't support anything else.

How you'd do this in SpamAssassin, I do not know, since I've never used it.

Doug
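
The distinction this reply draws, as an added example that is not part of the thread: the relay keeps delivering outbound on TCP 25, while every other internal host may only hand mail to the relay. The addresses, the `10.0.0.0/24` layout and the netfilter-LOG-style sample lines are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Assumed layout (not from the thread): one Zimbra relay, Linux hosts in 10.0.0.0/24.
MAIL_RELAYS = {ipaddress.ip_address("10.0.0.10")}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/24")

def classify(src, dst, dport):
    """Return the egress-policy verdict for one TCP connection."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dport != 25:
        return "not-smtp"                # e.g. submission on 587 is a separate rule
    if src in MAIL_RELAYS:
        return "allow-relay-outbound"    # the relay still delivers to the world on 25
    if dst in MAIL_RELAYS:
        return "allow-to-relay"          # internal hosts and remote MTAs reach the relay
    if src in INTERNAL_NET and dst not in INTERNAL_NET:
        return "block-direct-smtp"       # non-relay host speaking SMTP to the Internet
    return "not-egress"

# Constructed sample lines using the SRC=/DST=/DPT= keys of netfilter LOG output.
SAMPLE_LOG = """\
SRC=10.0.0.10 DST=198.51.100.25 PROTO=TCP SPT=41022 DPT=25
SRC=10.0.0.21 DST=10.0.0.10 PROTO=TCP SPT=50110 DPT=25
SRC=10.0.0.37 DST=203.0.113.80 PROTO=TCP SPT=39001 DPT=25
SRC=10.0.0.37 DST=203.0.113.81 PROTO=TCP SPT=39002 DPT=25
SRC=203.0.113.5 DST=10.0.0.10 PROTO=TCP SPT=2525 DPT=25
SRC=10.0.0.21 DST=198.51.100.9 PROTO=TCP SPT=50200 DPT=443
"""

FIELD = re.compile(r"(\w+)=(\S+)")

def audit(log_text):
    """Count direct-to-Internet SMTP attempts per non-relay source host."""
    offenders = Counter()
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if f.get("PROTO") != "TCP" or not {"SRC", "DST", "DPT"} <= f.keys():
            continue  # skip lines that are not complete TCP records
        if classify(f["SRC"], f["DST"], int(f["DPT"])) == "block-direct-smtp":
            offenders[f["SRC"]] += 1
    return dict(offenders)

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

A host that shows up in the `audit` result is one the firewall rule would have stopped, and is the first place to look when tracing what got the IP listed.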
zim_mike
Outstanding Member
Posts: 333
Joined: Sat Sep 13, 2014 3:26 am

Re: zimbra sending without port 25?

Post by zim_mike »

Thanks for the reply. I used ASSP in front of the mail server for a long time but ASSP and its never-ending addition of features and controls eventually overwhelmed me so I got rid of it.
I posted this thinking maybe I was not aware of some new methods that don't use port 25 or something but I guess like you say, that is not the case.
Rony
Posts: 46
Joined: Fri Jan 27, 2017 3:50 pm
Location: Canada-Montreal
ZCS/ZD Version: Zimbra 9.0.0_GA_4174

Re: zimbra sending without port 25?

Post by Rony »

Hello Mike,
I am having the same issues with my ISP blocking port 25.
I haven't found any solution yet and I am not as advanced as you are. Did you manage to bypass that?
The issue is not on the mail server as I have seen solutions to redirect 25 to another port but that will not solve it since nothing would pass the wan IP on port 25 to redirect it.
Thank you
L. Mark Stone
Ambassador
Posts: 2806
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.7 Network Edition

Re: zimbra sending without port 25?

Post by L. Mark Stone »

Rony wrote:

>Hello Mike,
>I am having the same issues with my ISP blocking port 25.
>I haven't found any solution yet and I am not as advanced as you are. Did you manage to bypass that?
>The issue is not on the mail server as I have seen solutions to redirect 25 to another port but that will not solve it since nothing would pass the wan IP on port 25 to redirect it.
>Thank you

This post is almost three years old. Suggest you contact your ISP if they are blocking TCP port 25 either outbound or inbound to find out why, rather than wait for a reply from the OP.
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
zim_mike
Outstanding Member
Posts: 333
Joined: Sat Sep 13, 2014 3:26 am

Re: zimbra sending without port 25?

Post by zim_mike »

Hi,

ISPs don't block port 25, that would be crazy on their part to get caught doing that.

@Rony,

>I am having the same issues with my ISP blocking port 25.
>I haven't found any solution yet and I am not as advanced as you are. Did you manage to bypass that?
>The issue is not on the mail server as I have seen solutions to redirect 25 to another port but that will not solve it since nothing
>would pass the wan IP on port 25 to redirect it.

If your provider is blocking port 25, you should file a complaint because they should not be doing that.

I'm not sure what you are facing but the point of that is simply not to allow unknown mail servers to send email out.
Email should always be sent from an authorized email server and not directly from any server as it will be seen as spam.

An official mail server simply means one that has everything set up correctly, forward/reverse DNS including in your provider's records if needed, SPF, DMARC, etc.
Rony
Posts: 46
Joined: Fri Jan 27, 2017 3:50 pm
Location: Canada-Montreal
ZCS/ZD Version: Zimbra 9.0.0_GA_4174

Re: zimbra sending without port 25?

Post by Rony »

Hi,

I didn't check the replies since my last post.
Thank you for your contributions.
In Canada, telecom regulations authorize the blocking of port 25 to avoid spamming from a private IP address; of course, that would not happen if my Zimbra server was set up with an external host provider.
So Bell, the largest fiber (and DSL) provider, does block some ports for outgoing messages. I purposely subscribed with them by taking a small business plan and they blocked the port as well, so I stopped the plan, and they still invoiced me despite me putting a prior condition about that blockage.
They are quite dishonest in their marketing approach. The representatives don't really talk to the technical teams, and they sell just words but no real results.
But the other major cable company, Videotron, doesn't block that port, so my server is working fine with them or any sub-provider which uses their services, like VMEDIA, which serves me. Despite the fact that they do not offer a business plan, it serves my purpose and is not expensive.
I cannot afford having an external host for my personal email server. I am not making any money out of it, I just manage it myself, and soon I need to migrate to V.10, a process I am not so comfortable with yet.