
Port 25 is the default port for incoming and outgoing mail flow. That does not mean you need to open port 25 to everyone for incoming and outgoing mail. Instead, for optimal security, Exchange Server port 25 should only be accessible from and to the cloud spam filter. In this article, you will learn how to limit access to and from port 25 on Exchange Server.

Spam filter

If you don’t have a third-party spam filter in the organization, you are asking for trouble. I recommend the SpamBull cloud spam filter as a third-party spam filter. It’s simple and easy to manage. If you have Microsoft Exchange Online Protection (EOP) as a hygiene solution, that’s okay.

Important: Always use a hygiene solution to filter incoming and outgoing mail.

Limit access to and from port 25 on Exchange Server

There are two possible organization configurations:

  • Exchange On-Premises
  • Exchange Hybrid

Let’s look at the best practices for configuring the firewall port 25 on Exchange Server.

Note: Some firewalls do not accept the hostname(s) of the third-party spam filter or Exchange Online endpoints, and you must enter their public IP addresses instead.

Limit access port 25 design

Exchange On-Premises

Mailboxes are on-premises. You route all mailboxes through the third-party spam filter.

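| Purpose       | Port | Source                  | Destination             |
|---------------|------|-------------------------|-------------------------|
| Inbound mail  | 25   | Third-party spam filter | Exchange Server         |
| Outbound mail | 25   | Exchange Server         | Third-party spam filter |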

Port 25 is only reachable between the third-party spam filter and Exchange Server. Nothing else can reach port 25, inbound or outbound.

Exchange Hybrid

Mailboxes are on-premises, in the cloud, or in both places. You route all mailboxes through EOP (Microsoft).

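| Purpose       | Port | Source                    | Destination               |
|---------------|------|---------------------------|---------------------------|
| Inbound mail  | 25   | Exchange Online endpoints | Exchange Server           |
| Outbound mail | 25   | Exchange Server           | Exchange Online endpoints |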

Port 25 is only reachable between the Exchange Online endpoints and Exchange Server. Nothing else can reach port 25, inbound or outbound.

Mailboxes are on-premises, in the cloud, or in both places. You route all mailboxes through the third-party spam filter.

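| Purpose       | Port | Source                  | Destination             |
|---------------|------|-------------------------|-------------------------|
| Inbound mail  | 25   | Third-party spam filter | Exchange Server         |
| Outbound mail | 25   | Exchange Server         | Third-party spam filter |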

Port 25 is only reachable between the third-party spam filter and Exchange Server. Nothing else can reach port 25, inbound or outbound.
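
To check an existing firewall against the design tables above, the following added example (not part of the original article) audits a rule export and flags every allow rule for TCP 25 that lets the Exchange Server talk to anything wider than the spam filter ranges. The rule format, rule names, and all IP addresses are constructed for illustration; take the real ranges from your spam filter vendor or Microsoft.

```python
import ipaddress

# Constructed sample values (private/documentation ranges), not from the article.
EXCHANGE = ipaddress.ip_network("10.0.0.25/32")
FILTER_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/28", "198.51.100.16/29")]

# Constructed rule export: (name, direction, action, protocol, port, source, destination)
RULES = [
    ("smtp-in-filter",  "in",  "allow", "tcp", 25,  "192.0.2.0/28", "10.0.0.25/32"),
    ("smtp-out-filter", "out", "allow", "tcp", 25,  "10.0.0.25/32", "198.51.100.16/29"),
    ("smtp-in-legacy",  "in",  "allow", "tcp", 25,  "0.0.0.0/0",    "10.0.0.25/32"),
    ("smtp-out-any",    "out", "allow", "tcp", 25,  "10.0.0.0/24",  "0.0.0.0/0"),
    ("https-in",        "in",  "allow", "tcp", 443, "0.0.0.0/0",    "10.0.0.25/32"),
    ("smtp-in-deny",    "in",  "deny",  "tcp", 25,  "0.0.0.0/0",    "10.0.0.25/32"),
]

def within_filter(net):
    """True only if every address in net belongs to an allowlisted filter range."""
    return any(net.subnet_of(f) for f in FILTER_NETS)

def audit_port25(rules):
    """Return (rule name, reason) for each allow rule that breaks the design table."""
    findings = []
    for name, direction, action, proto, port, src, dst in rules:
        if action != "allow" or proto != "tcp" or port != 25:
            continue
        src_net, dst_net = ipaddress.ip_network(src), ipaddress.ip_network(dst)
        # Inbound mail: Exchange is the destination, the peer is the source.
        # Outbound mail: Exchange is the source, the peer is the destination.
        target, peer = (dst_net, src_net) if direction == "in" else (src_net, dst_net)
        if target.overlaps(EXCHANGE) and not within_filter(peer):
            findings.append((name, f"{direction}bound peer {peer} is wider than the spam filter"))
    return findings

if __name__ == "__main__":
    for name, reason in audit_port25(RULES):
        print(f"{name}: {reason}")
```

Working with IP ranges rather than hostnames matches the note above about firewalls that require public IP addresses.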
