Exchange and Port Blocking

Post by Brad Fru » Sat, 11 May 2002 23:33:45



We have an Exchange 2000 server with SP2.

We are currently blocking all ports except:

TCP port 25
TCP port 53
TCP port 80
TCP port 110
TCP port 135
TCP port 1494
TCP port 1723
UDP port 53
UDP port 135

And we are allowing all ICMP traffic to come in.

The problem is that when we apply this access list on the router, we
can't send any SMTP messages out from the server and the queue becomes
full.  We can receive messages, but we cannot send messages.  Are we
missing any ports that should be allowed through?

Brad Fruth


Exchange and Port Blocking

Post by Kirill S. Palagi » Sat, 11 May 2002 23:40:02


From Exchange Server's keyboard run
telnet outside.SMTP.server 25

What is the response?


> We have an Exchange 2000 server with SP2.

> We are currently blocking all ports except:

> TCP port 25
> TCP port 53
> TCP port 80
> TCP port 110
> TCP port 135
> TCP port 1494
> TCP port 1723
> UDP port 53
> UDP port 135

> And we are allowing all ICMP traffic to come in.

> The problem is that when we apply this access list on the router, we
> can't send any SMTP messages out from the server and the queue becomes
> full.  We can receive messages, but we cannot send messages.  Are we
> missing any ports that should be allowed through?

> Brad Fruth


--
Corrections are welcome.
Please keep all discussions in NG, so that everybody can participate.

Kirill


Exchange and Port Blocking

Post by Robert Conno » Sun, 12 May 2002 00:19:29


Brad,

Are you allowing outbound connections for all of these ports?  If not, TCP 25
outbound should be open.  We run Exchange 5.5 and have a very similar list
of allowed outbound connections.  If you are receiving mail but not sending,
I would think outbound.

Robert


> We have an Exchange 2000 server with SP2.

> We are currently blocking all ports except:

> TCP port 25
> TCP port 53
> TCP port 80
> TCP port 110
> TCP port 135
> TCP port 1494
> TCP port 1723
> UDP port 53
> UDP port 135

> And we are allowing all ICMP traffic to come in.

> The problem is that when we apply this access list on the router, we
> can't send any SMTP messages out from the server and the queue becomes
> full.  We can receive messages, but we cannot send messages.  Are we
> missing any ports that should be allowed through?

> Brad Fruth



Exchange and Port Blocking

Post by Barry Margoli » Sun, 12 May 2002 00:23:29




>We have an Exchange 2000 server with SP2.

>We are currently blocking all ports except:

>TCP port 25
>TCP port 53
>TCP port 80
>TCP port 110
>TCP port 135
>TCP port 1494
>TCP port 1723
>UDP port 53
>UDP port 135

>And we are allowing all ICMP traffic to come in.

>The problem is that when we apply this access list on the router, we
>can't send any SMTP messages out from the server and the queue becomes
>full.  We can receive messages, but we cannot send messages.  Are we
>missing any ports that should be allowed through?

You need to allow the reply packets for outgoing connections back in.  On a
Cisco router, you do this with the "established" keyword:

access-list ### permit tcp any host <mailserver> established

--

Genuity, Woburn, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.


Exchange and Port Blocking

Post by Rich Matheisen [MVP » Sun, 12 May 2002 05:50:28



>We have an Exchange 2000 server with SP2.

>We are currently blocking all ports except:

>TCP port 25
>TCP port 53
>TCP port 80
>TCP port 110
>TCP port 135
>TCP port 1494
>TCP port 1723
>UDP port 53
>UDP port 135

>And we are allowing all ICMP traffic to come in.

>The problem is that when we apply this access list on the router, we
>can't send any SMTP messages out from the server and the queue becomes
>full.  We can receive messages, but we cannot send messages.  Are we
>missing any ports that should be allowed through?

As with any other sockets application there's an "ephemeral" port used
in the transfer of data. Port 25 is used for sending commands but
there's a dynamically assigned port above 1023 that's also used.

Where is the server? Is it in the DMZ or on your secured LAN? If it's
on the LAN, why on earth do you have port 135 open on the DMZ? YIKES!
If it's on the DMZ you don't have the correct set of ports opened,
either.

--
Rich Matheisen
MCSE+I, Exchange MVP
MS Exchange FAQ at http://www.swinc.com/resource/exch_faq.htm
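
As an added example (not part of any post in this thread), the following Python models the inbound access list from Brad's post as a stateless, first-match filter and shows what Barry's "established" keyword changes and what Rich's ephemeral-port point means for the packets that come back. The addresses, the ephemeral port number and the ACK-probe packet are constructed for illustration. It also goes one step beyond the thread by feeding in a UDP DNS reply, which "established" cannot help with because that keyword only applies to TCP.

```python
"""Stateless model of the inbound router ACL discussed in the thread.

Added example, not code from any of the posts. A Cisco-style inbound
access list is modelled as first-match rules ending in an implicit deny.
The 'established' keyword is modelled as IOS evaluates it: a match on TCP
segments carrying the ACK or RST flag, with no connection tracking at all.
All addresses and port numbers below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional

MAILSERVER = "192.0.2.10"      # assumed address of the Exchange server
REMOTE_MX = "198.51.100.25"    # assumed outside SMTP server we deliver to
RESOLVER = "198.51.100.53"     # assumed outside DNS resolver


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str] = frozenset()   # TCP flag names, e.g. {"SYN", "ACK"}


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp", "icmp" or "ip"
    dst: str = "any"            # destination host, or "any"
    dport: Optional[int] = None  # destination port, None = any port
    established: bool = False   # Cisco 'established': ACK or RST bit set

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.dst != "any" and self.dst != p.dst:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.established:
            # No state table on the router: only the flag bits are inspected.
            return p.proto == "tcp" and bool(p.flags & {"ACK", "RST"})
        return True


def evaluate(acl, packet: Packet) -> str:
    """First matching rule wins; an IOS access list ends with an implicit deny."""
    for rule in acl:
        if rule.matches(packet):
            return rule.action
    return "deny"


# The inbound list from the original post: listed destination ports plus all ICMP.
ORIGINAL_ACL = (
    [Rule("permit", "tcp", MAILSERVER, port) for port in (25, 53, 80, 110, 135, 1494, 1723)]
    + [Rule("permit", "udp", MAILSERVER, port) for port in (53, 135)]
    + [Rule("permit", "icmp")]
)

# Barry's fix: replies to connections the server opened are let back in.
FIXED_ACL = [Rule("permit", "tcp", MAILSERVER, established=True)] + ORIGINAL_ACL


def inbound_smtp_syn() -> Packet:
    """An outside host opening a new delivery to our port 25 (this always worked)."""
    return Packet("tcp", REMOTE_MX, 40000, MAILSERVER, 25, frozenset({"SYN"}))


def outbound_smtp_reply(ephemeral_port: int = 49152) -> Packet:
    """The SYN-ACK the outside MX returns when Exchange connects to its port 25.
    Rich's point: it is addressed to a dynamic port above 1023, never to 25."""
    return Packet("tcp", REMOTE_MX, 25, MAILSERVER, ephemeral_port, frozenset({"SYN", "ACK"}))


def ack_probe(dport: int) -> Packet:
    """A crafted segment with only ACK set, as an ACK scan sends it (constructed)."""
    return Packet("tcp", "203.0.113.7", 55555, MAILSERVER, dport, frozenset({"ACK"}))


def dns_reply(ephemeral_port: int = 50000) -> Packet:
    """A UDP answer from an outside resolver to the ephemeral port that queried it."""
    return Packet("udp", RESOLVER, 53, MAILSERVER, ephemeral_port)


if __name__ == "__main__":
    for name, acl in (("original list", ORIGINAL_ACL), ("with established", FIXED_ACL)):
        print(f"{name:17}: inbound SMTP SYN        -> {evaluate(acl, inbound_smtp_syn())}")
        print(f"{name:17}: reply to outbound SMTP  -> {evaluate(acl, outbound_smtp_reply())}")
        print(f"{name:17}: ACK probe to port 3389  -> {evaluate(acl, ack_probe(3389))}")
        print(f"{name:17}: UDP DNS reply           -> {evaluate(acl, dns_reply())}")
```

Running it shows the thread's symptom directly: under the original list the server's own outbound SMTP session dies at the SYN-ACK, while inbound deliveries to port 25 are fine, and adding the "established" line permits the reply. The two caveats worth knowing before relying on that keyword are also visible in the output. First, "established" is not stateful: any segment with ACK or RST set reaches any port on the server, so an ACK scan of the mailserver passes the filter and the list is only protecting against connection attempts, not arbitrary packets (reflexive access lists on IOS are the stateful alternative). Second, it only applies to TCP, so if the server resolves MX records through a resolver on the far side of the filter, the UDP answers to its ephemeral port are still dropped under both lists and need their own rule.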