What are the dangers of opening port 25 to allow smtp traffic through? I have a windows server 2003 box which has port 25 blocked (Not by ISP), I know ISP's for usually block this port from use but as I need it for some php scripts I'm running that notify users by email, Is there any dangers or precautionary actions I should take?
Any advice would be appreciated,
Thanks Luke.
If you are thinking of unblocking port 25 on outbound traffic then no, not really. If you are wanting unblock port 25 on incomming traffic to receive email from external scripts into your internal mail server then you need to ensure you have the mail server configured to prevent relaying etc.
Related
I'm trying to test mail to send out emails from my VM at Microsoft Azure but I'm getting this errors!
Nov 3 06:33:22 devvm postfix/smtp[10942]: connect to alt1.gmail-smtp-in.l.google.com[142.250.150.27]:25: Connection timed out
Nov 3 06:33:22 devvm postfix/smtp[10942]: connect to alt1.gmail-smtp-in.l.google.com[2a00:1450:4010:c1c::1b]:25: Network is unreachable
Nov 3 06:33:22 devvm postfix/smtp[10942]: connect to alt2.gmail-smtp-in.l.google.com[2404:6800:4003:c00::1b]:25: Network is unreachable
Nov 3 06:33:22 devvm postfix/smtp[10942]: 4C7CABDD84: to=MyEmailRemoved#gmail.com>, relay=none, delay=57498, delays=57437/0.01/60/0, dsn=4.4.1, status=deferred (connect to alt2.gmail-smtp-in.l.google.com[2404:6800:4003:c00::1b]:25: Network is unreachable)
What I've tried to do is enabled port 25 from azure, but can't figure out how to fix this.
There is restriction of outbound SMTP connection from VMs. The direct SMTP connection from Azure is blocked to protect Azure data center public IP addresses from reputation abuse even if authenticated.
The Outgoing email messages that are sent directly to external domains like outlook.com and gmail.com on TCP port 25 from a virtual machine is possible only when the VM is deployed in certain subscription types.
Even for the VMs which are deployed in the Pay-as-you-go subscriptions the outbound SMTP connections on TCP port 25 are blocked. But you can remove this block if your Azure subscription is in good standing and has a sufficient payment history. You can request to have the restriction removed by going to the Cannot send email (SMTP-Port 25) section of the Diagnose and Solve blade for an Azure Virtual Network resource in the Azure portal.
Only for the virtual machines that are deployed in Enterprise Agreement subscriptions, the outbound SMTP connections on TCP port 25 will not be blocked.
As an workaround its recommended to use authenticated SMTP relay services to send email from Azure VMs. These relay services typically connect through TCP port 587. SendGrid is one such SMTP relay service, but there are others.
Read this Sending Email with Microsoft Azure document for detailed explanation on how to use SendGrid to send mails form Azure VMs.
And for more information on restriction of outbound SMTP connection from VM read this Troubleshoot outbound SMTP connectivity problems in Azure document.
Google's compute engine blocks all outgoing email ports by default. Quote from Compute Engine Documentation
Compute Engine blocks or restricts traffic through all of the following ports/protocols between the Internet and virtual machines, and between two virtual machines when traffic is addressed to their external IP addresses through these ports (this also includes load-balanced addresses):
> All outgoing traffic to port 25 (SMTP) is blocked.
Most outgoing traffic to port 465 or 587 (SMTP over SSL) is blocked, except for known Google IP addresses.
As a solution to this, Google advices the use of third-party sites like SendGrid to manage email. SendGrid can easily help you send email, but receiving emails is not so easy.
Installing an email client on the server won't help because the ports through which these clients need to communicate with other servers to receive emails remain blocked.
My question is what's the easiest solution to receiving email? SendGrid's solution is for sending emails, and the Compute Engine Documentation specifies this. I've installed postfix but all emails to my server receive timeout errors, and my inbox remains empty.
TL;DR - You're right outgoing email ports are blocked, but incoming email ports are not. If you open them, and run a mail server which listens for incoming emails - you can still receive them. You will need to use 3rd party email sender gateways like SendGrid only to send the emails.
Longer version
All outgoing traffic to port 25/465/587 are blocked so that people do not abuse GCE for sending out spam, phishing, etc. emails.
You can still run a mail server which just receives emails. In other words, there is no mention that incoming traffic to those ports are blocked. By default GCE firewall blocks all incoming traffic. You will have to open up these listening ports using firewall rules.
I'm using Mailgun instead of SendGrid. I forward all the emails to one of my gmail accounts using MailGun's forwarding rules. SendGrid too should have forwarding rules.
I have a simple PHP script. It works for any external IP on port 80 but any other port fails. I'm assuming it has to do with the host, so what am I missing to be able to check ports other than 80?
Most hosting systems prevent outgoing connections on other ports than 80 to prevent abuse, for example botscripts connecting to IRC servers or spamscripts connecting to SMTP hosts on 25.
Example hoster explanation.
I'm building an internal web-application in PHP that needs the ability to mail.
I've used the code listed here:
Send email using the GMail SMTP server from a PHP page
and it works like a charm, when I run it from my house. However, when I run the code from the office, I get the following:
Failed to connect to ssl://smtp.gmail.com:465 [SMTP: Failed to connect socket: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. (code: -1, response: )]
Any idea how to get around this?
Thanks,
-JWW
I agree with the responder above - this is most likely a firewall blocking outbound connections on port 465. You can either try TLS connection on port 587 or port 25 per Gmail's troubleshooting docs : http://support.google.com/mail/bin/answer.py?hl=en&answer=78775
If you are unable to get around this (if IT will not remove the blocks for example), you could try a third party API as a proxy. Our product http://PostageApp.com can use external mailservers such as Gmail, in addition to our own MTA, and communication is all through standard http REST calls, avoiding the firewall issue.
We're a paid service but have a free plan as well...if you would be sending more email than our free plan allows for (100/day), then you'll probably fall foul of Gmail's sending limits anyway which restrict third party clients to about 100/day outbound.
http://help.postageapp.com/kb/quick-start-guides/php
Disclaimer: I work for PostageApp
It's most probably a firewall at your workplace blocking outgoing connections to port 465. Did you try port 587 instead?
What are the pro and cons of using the SMTP host option of my choice?
Do sending mails from localhost require a specific SMTP host?
Is there any discernible difference on the receiving end between a mail sent via the server where the site resides and a dedicated mail server?
thanks
Luca
This depends if localhost refers to a public server with a proper DNS and reverse DNS entry, or if localhost is a machine you operate from a residential Internet Service Provider.
If localhost is a real server, outbound mails may be delivered a little faster if sent from the same server, and configuration in PHP & others is generally a lot simpler to setup.
If it isn't a proper server though, especially having proper DNS entries, the likelihood of much mail from it actually reaching recipients is low. Most receiving SMTP servers will reject mail if they cannot validate the source via a reverse DNS entry.
If you use a dedicated mail server, you get the benefit of all the inbound & outbound logging being on the same machine, and when receiving SMTP hosts lookup your domain's MX record in DNS, it will already be configured as the mail server rather than the web server. But this just requires a little more configuration on the web server, especially if the mail server requires authentication from the web server rather than treating it as a trusted relay sender.