
Port 25 (SMTP)


Quick Info

Port Number: 25
Protocol: TCP
Service: SMTP
IANA Name: SMTP

Service Description

Port 25 is the standard TCP port for the Simple Mail Transfer Protocol (SMTP), the protocol used to transmit email messages between mail servers. Historically it served both for sending mail from a client to a mail server (mail submission) and for relaying mail between mail servers (mail transfer). Because of security concerns and the rise of spam, modern email systems use port 587 (the message submission port, handled by a Message Submission Agent) for client-to-server submission, secured either with STARTTLS on 587 or with implicit TLS on port 465 (once deprecated, now commonly used for implicit TLS submission). Port 25 remains primarily for mail transfer between servers.

SMTP operates over TCP. A client (typically another mail server) opens a connection to the server on port 25, and the server answers with a greeting. The client then identifies itself with the `EHLO` or `HELO` command. A sequence of commands follows: `MAIL FROM:` (the sender's address), `RCPT TO:` (a recipient's address, repeated once per recipient), and `DATA` (after which the message content itself is transmitted). Once the data has been sent, the server responds with an acknowledgment code. The connection can then carry further messages or be closed with the `QUIT` command. To find the mail server responsible for a destination domain, SMTP relies on that domain's DNS MX records.
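As an added illustration (not part of this page), here is the server side of the exchange just described, written as a small Python state machine; the hostname `mx.example.com`, the local domain `example.com` and the sample session are constructed. It also refuses `RCPT TO` for domains it is not responsible for, which is the check that keeps a server from becoming the open relay discussed under Security Information.

```python
HOST = "mx.example.com"           # constructed server name (not from the page)
LOCAL_DOMAINS = {"example.com"}   # constructed: domains this server accepts mail for

def _addr(arg):
    # 'FROM:<alice@example.net>' -> 'alice@example.net'  (missing arg -> '')
    return arg.split(":", 1)[-1].strip().strip("<>").lower()

def run_session(client_lines, local_domains=LOCAL_DOMAINS):
    """Feed client command lines to the state machine; return (replies, queued)."""
    replies, queued = [f"220 {HOST} ESMTP"], []
    helo = sender = None
    rcpts, body, in_data = [], [], False
    for line in client_lines:
        if in_data:                           # inside DATA: body until a lone "."
            if line == ".":
                queued.append((sender, rcpts, "\r\n".join(body)))
                sender, rcpts, body, in_data = None, [], [], False
                replies.append("250 OK: queued")
            else:                             # undo dot-stuffing of body lines
                body.append(line[1:] if line.startswith("..") else line)
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            helo = arg
            replies.append(f"250 {HOST}")
        elif verb == "MAIL" and helo is None:
            replies.append("503 send HELO/EHLO first")
        elif verb == "MAIL":
            sender = _addr(arg)
            replies.append("250 OK")
        elif verb == "RCPT" and sender is None:
            replies.append("503 need MAIL FROM first")
        elif verb == "RCPT" and _addr(arg).rpartition("@")[2] not in local_domains:
            replies.append("554 5.7.1 relay access denied")   # refuse to act as an open relay
        elif verb == "RCPT":
            rcpts.append(_addr(arg))
            replies.append("250 OK")
        elif verb == "DATA" and not rcpts:
            replies.append("503 need RCPT TO first")
        elif verb == "DATA":
            in_data = True
            replies.append("354 end data with <CRLF>.<CRLF>")
        elif verb == "QUIT":
            replies.append("221 bye")
            break
        else:
            replies.append("500 command not recognized")
    return replies, queued
```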

Firewall Recommendations

Blocking inbound port 25 on your network is generally recommended unless you are operating a mail server that directly receives mail from the internet. For outbound traffic, it is crucial to implement strict filtering policies to prevent internal machines from directly sending email to the internet. Instead, route all outbound email through a designated mail server (MSA) using port 587 with TLS. If you must allow inbound port 25, implement robust security measures, including strict access controls, spam filtering, and regular security audits. Consider using SPF, DKIM, and DMARC to authenticate email and prevent spoofing. Keep your SMTP server software up to date with the latest security patches. Monitor SMTP traffic for suspicious activity, such as high volumes of outbound mail or connections from unusual locations.

Security Information

Port 25 is a prime target for attackers due to its fundamental role in email communication and its historical use without encryption. Open relay servers, which accept and forward mail from any source, are highly susceptible to abuse for spam distribution. Attackers can exploit misconfigured or outdated SMTP servers to relay spam, phish, or distribute malware. Servers running vulnerable versions of SMTP software can be compromised through buffer overflows, command injection, or other vulnerabilities. Even properly configured servers can be targeted with denial-of-service (DoS) attacks. The lack of proper authentication and authorization mechanisms in older SMTP implementations makes them susceptible to spoofing and unauthorized access. Attackers may also attempt to harvest email addresses from open SMTP servers or use them to launch brute-force attacks against user accounts.

Known Vulnerabilities

| CVE | Name | Severity | Description |
| --- | --- | --- | --- |
| CVE-2023-51765 | Exim SMTPd TLS Improper Certificate Validation Vulnerability | High | A vulnerability exists in Exim's SMTPd where it may not properly validate TLS certificates, potentially allowing man-in-the-middle attacks. |
| CVE-2023-42115 | Citrix ShareFile Storage Zones Controller - Remote Code Execution | Critical | This vulnerability allows remote attackers to execute arbitrary code on affected installations of Citrix ShareFile Storage Zones Controller. Authentication is not required to exploit this vulnerability. |
| CVE-2020-14386 | Postfix before 3.5.6 has a local root privilege escalation vulnerability | High | Postfix before 3.5.6 has a local root privilege escalation vulnerability because of incorrect handling of setgid programs that are executed with the owner's permissions. This is related to the postdrop program. |

Malware Associations

  • Cutwail Botnet
  • Rustock Botnet
  • Necurs Botnet
  • Spamhaus Blacklist
  • Various Email Phishing Campaigns

Common Software

  • Postfix
  • Sendmail
  • Microsoft Exchange Server
  • Exim
  • Qmail
  • Zimbra
  • hMailServer
  • Courier Mail Server
  • Kerio Connect
  • OpenSMTPD

ScaniteX scans millions of IPs to find devices with specific ports open. Perfect for security research and network auditing.