Will blocking port 25 on a router cripple Outlook clients?

I work at a small ISP, we manage about 60 buildings with p2p radios and a main cisco router at a central location. Recently we were notified that a phishing domain is associated with one of our IPs. When tracing the IP, the tracert hops along 20-60 client machines before hitting the trace target.

If I block SMTP traffic (port 25) at the router, will people using Outlook not be able to send emails? Or would this only stop the type of traffic I'm trying to stop (spambots hosted on our network)?


Solution 1:

Blocking outbound connections to destination TCP port 25 is something that a lot of ISPs do today. While I don't particularly like it, it's a pretty typical thing that gets done.

So long as you publish to your users that you're making this change, and perhaps take some packet captures to pre-emptively see who might be affected by the change, I think it's reasonable. I'd give users who have a legitimate need a way to opt out, as well.

Outlook shouldn't be your concern. Rather, you should be thinking about SMTP flow in general.

In the "old days" individual users often ran an email client configured to send email to a remote server on TCP port 25. Increasingly, with ISPs blocking outbound TCP port 25, many corporate email servers have moved to using TCP port 587 (the SMTP "submission" port). Arguably, using port 587 is the right configuration anyway, but you may have some Customers who are using servers that have lagged behind current trends.

Outlook, when deployed for corporate users, typically doesn't use SMTP / IMAP / POP, etc. Rather, you'll see Outlook talking to an Exchange Server computer over HTTPS (which is used to encapsulate Microsoft's proprietary RPC, MAPI, and ActiveSync protocols) or a VPN. Likewise, most mobile phone clients that are talking to a Microsoft Exchange Server computer will also be using HTTPS encapsulating the ActiveSync protocol.
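As an added example, not part of the answer above: a Python script that does the "who will be affected" check the answer suggests, and then renders the opt-out-capable Cisco IOS ACL. It reads NetFlow-style flow records (a constructed sample is embedded; real ones would come from your router's flow export or from summarising a capture), sorts client IPs into spambot-like senders (many distinct port-25 destinations, which is the signature of a host delivering straight to recipient MXs), legacy users who still submit to a single server on port 25, and users already on 587/465. The customer range 10.0.0.0/8, the interface name, the fan-out threshold and all addresses are assumptions made for this example; the fan-out heuristic is mine, not something the answer describes.

```python
"""Find who actually sends on TCP/25 before blocking it, then build the ACL.

Added example (not from the original post). The customer range, interface
name, fan-out threshold and the flow lines below are constructed assumptions.
"""
from collections import defaultdict

# Constructed sample: one flow per line, "timestamp,src,dst,dport,packets".
# Customers are assumed to sit in 10.0.0.0/8; destinations use RFC 5737 ranges.
SAMPLE_FLOWS = """\
2024-03-01T09:00:01,10.0.5.17,203.0.113.10,25,12
2024-03-01T09:00:04,10.0.5.17,203.0.113.10,25,9
2024-03-01T09:05:30,10.0.5.17,203.0.113.10,25,11
2024-03-01T09:00:02,10.0.9.40,203.0.113.10,587,14
2024-03-01T09:00:03,10.0.9.41,198.51.100.5,465,15
2024-03-01T09:00:02,10.0.9.40,198.51.100.80,443,40
""" + "".join(
    # A spambot-style host: one short flow to each of 25 distinct MX hosts.
    f"2024-03-01T09:01:{i:02d},10.0.7.3,192.0.2.{i + 1},25,4\n" for i in range(25)
)

SUBMISSION_PORTS = {587, 465}


def parse_flows(text):
    """Parse comma-separated flow lines into dicts, skipping comments and blanks."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, packets = line.split(",")
        flows.append({"ts": ts, "src": src, "dst": dst,
                      "dport": int(dport), "packets": int(packets)})
    return flows


def summarize_mail_flows(flows):
    """Per source IP: distinct port-25 destinations, port-25 flows, submission flows."""
    summary = defaultdict(lambda: {"p25_dsts": set(), "p25_flows": 0,
                                   "submission_flows": 0})
    for flow in flows:
        if flow["dport"] == 25:
            entry = summary[flow["src"]]
            entry["p25_dsts"].add(flow["dst"])
            entry["p25_flows"] += 1
        elif flow["dport"] in SUBMISSION_PORTS:
            summary[flow["src"]]["submission_flows"] += 1
    return dict(summary)


def classify_senders(summary, fanout_threshold=10):
    """Split senders into three buckets.

    A mail client submits to one or two smarthosts; a spambot delivers
    straight to many recipient MXs, so fan-out on port 25 is the signal.
    The threshold is an assumed starting point; tune it against your own data.
    """
    result = {"likely_spambot": [], "legacy_port25_users": [], "unaffected": []}
    for src, entry in sorted(summary.items()):
        if len(entry["p25_dsts"]) >= fanout_threshold:
            result["likely_spambot"].append(src)
        elif entry["p25_flows"]:
            result["legacy_port25_users"].append(src)
        else:
            result["unaffected"].append(src)
    return result


def build_cisco_acl(customer_net, customer_wildcard, exempt_hosts,
                    acl_name="BLOCK-SMTP-OUT", interface="GigabitEthernet0/1"):
    """Render an IOS extended ACL: opt-out hosts first, then deny dst 25, permit rest."""
    lines = [f"ip access-list extended {acl_name}"]
    for host in exempt_hosts:
        lines.append(f" permit tcp host {host} any eq 25")
    lines.append(f" deny tcp {customer_net} {customer_wildcard} any eq 25 log")
    lines.append(" permit ip any any")
    # Applied inbound on the customer-facing interface (assumed name), i.e. to
    # traffic arriving from the clients before it is routed towards the Internet.
    lines += [f"interface {interface}", f" ip access-group {acl_name} in"]
    return "\n".join(lines)


if __name__ == "__main__":
    buckets = classify_senders(summarize_mail_flows(parse_flows(SAMPLE_FLOWS)))
    for name, hosts in buckets.items():
        print(f"{name}: {', '.join(hosts) or '-'}")
    # Legacy port-25 users who cannot move to 587 yet go on the opt-out list.
    print(build_cisco_acl("10.0.0.0", "0.255.255.255", buckets["legacy_port25_users"]))
```

Run as-is, the sample puts 10.0.7.3 in the spambot bucket, 10.0.5.17 in the legacy bucket (a candidate for an opt-out entry until it moves to 587), and the 587/465 users in the unaffected bucket. Order matters in the ACL: the per-host permits must precede the deny, and the final `permit ip any any` is what keeps every other protocol, including the HTTPS that Outlook-to-Exchange traffic rides on, flowing.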

Solution 2:

While most users should use ports 465 or 587 to submit mail to their providers, you can't be sure of this, and there might be many users who still use port 25 (e.g. with STARTTLS or even unencrypted).