
How to disable unencrypted communication on port 25

Posted: Sat Sep 06, 2025 7:29 am
by daniel
To disable unencrypted communication on port 25, you must configure your mail server to either refuse unencrypted connections or enforce the use of STARTTLS. The specific method depends on whether you are managing a client (sending mail) or a server (receiving mail) and what software you use.

For mail server administrators (Postfix, Exim)
Port 25 is primarily used for server-to-server (MTA to MTA) communication. The most effective protection is to require TLS encryption for all connections.

Enforce STARTTLS on Postfix
To prevent authentication over unencrypted connections on port 25, configure the server to reject plaintext authentication and offer the AUTH option only after a TLS session has been established.
  • Edit your master.cf file, typically located at /etc/postfix/master.cf.
  • Find the smtp service line and add the following options to require TLS before authentication:

Code:

smtp      inet  n       -       -       -       -       smtpd
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  • Restart Postfix for the changes to take effect.
Enforce STARTTLS on Exim
The approach for Exim is similar, using the auth_advertise_hosts and server_advertise_condition parameters to control when authentication is offered.
  • Edit your Exim configuration file, usually /etc/exim/exim.conf.
  • In the authenticators section, add a condition that prevents advertising AUTH to unencrypted connections:

Code:

auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}
You can also allow the loopback addresses if you need to:

Code:

auth_advertise_hosts = localhost : 127.0.0.1 : ::1 : ${if eq{$tls_cipher}{}{}{*}}
  • Restart Exim to apply the new configuration.
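A way to verify either configuration from the outside, added here as an example that is not part of the post and not code from Postfix or Exim: the script performs EHLO, STARTTLS and EHLO again against a listener you administer and reports whether AUTH is withheld until the session is encrypted. The host name, port and the sample EHLO replies are constructed placeholders.

```python
import smtplib
import ssl
import sys

# Constructed EHLO replies (not captured from a real server) for the offline demo.
SAMPLE_BEFORE = "250-mx.example.test\r\n250-PIPELINING\r\n250-STARTTLS\r\n250 8BITMIME"
SAMPLE_AFTER = "250-mx.example.test\r\n250-AUTH PLAIN LOGIN\r\n250 8BITMIME"

def parse_ehlo(reply: str) -> dict:
    """Turn a raw multi-line EHLO reply into {keyword: params}, lower-cased like smtplib."""
    feats = {}
    for line in reply.splitlines()[1:]:  # line 0 is the "250-hostname" greeting
        keyword, _, params = line[4:].partition(" ")  # drop the "250-" / "250 " prefix
        feats[keyword.lower()] = params
    return feats

def auth_gate_verdict(before: dict, after: dict) -> dict:
    """Compare EHLO feature maps captured before and after STARTTLS."""
    return {
        "starttls_offered": "starttls" in before,
        "auth_before_tls": "auth" in before,
        "auth_after_tls": "auth" in after,
    }

def is_compliant(verdict: dict) -> bool:
    """Policy: STARTTLS offered, no AUTH in the clear, AUTH available once encrypted."""
    return (verdict["starttls_offered"] and not verdict["auth_before_tls"]
            and verdict["auth_after_tls"])

def check_server(host: str, port: int = 25, verify_cert: bool = True) -> dict:
    """Live check against a listener you administer: EHLO, STARTTLS, EHLO again."""
    with smtplib.SMTP(host, port, timeout=15) as smtp:
        smtp.ehlo()
        before = dict(smtp.esmtp_features)  # smtplib lower-cases the keywords
        if "starttls" not in before:
            return auth_gate_verdict(before, {})
        ctx = ssl.create_default_context()
        if not verify_cert:  # e.g. a self-signed certificate on a lab host
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        smtp.starttls(context=ctx)
        smtp.ehlo()  # the feature list is reset after STARTTLS
        return auth_gate_verdict(before, dict(smtp.esmtp_features))

if __name__ == "__main__":
    if len(sys.argv) > 1:  # python check_auth_gate.py mail.example.test 25
        v = check_server(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 25)
    else:  # no arguments: run the offline demo on the constructed replies
        v = auth_gate_verdict(parse_ehlo(SAMPLE_BEFORE), parse_ehlo(SAMPLE_AFTER))
    print(v, "OK" if is_compliant(v) else "NOT COMPLIANT")
```

Note that Postfix with smtpd_tls_security_level=may and the Exim rule above still accept unencrypted sessions from peers that never issue STARTTLS; the script confirms only that credentials cannot be sent in the clear. Refusing plaintext outright on a public port-25 exchanger would reject mail from senders without STARTTLS support, so that is normally enforced on the submission ports instead.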
For client machines and network administrators
If you are a regular user or network admin, you can prevent unencrypted connections by blocking outgoing port 25 on your local network. Most modern email clients and providers use port 587 (with STARTTLS) or 465 (with implicit TLS) for secure email submission.

The server_advertise_condition and auth_advertise_hosts directives in Exim both control the advertisement of the AUTH command, but they operate at different levels.

auth_advertise_hosts: This is a global setting that defines the list of client hosts to which any authentication mechanism will be advertised. The example above ensures that the AUTH command is not offered at all to hosts that have not yet established a TLS connection. This is a good, general-purpose approach for securing all authenticators.

server_advertise_condition: This is a per-authenticator option that controls the advertisement of an individual authentication mechanism. It provides more granular control than auth_advertise_hosts. For instance, you could configure a specific authenticator (like the plaintext one) to be advertised only on port 587 and only after a TLS connection is active, while leaving other authenticators to be advertised differently.

By using auth_advertise_hosts globally, you can simplify your configuration and ensure that all authentication is restricted to secure connections. Using server_advertise_condition is for more advanced, fine-tuned control over specific authentication methods.

Block traffic with a firewall
Configure your firewall to block outbound traffic on port 25 for all devices except your mail server. This prevents malware on infected computers from using port 25 to send spam.
  • On Linux (with iptables):

    Code:

    # Reject forwarded outbound port 25 traffic from every source except the mail server.
    # Replace <mail_server_ip> with the server's address; "! -s" is the negation syntax iptables expects.
    iptables -A FORWARD -p tcp --dport 25 ! -s <mail_server_ip> -j REJECT
  • On a hardware firewall/router: Log in to your router's administration panel and find the firewall settings. Create a new rule to deny all outbound TCP connections on port 25, with an exception for your mail server's internal IP address.
Configure your email client
Ensure your email client (e.g., Outlook, Thunderbird) is configured to use the secure submission ports, typically 587 or 465, with STARTTLS or SSL/TLS encryption enabled. Do not use port 25 for sending mail unless you specifically manage the mail server.

Use an email relay service
For application-specific email sending, use a dedicated email relay provider that handles outbound mail securely. They will typically require authentication and TLS on ports like 587, and this completely bypasses the need for your local network to handle port 25 traffic.

LinkZero Automation tool

Log in to a shell as root and run the tool directly from the repository with the following command:

Code:

curl -sSL https://raw.githubusercontent.com/danpolltd/LinkZero/main/script/install.sh | sudo bash