Open Ports on Exchange Server

By jlbpotter
I have Exchange 5.5 running on an NT4 SP6 server. I am not very familiar with TCP ports, so I would be glad to get some assistance on this. I am using a program called Active Ports that views all open ports on the server and what they are connecting to. I am getting a lot of them that are using msexcimc.exe, which is part of Exchange. A lot of these, though, are connecting to public IPs that I am not associated with. The program shows that they are using either TCP or UDP and connecting to varying local ports, but the remote port is usually port 25, which I know is SMTP. The state of these connections is constantly changing. I get the following connection states: "Established, Listen, Syn_Sync, etc." I can do an nslookup on these IPs but it doesn't tell me much. A couple of the IPs that are connecting are 207.69.200.82, 207.69.200.66, 199.105.206.55. If anybody could give me some pointers on figuring this out I would appreciate it.

by Curacao_Dejavu In reply to Open Ports on Exchange Se ...

The first step is, if possible, to put the Exchange behind a firewall (proxy server, ISA Server, or a hardware-based firewall).
Second, keep up to date with the patches for NT and Exchange.
Make sure that nobody can use your server as a relay station.
(Go into the Internet Mail Connector, Routing, and add only the ranges that may relay, if any.)

This can help a little:
http://support.microsoft.com/default.aspx?scid=kb;en-us;148732

and
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/exchange/exchange55/support/exchsec.asp

Established means an actual connection.
Listen means, well, listening/waiting.

People are trying to connect to the server.
It doesn't necessarily mean they actually connect if the server is secure.
With respect to the IP address, it's better to do a traceroute to see who they are and where they come from (in combination with netsol, this could give you an idea of which domain they are coming from).
If you suspect they are using your server to relay (check the routing again), activate the log files and go through them.
www.dsbl.org can check if your email server is relaying messages.

And one of the best places (except MS) where you can find information regarding Exchange is at:
http://www.msexchange.org/faq/


Leopold

by Curacao_Dejavu In reply to

I found 2 more links regarding security on an Exchange server:
http://www.eventlogscan.com/
http://www.emailsecuritytest.com/

Leopold

by jlbpotter In reply to

Poster rated this answer.

by CG IT In reply to Open Ports on Exchange Se ...

Exchange SMTP is on port 25 inbound and outbound. The different states of the port status are based on how you have Exchange set up to deliver and receive mail. Immediate delivery and receive will show port 25 very active. If you want to know "WhoIs" 207.69.200.82, just do a WhoIs lookup. 207.69.200.82 is Earthlink / Mindspring.

by CG IT In reply to

http://name.space.xs2.net/cgi-bin/whois.pl is a link for a WhoIs lookup. Just type in the IP address and it will tell you WhoIs.
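
To separate the server's own outbound mail deliveries (remote port 25) from hosts connecting in to it (local port 25), as discussed in this thread, the following added example, which is not part of the original posts, classifies rows of `netstat -an` output. The sample rows are constructed and every address in them is an assumed value from the documentation ranges, with 192.0.2.10 standing in for the Exchange server.

```python
import re
from collections import Counter

# Constructed sample in the column layout of Windows `netstat -an`.
# 192.0.2.10 is an assumed address for the mail server.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1045        198.51.100.82:25       ESTABLISHED
  TCP    192.0.2.10:1046        198.51.100.66:25       SYN_SENT
  TCP    192.0.2.10:1047        198.51.100.82:25       TIME_WAIT
  TCP    192.0.2.10:25          203.0.113.55:3312      ESTABLISHED
  TCP    192.0.2.10:139         192.0.2.44:1029        ESTABLISHED
  UDP    0.0.0.0:135            *:*
"""

ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")
SMTP = 25

def classify(netstat_text):
    """Split TCP rows into SMTP listeners, inbound, outbound and other."""
    result = {"listening": [], "inbound": [], "outbound": [], "other": []}
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, UDP rows (no state column), blank lines
        _lip, lport, rip, rport, state = m.groups()
        lport, rport = int(lport), int(rport)
        if state == "LISTENING":
            kind = "listening" if lport == SMTP else "other"
        elif rport == SMTP:
            kind = "outbound"   # this server is delivering mail to rip
        elif lport == SMTP:
            kind = "inbound"    # rip connected in: delivery or relay attempt
        else:
            kind = "other"
        result[kind].append((rip, state))
    return result

def peers(rows):
    """Count connections per remote IP, busiest first."""
    return Counter(ip for ip, _ in rows).most_common()

if __name__ == "__main__":
    r = classify(SAMPLE)
    print("outbound SMTP peers:", peers(r["outbound"]))
    print("inbound SMTP peers: ", peers(r["inbound"]))
```

Outbound peers should match the domains your users send mail to; inbound peers are the ones to compare against the relay restrictions and the connector logs.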

by jlbpotter In reply to Open Ports on Exchange Se ...

This question was closed by the author
