<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Ports Required for SMTP access from DMZ in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/ports-required-for-smtp-access-from-dmz/m-p/5311845#M1121918</link>
    <description>&lt;P&gt;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1895822"&gt;@MasonCartor&lt;/a&gt;&amp;nbsp;I think the original poster most likely found the answer after 21 years. &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&lt;/P&gt;</description>
    <pubDate>Mon, 21 Jul 2025 12:29:42 GMT</pubDate>
    <dc:creator>Marvin Rhoads</dc:creator>
    <dc:date>2025-07-21T12:29:42Z</dc:date>
    <item>
      <title>Ports Required for SMTP access from DMZ</title>
      <link>https://community.cisco.com/t5/network-security/ports-required-for-smtp-access-from-dmz/m-p/245631#M1060022</link>
      <description>&lt;P&gt;We have a Windows 2000 Adv Server on a DMZ interface of a PIX firewall.  We are using native Windows SMTP services as a Front End server for Exchange mail.  Our Exchange server has a SmartHost entry that sends outbound mail to the server on the DMZ.  Our MX record points to the server on the DMZ for inbound traffic.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;We originally allowed DNS resolution and SMTP (Port 25) traffic to the server.  We've done this numerous times from the Internal interface of the PIX.  Yet, there apparently is at least one other port that needs to be opened up because the mail stays in the Queue of the SMTP server on the DMZ.  We got around the problem by opening up all outbound ports from that server.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;My question is: "Does anyone know what ports are required for an SMTP server to work on a PIX DMZ?"&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;</description>
      <pubDate>Fri, 21 Feb 2020 07:23:37 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ports-required-for-smtp-access-from-dmz/m-p/245631#M1060022</guid>
      <dc:creator>admin_2</dc:creator>
      <dc:date>2020-02-21T07:23:37Z</dc:date>
    </item>
    <item>
      <title>Re: Ports Required for SMTP access from DMZ</title>
      <link>https://community.cisco.com/t5/network-security/ports-required-for-smtp-access-from-dmz/m-p/245632#M1060024</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Should just be TCP/25 and probably DNS (UDP/53).  Probably the easiest way to figure out what other port it's using is to look at the active connections from this going through your PIX. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Let's say the IP address of the mail server is 10.1.1.1.  Doing:&lt;/P&gt;&lt;P&gt;&lt;B&gt;&lt;/B&gt;&lt;/P&gt;&lt;P&gt;sho conn | include 10.1.1.1&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;will give you all the connections.  This will tell you where it's connecting to and on what ports.  The output will look something like:&lt;/P&gt;&lt;P&gt;&lt;B&gt;&lt;/B&gt;&lt;/P&gt;&lt;P&gt;FW1(config)# sho conn | incl 10.1.1.1  &lt;/P&gt;&lt;P&gt;UDP out 10.2.2.1:17127 in 10.1.1.1:10655 idle 0:01:23 Bytes 1000&lt;/P&gt;&lt;P&gt;UDP out 10.2.2.1:18733 in 10.1.1.1:10477 idle 0:01:38 Bytes 1000&lt;/P&gt;&lt;P&gt;UDP out 10.3.3.2:18429 in 10.1.1.1:10789 idle 0:01:10 Bytes 1000&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The numbers after the colons are the port numbers on the connection.  Of course yours will show TCP and port 25 (and something else hopefully), but you get the idea.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 13 May 2004 22:39:40 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ports-required-for-smtp-access-from-dmz/m-p/245632#M1060024</guid>
      <dc:creator>gfullage</dc:creator>
      <dc:date>2004-05-13T22:39:40Z</dc:date>
    </item>
    <item>
      <title>Re: Ports Required for SMTP access from DMZ</title>
      <link>https://community.cisco.com/t5/network-security/ports-required-for-smtp-access-from-dmz/m-p/245633#M1060028</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;You indicated you opened DNS and SMTP to the server.&lt;/P&gt;&lt;P&gt;Does this mean you open up port UDP 53 to the mail server, or to the DNS server that has the MX or A records for the mail server?  I am not clear on the issue. Are you saying there is a problem with mail from the DMZ server to mail servers on the internet (or outside the PIX)? If so, then you need to make sure DNS outbound and SMTP outbound requests aren't blocked, and you need to make sure the DMZ server has a global/nat, nat0, (or static) mapping that lets it go to the outside.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thank you&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Michael &lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 17 May 2004 21:11:19 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ports-required-for-smtp-access-from-dmz/m-p/245633#M1060028</guid>
      <dc:creator>mvoight</dc:creator>
      <dc:date>2004-05-17T21:11:19Z</dc:date>
    </item>
    <item>
      <title>Re: Ports Required for SMTP access from DMZ</title>
      <link>https://community.cisco.com/t5/network-security/ports-required-for-smtp-access-from-dmz/m-p/5311818#M1121915</link>
      <description>&lt;P&gt;Hey &lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/326254"&gt;@admin_2&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;Normally, for basic SMTP relay you mainly need TCP port &lt;STRONG&gt;25&lt;/STRONG&gt; open (for standard SMTP). If you're also using secure submission or different services, you might need to open:&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;&lt;P&gt;&lt;STRONG&gt;Port 587&lt;/STRONG&gt; (for SMTP submission, often used by authenticated clients)&lt;/P&gt;&lt;/LI&gt;&lt;LI&gt;&lt;P&gt;&lt;STRONG&gt;Port 465&lt;/STRONG&gt; (for SMTPS, though it’s less common nowadays)&lt;/P&gt;&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;Also, make sure DNS (UDP/TCP 53) is allowed so the server can resolve external domains.&lt;/P&gt;&lt;P&gt;In my experience, once I properly warmed up and configured everything using a tool like &lt;STRONG&gt;WarmupSMTP&lt;/STRONG&gt;, mails stopped getting stuck in queue, as sender reputation and configuration got better.&lt;/P&gt;&lt;P&gt;Hope this helps!&lt;/P&gt;</description>
      <pubDate>Mon, 21 Jul 2025 11:27:07 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ports-required-for-smtp-access-from-dmz/m-p/5311818#M1121915</guid>
      <dc:creator>MasonCartor</dc:creator>
      <dc:date>2025-07-21T11:27:07Z</dc:date>
    </item>
    <item>
      <title>Re: Ports Required for SMTP access from DMZ</title>
      <link>https://community.cisco.com/t5/network-security/ports-required-for-smtp-access-from-dmz/m-p/5311845#M1121918</link>
      <description>&lt;P&gt;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1895822"&gt;@MasonCartor&lt;/a&gt;&amp;nbsp;I think the original poster most likely found the answer after 21 years. &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 21 Jul 2025 12:29:42 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ports-required-for-smtp-access-from-dmz/m-p/5311845#M1121918</guid>
      <dc:creator>Marvin Rhoads</dc:creator>
      <dc:date>2025-07-21T12:29:42Z</dc:date>
    </item>
  </channel>
</rss>

