So, for fun, I do random port scans to monitor my servers. On my email server the only process I run is email itself, with 993 and 25 open, and those are also the only two ports in my ASA. But when I run a scan it shows 80 and 443 open as well. As I said, I have verified that the only two ports in the ASA are for 25 and 993, so I am unsure why. I can paste my config file later, but for now maybe there is something common about this that I am missing.
What IP did you use for the port scan? The outside interface of the ASA? Does the mail server have a static 1-to-1 NAT configured?
Give us more information about the setup so we can understand it.
Also, suggest you do the same scan from the internal network to mail server the same way you did from outside and compare the results.
I am not clear whether the reported open ports are on the ASA or on the server. Perhaps the original poster can clarify? If they are on the ASA, it may be because those ports are open to provide management access to the ASA.
I apologize for the delay; I had not received an email notification saying I had responses.
I will show a picture of my server topology. I am running a port scan from the outside (a completely different network, be it my cell phone or my workplace) and scanning a static IP with a 1-to-1 NAT through my 5508-X, which connects to my email server on GE/03 with an interface IP of 192.168.3.180. The server has the actual real static IP x.x.x.180 and uses 192.168.3.180 as the gateway.
My port scan from here at work right now shows 25, 80, 443 and 993 open, but I can guarantee only 25 and 993 are open for in/out email access. I am scanning the internal static IP, not the gateway static IP of the router.
When I get home, if it is still needed, I will gladly paste what my ASA says, but I am also the one who configured it and I never would have had a reason to open those two other ports.
As per your description, it should not show anything other than the ports you allowed in the ACL for the static NAT translation. (Do you also have an ACL after NAT that allows only the required ports?)
As I suggested, have you scanned the server internally to confirm that it only responds on the ports you intended?
Honestly, we do scan for audit purposes and have never come across this issue.
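The comparison suggested twice in this thread (scan the server from outside, scan it again from inside, and compare) is easy to mechanise. The following is an added example, not code from the original thread or from Cisco: it parses nmap's grepable (-oG) output for two scans and classifies each open port as expected, exposed beyond the ACL, internal-only, or answered by something other than the server (which is the case that points at the NAT device or ASA itself). The scan lines, addresses and allowed-port list are constructed placeholders.

```python
import re

# Constructed sample nmap -oG output for a scan from the outside (public side of the NAT).
# Addresses are documentation placeholders, not the original poster's.
OUTSIDE_SCAN = """# Nmap scan initiated (constructed sample)
Host: 203.0.113.180 ()\tPorts: 25/open/tcp//smtp///, 80/open/tcp//http///, 443/open/tcp//https///, 993/open/tcp//imaps///\tIgnored State: filtered (65531)
"""

# Constructed sample nmap -oG output for the same server scanned from the internal LAN.
INSIDE_SCAN = """Host: 192.168.3.180 ()\tPorts: 25/open/tcp//smtp///, 993/open/tcp//imaps///\tIgnored State: closed (65533)
"""

# Ports the firewall ACL / static NAT is supposed to permit (assumed from the thread).
ALLOWED_PORTS = {25, 993}

# One -oG port entry looks like "25/open/tcp//smtp///": port/state/protocol/...
PORT_ENTRY_RE = re.compile(r"(\d+)/(\w+)/(\w+)/")


def open_tcp_ports(grepable_output):
    """Return the set of TCP ports reported 'open' in nmap grepable (-oG) output."""
    ports = set()
    for line in grepable_output.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines and blank lines carry no port data
        fields = re.search(r"\tPorts: ([^\t]*)", line)
        if not fields:
            continue  # host line with no port list (e.g. host down)
        for entry in fields.group(1).split(", "):
            m = PORT_ENTRY_RE.match(entry.strip())
            if m and m.group(2) == "open" and m.group(3) == "tcp":
                ports.add(int(m.group(1)))
    return ports


def classify_ports(outside, inside, allowed):
    """Compare external and internal views of the same server.

    A port that answers from outside but is not listening on the host cannot be
    the server's own service: something in the path (NAT device, firewall
    management interface, proxy) is answering instead.
    """
    verdicts = {}
    for port in sorted(outside | inside):
        exposed = port in outside
        listening = port in inside
        if exposed and not listening:
            verdicts[port] = "answered by intermediary, not the server"
        elif exposed and listening and port in allowed:
            verdicts[port] = "expected"
        elif exposed and listening:
            verdicts[port] = "host service reachable despite not being in ACL"
        else:
            verdicts[port] = "internal only"
    return verdicts


def report(outside_output, inside_output, allowed=ALLOWED_PORTS):
    """Parse both scans and return the per-port verdicts."""
    return classify_ports(open_tcp_ports(outside_output),
                          open_tcp_ports(inside_output), allowed)


if __name__ == "__main__":
    for port, verdict in report(OUTSIDE_SCAN, INSIDE_SCAN).items():
        print(f"{port:5d}  {verdict}")
```

With the sample data above, 25 and 993 come out as expected while 80 and 443 are flagged as answered by an intermediary, which is exactly the pattern that suggests looking at the firewall's own management listeners or NAT configuration rather than at the mail server.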