Ports

Port 25: SMTP relay

Server to server email transfer. Not meant for end user clients.

Where you will see it: scans, firewall rules, vulnerability reports, and service configs. Treat open ports as exposure points and verify that the service is expected, hardened, and restricted.

What it is

TCP port 25 is used for SMTP, the protocol that moves email between mail servers. A port is a transport layer number used together with an IP address and a protocol such as TCP or UDP to direct traffic to the correct service on a host.

A server process binds a socket to a port and listens, while a client typically chooses an ephemeral source port for outbound connections. The combination of source and destination IP addresses, source and destination ports, and the transport protocol uniquely identifies a flow so the operating system can keep many conversations separate.

Firewalls, NAT, and scanners talk about ports because the destination port is the stable rendezvous point that exposes a service to the network. A sending server opens a TCP connection from an ephemeral source port to a receiving server on destination port 25, completes the handshake, and then exchanges SMTP commands to transfer a message to the next hop.

Port 25 is primarily for server to server relay on the open internet. End user clients and applications usually should not send mail directly to random servers on 25, which is why message submission is typically done on port 587 or 465 with authentication.

Because abuse is common, many networks restrict outbound 25, and misconfigured servers that accept unauthenticated relay on 25 quickly get used for spam. When you see 25 exposed, the key question is whether it is intentionally a mail exchanger and whether it is hardened, patched, and configured to refuse open relay.

How it works in broad strokes

  1. A client mail server opens a TCP connection and speaks SMTP commands to deliver a message.
  2. The server applies policy, spam checks, and routing decisions, then accepts and queues the message.
  3. The receiving server may forward the message internally or relay it onward to the next hop.

Concrete example

Your company mail gateway receives mail from the internet on 25. Another MTA connects, negotiates STARTTLS, and transfers a message, which is then scanned and delivered to internal mailboxes.

Why it matters

If port 25 is open inbound, your host may be acting as a mail exchanger or a relay. Misconfiguration can turn it into an open relay, which is a fast path to blacklisting. In incident response, unexpected SMTP on 25 is also a common sign of malware trying to exfiltrate data by email.

Security angle

  • Use port 587 for authenticated submission and keep 25 for server to server only.
  • Require STARTTLS where appropriate and monitor for anomalous volumes.
  • Restrict relaying to trusted senders and harden your MTA configuration.
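The two controls above, refusing relay for foreign recipients and requiring STARTTLS before MAIL FROM, as an added toy policy engine (not code from the page or from any real MTA). The domain `example.com`, the hostname `mx.example.com` and the trusted subnet `10.0.0.` are assumed; the client dialogue is constructed.

```python
# Added example: a minimal SMTP server-side policy model for port 25.
# It is not a network server; it applies relay and STARTTLS rules to scripted commands.
LOCAL_DOMAINS = {"example.com"}      # assumed: domains this MX accepts mail for
TRUSTED_RELAY_NETS = ("10.0.0.",)    # assumed: internal MTAs allowed to relay outward


def handle(session, line):
    """Apply one client command to the session state and return the server reply."""
    verb, _, arg = line.partition(" ")
    verb = verb.upper()
    if verb == "EHLO":
        session["helo"] = arg
        return "250-mx.example.com\r\n250 STARTTLS"   # advertise STARTTLS
    if verb == "STARTTLS":
        session["tls"] = True                          # a real server runs the TLS handshake here
        return "220 Ready to start TLS"
    if verb == "MAIL":
        if not session["tls"]:                         # enforce encryption instead of leaving it optional
            return "530 5.7.0 Must issue a STARTTLS command first"
        session["mail_from"] = arg.partition(":")[2].strip("<> ")
        return "250 2.1.0 OK"
    if verb == "RCPT":
        if not session["mail_from"]:
            return "503 5.5.1 Bad sequence of commands"
        addr = arg.partition(":")[2].strip("<> ")
        domain = addr.rpartition("@")[2].lower()
        trusted = session["peer_ip"].startswith(TRUSTED_RELAY_NETS)
        if domain in LOCAL_DOMAINS or trusted:         # inbound to us, or outbound from a trusted MTA
            session["rcpts"].append(addr)
            return "250 2.1.5 OK"
        return "554 5.7.1 Relay access denied"         # this refusal is what prevents an open relay
    if verb == "QUIT":
        return "221 2.0.0 Bye"
    return "500 5.5.2 Command not recognized"


def run_session(peer_ip, commands):
    """Feed a scripted client dialogue through the policy and return the list of replies."""
    session = {"peer_ip": peer_ip, "tls": False, "helo": "", "mail_from": "", "rcpts": []}
    return [handle(session, cmd) for cmd in commands]


if __name__ == "__main__":
    # constructed dialogue: an internet peer delivering to us and also trying to relay through us
    script = ["EHLO mail.other.test", "STARTTLS", "MAIL FROM:<a@other.test>",
              "RCPT TO:<someone@third.test>", "RCPT TO:<alice@example.com>", "QUIT"]
    for cmd, reply in zip(script, run_session("203.0.113.5", script)):
        print(f"C: {cmd}\nS: {reply}")
```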

Common pitfalls

  • Running an open relay or relying on weak anti-spam controls.
  • Letting applications send email directly on 25 instead of using submission on 587.
  • Assuming encryption is automatic. SMTP commonly starts in cleartext unless STARTTLS is negotiated and enforced.