port 25 blocked for developer machines!

  • Question

  • We are developers working in a company.

    Development is done on our development devices/laptops where VS is installed.

    After development and test operations are finished, we publish the application to servers.

    Our applications need to send emails, so we do that via the Exchange server through port 25.

    Suddenly, during the development and test stage, we noticed that we cannot send emails. We contacted the Exchange server administrator. He told us that he blocked port 25 for our development devices/laptops because Microsoft recommends that.

    We asked him how we can carry out development and test operations. He said that you can do that from the server! Note that the server is just for publishing; it does not have any IDE for developing or testing!

    Is this true?

    Is this practical?

    Does Microsoft recommend this strange situation?

    • Edited by yhassany Friday, February 19, 2016 6:28 PM
    Friday, February 19, 2016 6:27 PM

All replies

  • I've never seen this in writing from Microsoft, however:

    In general, SMTP should be blocked at various firewalls to prevent a compromised workstation from spamming people (or other types of abuse). This shouldn't be blindly enforced however, especially if you have a legit use case. Practically speaking however, there could be many other factors on your network that we can't really consider in TechNet forums, such as corporate policy, or maybe the fact you're on the same subnet with untrusted workstations, etc.

    This is a conversation you need to have with your management.

    Mike Crowley | MVP
    My Blog -- Baseline Technologies

    Tuesday, March 1, 2016 9:16 PM
  • You should ask for an SMTP relay machine in the DEV network.

    Basically they can allow only port 25 to the IP of the relay machine from your dev machines and configure the relay machine to have authenticated relay functionality. This way there is no chance of a bogus spammer in the network abusing port 25 or a mail server. And the IT department can control the security based on the relay machine's auth mechanisms (AD integrated, certificate, basic (not recommended), IP based).

    The relay machine can be a software machine like Windows or Linux or a hardware vendor like IronPort or something.

    MCTS exchange 2013 | MCTS-MCITP exchange 2010 | MCTS-MCITP Exchange: 2007 | MCSA Messaging: 2003 | MCP windows 2000

    Thursday, March 3, 2016 9:35 PM
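
Added example, not part of the original thread or any poster's code: a Python check that audits a dev-network relay's EHLO capability reply against the authenticated-relay setup suggested in the answer above, flagging basic auth offered before TLS and relays that fall back to IP-only trust. The function names, host names and sample replies are constructed for illustration.

```python
# Added example: audit an SMTP relay's EHLO reply for the auth posture discussed above.
CLEARTEXT = {"PLAIN", "LOGIN"}  # "basic" auth: a reusable password, base64-encoded only


def parse_ehlo(reply):
    """Parse a multi-line 250 EHLO reply into {KEYWORD: [PARAMS]}."""
    lines = [ln.strip() for ln in reply.splitlines() if ln.strip()]
    caps = {}
    for ln in lines[1:]:  # the first line is the server greeting, not a capability
        if not (ln.startswith("250") and ln[3:4] in ("-", " ")):
            raise ValueError("not a 250 EHLO line: %r" % ln)
        # Some servers also send the legacy "AUTH=LOGIN" form; treat "=" as a space.
        words = ln[4:].replace("=", " ").upper().split()
        if words:
            caps.setdefault(words[0], []).extend(words[1:])
    return caps


def audit_relay(reply, tls_active):
    """Return findings for one EHLO reply; tls_active is True after STARTTLS."""
    caps = parse_ehlo(reply)
    mechs = set(caps.get("AUTH", []))
    can_tls = tls_active or "STARTTLS" in caps
    findings = []
    if not can_tls:
        findings.append("no STARTTLS: credentials and mail travel unencrypted")
    if mechs & CLEARTEXT and not tls_active:
        weak = ", ".join(sorted(mechs & CLEARTEXT))
        findings.append("basic AUTH offered before TLS: " + weak)
    # Many servers advertise AUTH only after STARTTLS, so report "no AUTH"
    # only once no further TLS upgrade is possible.
    if not mechs and (tls_active or not can_tls):
        findings.append("no AUTH offered: relay access rests on source IP alone")
    return findings


# Constructed sample replies; relay.dev.example is a placeholder host name.
WEAK_REPLY = "250-relay.dev.example Hello\n250-SIZE 37748736\n250-AUTH LOGIN PLAIN\n250 8BITMIME"
HARDENED_PRE_TLS = "250-relay.dev.example Hello\n250-SIZE 37748736\n250-STARTTLS\n250 8BITMIME"
HARDENED_POST_TLS = "250-relay.dev.example Hello\n250-AUTH NTLM GSSAPI LOGIN\n250 8BITMIME"

if __name__ == "__main__":
    samples = [("weak", WEAK_REPLY, False), ("pre-TLS", HARDENED_PRE_TLS, False),
               ("post-TLS", HARDENED_POST_TLS, True)]
    for name, reply, tls in samples:
        print(name, audit_relay(reply, tls) or "ok")
```

Feed it the reply captured before STARTTLS with `tls_active=False` and the second EHLO reply after the upgrade with `tls_active=True`.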
  • True, though if you're going to bother to maintain an ACL anyway, you could just do it on the firewall/router instead of deploying a new server.

    Mike Crowley | MVP
    My Blog -- Baseline Technologies

    Thursday, March 3, 2016 9:53 PM