Is it ok to open outbound port 25 to all IPs?




Posted by sshanky, 05-08-2015, 08:08 PM
I have 7 VMs running on multiple machines located in a colo in NJ. We have an SMTP server account with Sendgrid. We had one hole in the firewall for port 25 to one of Sendgrid's IPs, and recently that IP stopped working. Sendgrid says we should be using smtp.sendgrid.net and not an IP, but the network guy at the hosting co. says he can't open firewall ports that way and that we need to use IPs. I finally got Sendgrid to give me a few IPs, and asked the hosting co to open port 25 outbound to those IPs from 4 of our 7 servers. But my developer says, why not just open 25 outbound to any IP? Is that a security risk? Am I thinking about this the wrong way? Thanks

Posted by itnycsilicon, 05-08-2015, 08:13 PM
Yes, it is a security risk. Only open port 25 to the Sendgrid IP addresses...

Posted by sshanky, 05-08-2015, 08:16 PM
Sendgrid didn't like that idea, though, and they also tell me that those IPs can change without notice. If that happens, I would have to somehow know, then change my setup to send using one of the other IPs. Is it odd to not be able to have a single IP to use? Or is that typical? What is the risk?

Posted by iserversupport, 05-09-2015, 03:09 AM
I don't think it is a security issue; most of the servers have port 25 open.

Posted by plumsauce, 05-09-2015, 03:34 AM
Your host is being extraordinarily restrictive. If you want to stay there, you can request that the firewall be configured such that outbound connections from your addresses be allowed to any IP on port 25. This still lets them choke other clients, but not you. If they still won't do it, then either the network guy does not know what he is doing, or your host does not trust you. Alternatively, ask Sendgrid for their IP ranges and have them all opened by your host. ++

Posted by Srv24x7, 05-09-2015, 11:00 AM
Hi, I think you should then think of getting some shell script in place that will keep checking the IP of smtp.sendgrid.net and make appropriate changes in the firewall.
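
The script suggested in the post above could look like the following. It is an added example, not part of the original post or anything Sendgrid or the host provides. It assumes the firewall is iptables with ipset on a machine you control, and the set name `sendgrid_smtp` is hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes an iptables + ipset firewall you
# control; SET_NAME is a hypothetical set referenced by a rule such as:
#   iptables -A OUTPUT -p tcp --dport 25 -m set --match-set sendgrid_smtp dst -j ACCEPT
RELAY_HOST="smtp.sendgrid.net"
SET_NAME="sendgrid_smtp"

# Pass through only well-formed IPv4 addresses (sorted, unique) so nothing
# unexpected in a DNS answer or tool output reaches the firewall command.
valid_ipv4() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' |
        awk -F. '$1<=255 && $2<=255 && $3<=255 && $4<=255' | sort -u
}

# Current A records for the relay, via the system resolver.
resolve_ips() { getent ahostsv4 "$1" | awk '{print $1}' | valid_ipv4; }

# Current members of the set (header lines are dropped by the filter).
current_ips() { ipset list "$SET_NAME" | valid_ipv4; }

# plan_changes CURRENT RESOLVED: print "add IP" / "del IP" lines.
# Returns 1 without output when RESOLVED has no valid address, so a DNS
# failure never empties the allowlist.
plan_changes() {
    cur=$(printf '%s\n' "$1" | valid_ipv4)
    new=$(printf '%s\n' "$2" | valid_ipv4)
    [ -n "$new" ] || return 1
    for ip in $new; do
        printf '%s\n' "$cur" | grep -qxF "$ip" || echo "add $ip"
    done
    for ip in $cur; do
        printf '%s\n' "$new" | grep -qxF "$ip" || echo "del $ip"
    done
}

# Run as: script --apply (e.g. from cron). Without the flag nothing changes.
if [ "${1:-}" = "--apply" ]; then
    plan=$(plan_changes "$(current_ips)" "$(resolve_ips "$RELAY_HOST")") || {
        echo "no valid A records for $RELAY_HOST; allowlist unchanged" >&2
        exit 1
    }
    printf '%s\n' "$plan" | while read -r action ip; do
        [ -n "$action" ] && ipset "$action" "$SET_NAME" "$ip"
    done
fi
```

A single DNS answer may list only part of a provider's address pool, so consider logging the `del` lines for review rather than applying them on every run.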

Posted by SneakySysadmin, 05-11-2015, 09:41 AM
Uh, no. The host is doing what they've been asked to do. The OP is the one requesting their own VPS' be firewalled from sending to any host but Sendgrid. Get all the IPs for Sendgrid and allow them in the firewall. Problem solved.


