Port reference
Port 25 (TCP) – SMTP
Server-to-server email transfer protocol used to relay and deliver mail between MTAs.
Quick facts
- Transport: TCP
- Category: Well-known
- TLS: Opportunistic (STARTTLS); cleartext by default
- Risk level: High
Frequently targeted — restrict exposure and harden it.
Use a secure alternative
Port 25 carries cleartext unless both MTAs negotiate STARTTLS, and nothing forces them to. For client submission use the authenticated ports 587 (STARTTLS) or 465 (implicit TLS). There is no separate encrypted port for MTA-to-MTA delivery, so enforce TLS on 25 by publishing an MTA-STS policy.
Default state
Open on mail servers (MTAs) accepting inbound mail; usually exposed to the internet for delivery.
Common attacks
- Open relay abuse for spam and phishing
- Sender spoofing where SPF/DKIM/DMARC are missing
- User/address enumeration via VRFY, EXPN, and RCPT probing
- STARTTLS stripping and downgrade to cleartext
Hardening
- Never run an open relay; require authentication for client mail submission
- Use port 587 (submission) with STARTTLS for authenticated clients
- Publish and enforce SPF, DKIM, and DMARC; enable MTA-STS
- Disable VRFY/EXPN and rate-limit connections
nmap snippet
nmap -p25 --script smtp-commands,smtp-open-relay,smtp-enum-users,banner <target>
Replace <target> with the host or range you're authorized to scan.
How to check if this port is open
Linux:
ss -tulpn | grep :25
nmap -p 25 <target>
Windows:
netstat -ano | findstr :25
Test-NetConnection <host> -Port 25
macOS:
lsof -i :25
nmap -p 25 <target>
How to block this port
Linux (ufw):
sudo ufw deny 25/tcp
Linux (firewalld):
sudo firewall-cmd --permanent --remove-port=25/tcp
sudo firewall-cmd --reload
Linux (iptables):
sudo iptables -A INPUT -p tcp --dport 25 -j DROP
Windows (PowerShell):
New-NetFirewallRule -DisplayName "Block 25" -Direction Inbound -Protocol TCP -LocalPort 25 -Action Block
Note: firewall-cmd --remove-port only withdraws an earlier allow rule for 25/tcp; it does not add a deny, so the port stays reachable if another rule or the zone default permits it. Blocking inbound 25 on a host that is the MX for a domain stops that domain receiving mail; block it only on hosts that should not accept inbound SMTP.
What runs on port 25?
Port 25 is the default port for SMTP (Simple Mail Transfer Protocol), the protocol mail servers use to relay and deliver email between each other. When one Mail Transfer Agent (MTA) hands a message to the next on its way to the recipient, that conversation happens on port 25. Authenticated client submission (your mail app sending outbound mail) belongs on port 587 or 465, not 25.
Why it matters for security
SMTP was designed in an era of implicit trust. Without strict configuration a server can act as an open relay, accepting and forwarding mail from anyone and becoming a spam and phishing engine. The protocol also makes sender spoofing trivial unless SPF, DKIM, and DMARC are published and enforced. STARTTLS on port 25 is opportunistic, so an active attacker may strip it and force the session back to cleartext.
How it's attacked
Spammers probe servers for open relay behavior to launder bulk mail. Attackers spoof sender addresses against domains lacking SPF/DKIM/DMARC to power phishing. Reconnaissance uses VRFY, EXPN, and RCPT TO probing to enumerate valid mailboxes, and STARTTLS stripping downgrades connections so credentials and content can be read in transit. Vulnerable MTAs are also targeted directly for remote code execution.
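The reconnaissance described above, scripted end to end against a local mock so it runs offline. This is an added example, not code from the original page: the mock MTA, the host and domain names (mx.example.test, attacker.example, other.example) and the addresses probed are all constructed. The probe performs the same checks the page's nmap scripts automate: whether VRFY and EXPN confirm mailboxes, whether an external sender may RCPT to an external recipient (open relay), whether RCPT answers differ between a real and a bogus local user, and whether EHLO advertises STARTTLS at all. The mock can be started "misconfigured" or "hardened" so the two result sets can be compared.

```python
# Added example: SMTP port-25 probe against an in-process mock MTA (not a real MTA).
import re
import smtplib
import socketserver
import threading
from dataclasses import dataclass

ADDR_RE = re.compile(r"<([^>]*)>")  # address inside MAIL FROM:<...> / RCPT TO:<...>

@dataclass
class MtaConfig:
    open_relay: bool           # accept RCPT for foreign domains from anyone (the spam-engine bug)
    allow_vrfy: bool           # answer VRFY/EXPN with 250 instead of refusing
    advertise_starttls: bool   # list STARTTLS in the EHLO reply
    local_domains: tuple = ("example.test",)
    local_users: tuple = ("alice", "postmaster")

class MockSmtpHandler(socketserver.StreamRequestHandler):
    """Just enough ESMTP for the probe below; a constructed mock."""
    def reply(self, line):
        self.wfile.write((line + "\r\n").encode("ascii"))

    def handle(self):
        cfg = self.server.cfg
        self.reply("220 mx.example.test ESMTP mock")
        while True:
            raw = self.rfile.readline()
            if not raw:
                return
            verb, _, arg = raw.decode("ascii", "replace").strip().partition(" ")
            verb = verb.upper()
            if verb in ("EHLO", "HELO"):
                self.reply("250-mx.example.test")
                if cfg.advertise_starttls:
                    self.reply("250-STARTTLS")
                self.reply("250 8BITMIME")
            elif verb in ("VRFY", "EXPN"):
                # A hardened MTA answers 252/502 so the mailbox list cannot be confirmed.
                self.reply(f"250 <{arg}@example.test>" if cfg.allow_vrfy else "252 Cannot VRFY user")
            elif verb == "MAIL":
                self.reply("250 OK")
            elif verb == "RCPT":
                m = ADDR_RE.search(arg)
                local, _, domain = (m.group(1) if m else "").rpartition("@")
                if domain in cfg.local_domains:   # inbound mail for our own domain
                    self.reply("250 OK" if local in cfg.local_users else "550 No such user")
                elif cfg.open_relay:              # forwarding a stranger's mail elsewhere
                    self.reply("250 OK")
                else:
                    self.reply("554 Relay access denied")
            elif verb == "RSET":
                self.reply("250 OK")
            elif verb == "QUIT":
                self.reply("221 Bye")
                return
            else:
                self.reply("502 Command not implemented")

def start_mock_mta(cfg):
    """Serve the mock on 127.0.0.1 on an ephemeral port; returns (server, port)."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), MockSmtpHandler)
    srv.daemon_threads = True
    srv.cfg = cfg
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]

def probe_smtp(host, port):
    """VRFY/EXPN, open-relay and RCPT-enumeration checks against one server."""
    f = {}
    with smtplib.SMTP(host, port, local_hostname="probe.example.test", timeout=5) as s:
        s.ehlo()
        f["starttls_offered"] = s.has_extn("starttls")
        f["vrfy_enabled"] = s.verify("postmaster")[0] == 250
        f["expn_enabled"] = s.docmd("EXPN", "staff")[0] == 250
        # Open relay: foreign sender to foreign recipient must be refused with a 5xx.
        s.mail("probe@attacker.example")
        f["open_relay"] = s.rcpt("victim@other.example")[0] == 250
        s.rset()
        # RCPT probing: different answers for a real and a bogus local user leak the user list.
        # Rejecting unknown recipients is normal MTA behaviour; the mitigation is rate limiting.
        s.mail("probe@attacker.example")
        known = s.rcpt("alice@example.test")[0]
        bogus = s.rcpt("nobody-here@example.test")[0]
        f["rcpt_enumerable"] = known == 250 and bogus != 250
        s.rset()
    return f

def run_demo():
    """Probe a misconfigured and a hardened mock; returns {name: findings}."""
    results = {}
    for name, cfg in (("misconfigured", MtaConfig(True, True, False)),
                      ("hardened", MtaConfig(False, False, True))):
        srv, port = start_mock_mta(cfg)
        try:
            results[name] = probe_smtp("127.0.0.1", port)
        finally:
            srv.shutdown()
            srv.server_close()
    return results

if __name__ == "__main__":
    for name, findings in run_demo().items():
        print(f"{name}: {findings}")
```

Against the misconfigured mock the probe reports open_relay, vrfy_enabled and expn_enabled as true and starttls_offered as false; against the hardened one those flip. rcpt_enumerable stays true for both, which is the point of the page's rate-limiting advice: an MTA has to reject unknown recipients, so the defence is to make probing thousands of them slow and noisy rather than to hide the answer. Point probe_smtp at a real host only with authorization; the open-relay check sends a real MAIL/RCPT pair.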
Hardening checklist
Never run an open relay: accept inbound mail only for your domains and require authentication for any client submission, which should use port 587 with STARTTLS (or 465). Publish and enforce SPF, DKIM, and DMARC, and enable MTA-STS so delivery can't be silently downgraded. Disable VRFY/EXPN, rate-limit connections, and keep the MTA patched. The nmap snippet above lists supported commands and tests for open-relay and user-enumeration weaknesses on systems you are authorized to test.
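The checklist above expressed as Postfix and DNS configuration, added here as an example rather than taken from the page. The parameter names are Postfix's own; the domain example.com, the host names, the 192.0.2.10 address, the DKIM selector and the key placeholder are illustrative, and the `#` lines naming each file are annotations rather than file content (Postfix only honours comments that start a line, which is why none sit at the end of a setting). The weak block shows the settings that turn a server into the open relay and enumeration oracle described above; the hardened block shows the corrected values, the submission service on 587, and the SPF/DKIM/DMARC and MTA-STS records.

```text
# ---- /etc/postfix/main.cf : WEAK (relays for anyone, confirms mailboxes, cleartext only) ----
# permit_mynetworks now matches the whole internet, so reject_unauth_destination never triggers
mynetworks = 0.0.0.0/0
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
# VRFY confirms which mailboxes exist
disable_vrfy_command = no
# no STARTTLS offered; every session on 25 is cleartext
smtpd_tls_security_level = none

# ---- /etc/postfix/main.cf : HARDENED ----
myhostname = mx1.example.com
mydestination = $myhostname, example.com
mynetworks = 127.0.0.0/8 [::1]/128
# relay only for local clients, authenticated users, and mail addressed to our own domains
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
# no logins on port 25; authenticated clients use the submission service below
smtpd_sasl_auth_enable = no
disable_vrfy_command = yes
smtpd_helo_required = yes
# opportunistic STARTTLS in both directions; the MTA-STS policy below lets senders require it
smtpd_tls_security_level = may
smtp_tls_security_level = may
# connection rate limiting (per client, per anvil_rate_time_unit, default 60s)
smtpd_client_connection_rate_limit = 30
smtpd_client_connection_count_limit = 10

# ---- /etc/postfix/master.cf : authenticated submission on 587 with TLS required ----
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject

# ---- DNS zone for example.com : sender authentication and MTA-STS ----
example.com.                  IN TXT "v=spf1 mx -all"
sel1._domainkey.example.com.  IN TXT "v=DKIM1; k=rsa; p=<base64 public key>"
_dmarc.example.com.           IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
_mta-sts.example.com.         IN TXT "v=STSv1; id=20240601120000"
mta-sts.example.com.          IN A   192.0.2.10

# ---- https://mta-sts.example.com/.well-known/mta-sts.txt ----
version: STSv1
mode: enforce
mx: mx1.example.com
max_age: 604800
```

Bump the id in the _mta-sts TXT record whenever the policy file changes; senders cache the policy for max_age seconds and only refetch when the id differs. Start DMARC at p=none and read the aggregate reports before moving to p=reject, otherwise legitimate mail from forgotten sources gets dropped.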
Frequently asked questions
- What is the difference between port 25 and 587?
- Port 25 is for server-to-server mail relay (MTA to MTA). Port 587 is the authenticated submission port used by mail clients to send outgoing mail, and should require login and STARTTLS.
- Why is port 25 often blocked?
- Many ISPs and cloud providers block outbound port 25 to curb spam from compromised hosts and open relays. Legitimate clients should submit mail on port 587 instead.