
Suspected insecure email server

  • 21-02-2024 9:24am
    #1
    Registered Users Posts: 51 ✭✭


    Mate had his emails set up by a company


    He was thinking of moving to another company


    I checked his MX records and they point to a single IP address. I did a port scan on this IP and was surprised to find loads of open ports

    21 ftp

    23 ssh

    53 domain

    80

    Obviously

    25,110,143,993,995

    But there was loads more


    I was imagining some old Windows box that his website developer was using, but then I did a whois lookup and was surprised it was a proper email provider


    Whois mentions a small range of IP addresses this provider uses and I found similar open ports on the rest of them


    Should a machine used for email only have the essential ports open to the internet?



Comments

  • Registered Users Posts: 18,394 ✭✭✭✭kippy


    Is it possible the MX record points to a firewall/loadbalancer/router or some other device that isn't itself an email server?



  • Registered Users Posts: 51 ✭✭User567363


    Ahh, that makes sense, so if one port can be used in an attack it might not be the same machine the email mailboxes are on


    No way of checking that from this side, but fingers crossed you're right



  • Registered Users Posts: 5,173 ✭✭✭LambshankRedemption


    Not that it matters but port 23 is Telnet not SSH.

    That said, assuming it was nmap or a similar port scanner, there is no guarantee it is actually those services running on those ports. The SSH server on my gateway server runs on 22, 53, 80, 443 and 8080. The reason being, if I am on a network which blocks outbound SSH, I can usually get out on one of those other ports.
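
The point made in the comment above, that a port number alone does not say which service is listening, as an added example that is not part of the thread: it classifies a service by the greeting it sends rather than by its port. The banners are constructed samples and the names `classify_banner` and `compare` are hypothetical helpers.

```python
import re

# Conventional service names for the ports mentioned in the thread.
PORT_NAMES = {21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 53: "domain",
              80: "http", 110: "pop3", 143: "imap", 443: "https",
              993: "imaps", 995: "pop3s", 8080: "http-alt"}

# Greeting patterns for protocols where the server speaks first.
# SMTP and FTP both open with "220", so each also needs its own keyword.
SIGNATURES = [
    ("ssh", re.compile(rb"^SSH-\d+\.\d+-")),
    ("smtp", re.compile(rb"^220[ -].*\bE?SMTP\b", re.I)),
    ("ftp", re.compile(rb"^220[ -].*FTP", re.I)),
    ("pop3", re.compile(rb"^\+OK\b")),
    ("imap", re.compile(rb"^\* (OK|PREAUTH|BYE)\b")),
    ("telnet", re.compile(rb"^\xff[\xfb-\xfe]")),  # IAC + WILL/WONT/DO/DONT
]

# Constructed sample greetings (not captured from any real host).
# Ports 53 and 80 mirror the SSH-on-other-ports gateway setup from the comment.
SAMPLES = [
    (21, b"220 (vsFTPd 3.0.5)\r\n"),
    (23, b"\xff\xfd\x18\xff\xfd\x20"),
    (25, b"220 mail.example.test ESMTP\r\n"),
    (53, b"SSH-2.0-OpenSSH_9.6\r\n"),
    (80, b"SSH-2.0-OpenSSH_9.6\r\n"),
    (110, b"+OK POP3 ready\r\n"),
    (993, b""),  # TLS-wrapped: the client speaks first, so no greeting
]

def classify_banner(banner: bytes) -> str:
    """Name the protocol from the first bytes the server sent."""
    if not banner:
        return "no-banner"  # client-first protocol (HTTP, TLS, DNS)
    for name, pattern in SIGNATURES:
        if pattern.match(banner):
            return name
    return "unknown"

def compare(port: int, banner: bytes) -> dict:
    """Set the port's conventional name against what the greeting shows."""
    expected = PORT_NAMES.get(port, "unknown")
    observed = classify_banner(banner)
    mismatch = observed not in ("no-banner", "unknown") and observed != expected
    return {"port": port, "port_name": expected,
            "observed": observed, "mismatch": mismatch}

if __name__ == "__main__":
    for port, banner in SAMPLES:
        print(compare(port, banner))
```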


