
My server IP was blacklisted for sending out spam and I am tracking down the program sending spam.

I did netstat, and it shows a lot of programs using port 25.

e.g.

tcp        0    182 10.205.3.7:38995        xxx.55.92.168:25         ESTABLISHED 31909/smtp      
tcp        0      0 127.0.0.1:443           127.0.0.1:52160         TIME_WAIT   -               
tcp        0      0 10.205.3.7:53001        xxx.186.99.50:25        TIME_WAIT   -               
tcp        0      0 127.0.0.1:52171         127.0.0.1:443           TIME_WAIT   -               
tcp        0      0 127.0.0.1:443           127.0.0.1:52254         TIME_WAIT   -               
tcp        0      0 127.0.0.1:52251         127.0.0.1:443           TIME_WAIT   -               
tcp        0      0 127.0.0.1:443           127.0.0.1:52049         TIME_WAIT   -               
tcp        0      0 127.0.0.1:52091         127.0.0.1:443           TIME_WAIT   -               
tcp        0      0 10.205.3.7:59762        xxx.17.41.47:25         ESTABLISHED 2147/smtp       
tcp        0      1 10.205.3.7:50400        xxx.88.180.116:25       SYN_SENT    2151/smtp       
tcp        0      0 127.0.0.1:52083         127.0.0.1:443           TIME_WAIT   -               
tcp        0      0 10.205.3.7:55824        xxx.127.217.16:25       TIME_WAIT   -               
tcp        0      0 10.205.3.7:35888        xxx.27.42.58:25         ESTABLISHED 1913/smtp       
tcp        0      0 127.0.0.1:443           127.0.0.1:52242         TIME_WAIT   -               
tcp        0      0 10.205.3.7:80           xxx.76.138.169:25703    TIME_WAIT   -               
tcp        0      0 10.205.3.7:51114        xxx.54.188.110:25        ESTABLISHED 31424/smtp      
tcp        0      0 127.0.0.1:443           127.0.0.1:52059         TIME_WAIT   -               
tcp        0    149 10.205.3.7:34686        xxx.125.136.27:25        ESTABLISHED 703/smtp        
tcp        0      0 10.205.3.7:34669        xxx.125.136.27:25        ESTABLISHED 32586/smtp      
tcp        0      0 127.0.0.1:443           127.0.0.1:52238         TIME_WAIT   -               
tcp        0      0 127.0.0.1:443           127.0.0.1:52150         TIME_WAIT   -               
tcp        0      0 127.0.0.1:52038         127.0.0.1:443           TIME_WAIT   -               
tcp        0      0 10.205.3.7:37635        xxx.115.11.16:25        ESTABLISHED 31093/smtp      
tcp        0      0 10.205.3.7:59959       xx.127.217.21:25       ESTABLISHED 690/smtp  

Is postfix the only program that should be using port 25, or is the word smtp an alias for all the processes of postfix?

------ EDIT ----

Thank you all for your help, just to clarify:

  • I'm not running an open relay, I checked.
  • From the netstat output it was not really clear which process belongs to postfix.
Greenonline
Mr Mixin
  • What was the reason for the blacklist - was it for sending spam - being an open relay - etc? There are many many reasons you can get blacklisted, some of them require nothing more than for you to send an appeal - so we need a bit more info. – IceMage Aug 25 '15 at 15:44
  • it was for sending out spam – Mr Mixin Aug 25 '15 at 15:45
  • Which blacklist(s) - and the reason codes are generally pretty specific. If it's on spamhaus - telling us which blacklist exactly can really help – IceMage Aug 25 '15 at 15:48
  • http://cbl.abuseat.org/ is where I was listed. I found a script sending spam by using the php mail() function, which I have disabled. Now I'm tying up loose ends and want to know if there is any other way for spam to be sent out of the server. – Mr Mixin Aug 25 '15 at 15:51

3 Answers

Anything using port 25 should be a verified SMTP program that you both know about - and have authorized. In your case, that is ONLY postfix. You should know that having an open relay can also cause you to send spam unwittingly.

Check this out to determine which programs are using which ports: http://www.cyberciti.biz/faq/what-process-has-open-linux-port/ - and then check this out to make sure postfix is not configured as an open relay - http://www.postfix.org/SMTPD_ACCESS_README.html

When you have resolved those issues you should be good to go. If you are behind a NAT firewall (computers inside your network share your public IP), you should block outbound port 25 for any computer that is not authorized to send mail, as your IP will be blocked again by the CBL.

IceMage

You need to distinguish between local and remote ports, and between incoming and outgoing connections.

Only one process can listen on local port 25 at a time, and hence only one program can accept incoming SMTP connections. If you try to start another one it will abort with a "port already in use" error. (I'm neglecting the possible exception of different programs listening on the same port with different local addresses here as it is irrelevant for my argument.)

Any number of programs can open outgoing connections to port 25 on the same or different remote server(s). There are legitimate uses for this.

netstat shows PIDs and process names for open connections (and, if you use the -a option, for listening ports.) Process names are unreliable because processes can set their own name to an arbitrary string. So in order to identify a process you should only rely on the PID, and use the ps command to retrieve additional information about the process.

Tilman Schmidt
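The distinction the answer above draws (one listener on local port 25 versus any number of outbound connections to a remote port 25, identified by PID rather than by name) can be turned into a small triage script. The following is an added example, not code from the thread or from Postfix: it parses `netstat -tnp`-style output, separates the inbound listener from outbound senders, counts outbound connections per owning PID, flags any sender whose reported name is not the expected MTA client, and resolves a PID through /proc instead of trusting the self-reported name. The SAMPLE block, the PIDs in it and the MTA_CLIENT default of "smtp" (Postfix's delivery agent name) are assumptions made for the example; run it against your own `netstat -tnp` output by piping that in place of SAMPLE.

```shell
#!/bin/sh
# Added example (not from the thread): sort `netstat -tnp` output into
# inbound SMTP listeners vs. outbound connections to remote port 25,
# group the outbound ones by owning PID, and resolve a PID through /proc
# instead of trusting the program name netstat prints.
#
# SAMPLE is constructed: documentation-range addresses, made-up PIDs.
SAMPLE='tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      1234/master
tcp        0    182 10.205.3.7:38995        203.0.113.10:25         ESTABLISHED 31909/smtp
tcp        0      0 10.205.3.7:53001        203.0.113.11:25         TIME_WAIT   -
tcp        0      1 10.205.3.7:50400        198.51.100.5:25         SYN_SENT    2151/smtp
tcp        0      0 10.205.3.7:41000        198.51.100.7:25         ESTABLISHED 4321/php
tcp        0      0 10.205.3.7:41002        198.51.100.8:25         ESTABLISHED 4321/php
tcp        0      0 127.0.0.1:443           127.0.0.1:52160         TIME_WAIT   -'

# Columns of `netstat -tnp`: 1 proto, 2 recv-q, 3 send-q, 4 local addr,
# 5 remote addr, 6 state, 7 pid/program ("-" when the socket has no owner,
# e.g. TIME_WAIT, or when you lack permission to see it).

# Owners of sockets LISTENING on local port 25 (inbound mail).
# Expect exactly one line: the MTA's master process.
smtp_listeners() {
    awk '$4 ~ /:25$/ && $6 == "LISTEN" { print $7 }'
}

# Owners of every connection whose REMOTE port is 25 (outbound mail),
# in any state. This is where a spam-sending script shows up.
smtp_outbound_owners() {
    awk '$5 ~ /:25$/ && $6 != "LISTEN" { print $7 }'
}

# Outbound connection count per owning process, busiest first,
# printed as "<count> <pid>/<name>".
outbound_by_process() {
    smtp_outbound_owners | grep -v '^-$' | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# Outbound senders whose reported program name is not the expected MTA
# client. Postfix delivers through a process named "smtp"; set MTA_CLIENT
# for another MTA. Only a first filter: the name is self-reported.
MTA_CLIENT=${MTA_CLIENT:-smtp}
non_mta_senders() {
    smtp_outbound_owners | grep -v '^-$' \
        | awk -F/ -v mta="$MTA_CLIENT" '$2 != mta { print }' | sort -u
}

# Resolve a PID to its real executable via /proc (needs root for other
# users' processes; reports cleanly if the process has already exited).
resolve_pid() {
    if exe=$(readlink "/proc/$1/exe" 2>/dev/null); then
        printf '%s\n' "$exe"
    else
        printf 'no such process or no permission: %s\n' "$1"
    fi
}

# Demo against the constructed sample: sh triage.sh --demo
if [ "${1:-}" = "--demo" ]; then
    echo "listeners on local :25:"
    printf '%s\n' "$SAMPLE" | smtp_listeners
    echo "outbound connections to remote :25, per process:"
    printf '%s\n' "$SAMPLE" | outbound_by_process
    echo "senders that are not the MTA client:"
    printf '%s\n' "$SAMPLE" | non_mta_senders
fi
```

On a live system, feed the script `netstat -tnp` run as root (otherwise the PID column is "-" for processes you do not own), then follow up each flagged PID with `resolve_pid <pid>` and `ps -o user,ppid,cmd -p <pid>` to see who started it and from where. A name such as "php" or "perl" holding connections to remote port 25 is exactly the pattern behind the mail() script the poster found.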

The answer to your question is yes: only postfix, or a similar mail transfer agent (MTA), should listen on port 25, which is the dedicated port for incoming mail.

Whenever your server is being used to send out spam, it's not using your incoming port; it makes outgoing connections.

alexus