
UTM-9 ports 25, 465, 587 are open on all public IPs, can I close some of them?

I have 14 public IPs, let's say

14.138.200.81 - 14.138.200.94

I enabled SMTP routing as an email gateway, and forward mail to the Exchange server.

I just want 200.81 to have 25 open for receiving mail, but 465 and 587 closed,

and all the other public IPs should also have 25, 465, 587 closed.

But an added deny-all to the public IPs for 25, 465, 587 does not work.

Can anyone help?

I have case number 8479344, and 4 UTM-9 on hand.



  • That's correct, but you can change the destination to an address in the 240.0.0.0/4 subnet. That's a subnet reserved for future use and will not go anywhere; see it as a sort of blackhole where you send all traffic that you don't want inside your network.

  • Hi Ming and welcome to the UTM Community!

    To understand why your firewall rule didn't work, read #2 in Rulz. See #3 through #5 for a better understanding of specific issues. Also see Doug Foster's take on some of this: READ ME FIRST: UTM Architecture.

    I think you'll want to allow all three ports on the public IP to which your MX record points. Port 587 is ESMTP and is not rarely used. Port 465 is used by older servers to send mail and it's essentially SMTP over an SSL-encrypted tunnel. Both SMTP (25) and ESMTP can establish an encrypted tunnel after the connection is made.

    Cheers - Bob
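
A way to confirm from outside the UTM that the exposure matches what the question asks for (port 25 on 14.138.200.81 only), as an added example that is not part of the thread. The address range and ports come from the question; the function names and the three probe states are assumptions of this example.

```python
import ipaddress
import socket

# Range and ports from the question; substitute your own public range.
FIRST, LAST = "14.138.200.81", "14.138.200.94"
MAIL_PORTS = (25, 465, 587)
# Policy the poster asked for: only the first address accepts SMTP on 25.
ALLOWED = {("14.138.200.81", 25)}

def public_ips(first=FIRST, last=LAST):
    """Expand an inclusive first-last range into a list of address strings."""
    start = int(ipaddress.IPv4Address(first))
    end = int(ipaddress.IPv4Address(last))
    return [str(ipaddress.IPv4Address(n)) for n in range(start, end + 1)]

def probe(ip, port, timeout=3.0):
    """One TCP connect attempt: 'open', 'refused' or 'no-answer'."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:  # timeout or unreachable
        return "no-answer"

def scan(prober=probe):
    """Probe every mail port on every public address."""
    return {(ip, p): prober(ip, p) for ip in public_ips() for p in MAIL_PORTS}

def audit(results, allowed=ALLOWED):
    """Compare observed states with the policy; return the deviations."""
    findings = []
    for ip, port in sorted(results):
        is_open = results[(ip, port)] == "open"
        if is_open and (ip, port) not in allowed:
            findings.append((ip, port, "exposed"))
        elif not is_open and (ip, port) in allowed:
            findings.append((ip, port, "unreachable"))
    return findings

if __name__ == "__main__":
    # Run from a host on the Internet side, not from the LAN behind the UTM.
    for ip, port, problem in audit(scan()):
        print(f"{ip}:{port} {problem}")
```

Either non-open state ("refused" or "no-answer") satisfies the policy for a port that should be closed; an empty result means the exposure matches the policy.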