Debian – Why is exim4 listening on port 25

Actually only versions present up to Debian 9 or RHEL 7 have this problem, not Debian 10 or RHEL 8. The feature causing the random privileged UDP port binding has been disabled in rpcbind 1.2.5, the release coming after 0.2.3 and 0.2.4.

From Debian 10.1+'s /usr/share/doc/rpcbind/README.Debian:

Since version 1.2.5 due to security concerns upstream has turned off the remote calls functionality by default and added a configuration flag at build time to enable it.

This functionality caused rpcbind to open up random listening ports. With remote calls turned off rpcbind stops to receive any broadcast query causing breakage on systems depending on this feature, e.g., NIS systems.

On Debian systems the remote calls can be turned on at run-time using the command line argument 'r'. See rpcbind(8) for more details.

I could verify on Debian 9 that (forcefully) upgrading rpcbind to Debian 10's version is enough to lose the additional privileged bound port. Using the new Debian-specific -r option provided by a Debian patch (which mostly recompiles with --enable-rmtcalls and adds a runtime option) "restores" the feature, except it appears the bound UDP port is not privileged anymore.

Usage of this remote call feature is with rpcinfo -b (or Kodi) to send broadcast queries to all LAN's portmappers. Eg to discover RPC prognum 100005 version 3 (for NFSv3's mountd):

rpcinfo -b 100005 3

This will send a broadcast to port 111/UDP and the replying portmappers will use the additionally bound UDP port as source (in a typical firewall-unfriendly method similar to TFTP). Without this port, they won't answer, but can still answer direct unicast queries directly from port 111/UDP as usual.