
This page is part of the EmailServer article.

Firewall considerations

Email services by definition need to be able to connect to the outside world. Unless you are content with exchanging emails only inside your own little private LAN, it is likely that, in the minimum configuration, at least your SMTP server will need to reach the outside world to send emails.
A more realistic configuration, such as the one we have been building here, would allow roaming users to fetch their emails from outside the private LAN and would allow other servers to deliver messages to our SMTP server, postfix.

The following TCP ports are those used by mail services:

  • SMTP: 25 (Plain text transfers)
  • IMAP: 143 (plain text transfers)
  • POP3: 110 (plain text transfers)
  • SMTPS: 465 (Secure, SMTP over SSL)
  • IMAPS: 993 (Secure, IMAP over SSL)
  • POP3S: 995 (Secure, POP over SSL)
  • HTTP: 80 (For webmail, plain text transfer)
  • HTTPS: 443 (For webmail, Secure HTTP over SSL)

Now, depending on how your users are supposed to access their email, you will need to open the necessary incoming POP, IMAP and HTTP ports and/or their secured variants on your Internet-facing connection.
In any case, you will need to open port 25 so other servers can communicate with yours and deliver their messages. If you want roaming users to be able to deliver their messages securely through your server, port 465 must also be opened.

In the next chapter, we will see that it is fairly easy to secure your email channels using SSL and to circumvent the port blocking that ISPs often put in place.

Firewall implementation

Don't forget to disable the default firewall!

To avoid conflicts with your existing firewall, make sure that you disable the one provided by default with your distribution!
On a Fedora machine, invoke system-config-securitylevel if you're in the GUI, or system-config-securitylevel-tui on the command line, to disable it.

Having a proper firewall on your server is a must. Instead of relying on the default firewall configuration, I always opt to use the strong firewall rules scripts that allow better security and monitoring of the connections.

These rules scripts are available in the IP-Masquerade-HOWTO available from The Linux Documentation Project site.

Specific rules

In my firewall script, I use the following rules in the OUTPUT section of the script:

echo -e "      - Allowing access to standard Email ports"
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
          -p tcp -s $UNIVERSE -d $EXTIP --dport 25  -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
          -p tcp -s $UNIVERSE -d $EXTIP --dport 110  -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
          -p tcp -s $UNIVERSE -d $EXTIP --dport 143  -j ACCEPT
echo -e "      - Allowing access to Secured Email ports"
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
          -p tcp -s $UNIVERSE -d $EXTIP --dport 465  -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
          -p tcp -s $UNIVERSE -d $EXTIP --dport 995  -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
          -p tcp -s $UNIVERSE -d $EXTIP --dport 993  -j ACCEPT
echo -e "      - Allowing access to Web ports"
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
          -p tcp -s $UNIVERSE -d $EXTIP --dport 80  -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
          -p tcp -s $UNIVERSE -d $EXTIP --dport 443  -j ACCEPT

If you are not using the same firewall script, replace the following variables:

  • $IPTABLES by /sbin/iptables
  • $EXTIF by your Internet-facing interface (eth0 for instance)
  • $EXTIP by your Internet IP address.
  • $UNIVERSE by 0.0.0.0/0 (any source address; the mask is required, a bare 0.0.0.0 would be taken as a single host and match nothing)
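As an added example (it is neither the page's rc.firewall fragment nor the IP-Masquerade-HOWTO script), the same INPUT rules as a small POSIX shell function that opens only the services you name, following the advice to open no more ports than you need. The interface and address values are assumed placeholders, and by default the function prints the iptables commands instead of running them, so the rule set can be reviewed before it is applied as root.

```shell
#!/bin/sh
# Added example, not the page's script. Variable names follow the page's
# rc.firewall conventions; the values below are assumed placeholders.
EXTIF="${EXTIF:-eth0}"               # assumed Internet-facing interface
EXTIP="${EXTIP:-203.0.113.10}"       # constructed documentation address
UNIVERSE="0.0.0.0/0"                 # any source: the /0 mask is required
# Dry run by default: print the commands. Set IPTABLES=/sbin/iptables
# (as root) to apply them for real.
IPTABLES="${IPTABLES:-echo /sbin/iptables}"

# Map a service name from the page's port table to its TCP port.
# Unknown names return non-zero so a typo cannot silently open a port.
port_for() {
  case "$1" in
    smtp)  echo 25 ;;  imap)  echo 143 ;; pop3)  echo 110 ;;
    smtps) echo 465 ;; imaps) echo 993 ;; pop3s) echo 995 ;;
    http)  echo 80 ;;  https) echo 443 ;;
    *) return 1 ;;
  esac
}

# Emit one ACCEPT rule per requested service, e.g. open_mail_ports smtp imaps.
# Replies belong to connections already accepted, so one ESTABLISHED,RELATED
# rule covers them all; the per-port rules only need to admit NEW connections.
# Nothing is added for a service that is not listed, so enabling the secure
# variant of a service does not also expose its plain-text twin.
open_mail_ports() {
  $IPTABLES -A INPUT -i "$EXTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
  for svc in "$@"; do
    port=$(port_for "$svc") || { echo "unknown service: $svc" >&2; return 1; }
    $IPTABLES -A INPUT -i "$EXTIF" -m state --state NEW \
      -p tcp -s "$UNIVERSE" -d "$EXTIP" --dport "$port" -j ACCEPT
  done
}

# Review helper for the dry run: how many ACCEPT rules would be added for a
# given port with the given service list (0 means the port stays closed).
count_rules_for_port() {
  port="$1"; shift
  open_mail_ports "$@" | grep -c -- "--dport $port "
}
```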

To ensure that the script is invoked at startup and whenever my internet connection drops, I saved the script as /etc/rc.d/rc.firewall and added that path to my /etc/rc.d/rc.local startup file and my /etc/ppp/ip-up.local file which is executed whenever the PPP connection restarts.

Make sure the script is executable and modifiable only by root, then restart it:

# cd /etc/rc.d
# chmod 744 rc.firewall
# chown root.root rc.firewall
# ./rc.firewall

That's all you should need to make your email services accessible from the outside world without compromising your whole machine.
Remember that you don't have to poke all these holes in your firewall; only open the ports for the services you really need.

Page last modified on Thursday 23 April 2009, at 03:20 GMT+8 - Viewed 4129 times