This page is part of the EmailServer article.
Email services by definition need to connect to the outside world. Unless you are content to exchange emails only within your own private LAN, then at the very least your SMTP server will need to reach the outside world to send emails.
A more realistic configuration, such as the one we have been building here, also lets roaming users fetch their emails from outside the private LAN and lets other servers deliver messages to our SMTP server, postfix.
The following TCP ports are those used by mail services:
Depending on how your users are supposed to access their email, you will need to open the necessary incoming POP, IMAP and HTTP ports, and/or their secured variants (POP3S, IMAPS, HTTPS), on your Internet-facing connection.
In any case, you must open port 25 so that other mail servers can reach yours and deliver their messages. If roaming users are to submit their messages securely through your server, open the submission port as well: 587 (submission with STARTTLS) is the standard port for that purpose, and 465 (SMTP over TLS) is the other common choice; opening 465 alone, as this setup does, works but leaves clients that only know 587 unable to submit.
In the next chapter, we will see that it is fairly easy to secure your email channels with SSL/TLS and to get around the port blocking that ISPs often put in place.
Don't forget to disable the default firewall!
To avoid conflicts with the firewall script below, make sure that you disable the firewall service provided by default with your distribution, so that it cannot overwrite or interleave its own rules with yours.
Having a proper firewall on your server is a must. Instead of relying on the distribution's default firewall configuration, I always opt for the strong firewall rules scripts, which allow tighter control and better monitoring of connections.
These rules scripts are available in the IP-Masquerade-HOWTO, available from The Linux Documentation Project site.
In my firewall script, I use the following rules in the OUTPUT section of the script:
If you are not using the same firewall script, replace the following variables:
$IPTABLES by /sbin/iptables (the path to the iptables binary)
$EXTIF by your Internet-facing interface (eth0, for instance)
$EXTIP by your public Internet IP address
$UNIVERSE by 0.0.0.0/0, meaning any address (a bare 0.0.0.0 without the /0 mask would match nothing useful)
To ensure that the script is invoked at startup and whenever my Internet connection drops, I saved it as /etc/rc.d/rc.firewall and added that path to my /etc/rc.d/rc.local startup file and to my /etc/ppp/ip-up.local file, which is executed whenever the PPP connection comes back up.
Make sure the script is executable and writable only by root, then run it:
That is all you should need to make your email services reachable from the outside world without exposing your whole machine.
Remember that you don't have to poke all these holes in your firewall: only open the ports for the services you really need.
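Putting the port list and the variable substitutions above together, here is an added example of a small POSIX shell script that prints, and on request applies, the iptables rules a Postfix-based mail server needs. It is not the page's own rc.firewall script and is not taken from the IP-Masquerade-HOWTO. The interface name eth0, the classic `-m state` match, the decision to open 587 alongside 465, and the decision to keep the plaintext ports 110, 143 and 80 closed are all assumptions of this example.

```shell
#!/bin/sh
# Added example, not the page's own rc.firewall script: iptables rules that
# open only the mail ports discussed above. The interface name, the rule
# style (-m state, as in the IP-Masquerade-HOWTO era) and the choice of
# ports are assumptions; adjust them to your setup.

IPTABLES=${IPTABLES:-/sbin/iptables}
EXTIF=${EXTIF:-eth0}          # assumed Internet-facing interface
UNIVERSE="0.0.0.0/0"          # any address (a bare 0.0.0.0 would match nothing)

# Inbound TCP ports to open. 25 is mandatory (other MTAs deliver to it);
# 587 and 465 let roaming users submit mail; 993/995 serve IMAP/POP3 over
# TLS; 443 serves webmail over HTTPS. The plaintext variants (110, 143, 80)
# are left closed on purpose.
MAIL_PORTS_IN="25 587 465 993 995 443"

# Print the rules instead of executing them, so they can be reviewed
# (or tested) before a live firewall is touched.
mail_firewall_rules() {
    # Replies to connections we accepted or initiated, in both directions
    printf '%s -A INPUT -i %s -m state --state ESTABLISHED,RELATED -j ACCEPT\n' \
        "$IPTABLES" "$EXTIF"
    printf '%s -A OUTPUT -o %s -m state --state ESTABLISHED,RELATED -j ACCEPT\n' \
        "$IPTABLES" "$EXTIF"
    # New inbound connections from anywhere, only to the mail ports
    for port in $MAIL_PORTS_IN; do
        printf '%s -A INPUT -i %s -s %s -p tcp --dport %s -m state --state NEW -j ACCEPT\n' \
            "$IPTABLES" "$EXTIF" "$UNIVERSE" "$port"
    done
    # New outbound SMTP so postfix can deliver to other servers
    printf '%s -A OUTPUT -o %s -d %s -p tcp --dport 25 -m state --state NEW -j ACCEPT\n' \
        "$IPTABLES" "$EXTIF" "$UNIVERSE"
}

# "sh mail-ports.sh" prints the rules; "sh mail-ports.sh apply" runs them
# (as root). The script name is an assumption.
if [ "${1:-}" = "apply" ]; then
    mail_firewall_rules | sh -e
else
    mail_firewall_rules
fi
```

The script only appends (-A) to INPUT and OUTPUT; it does not flush chains or set the default DROP policies, so it is meant to be called from, or pasted into, a firewall script that already does that, such as the HOWTO's rc.firewall. Review the printed rules first, then run it with `apply` as root; if you later decide you do not need webmail or POP3, simply drop those ports from MAIL_PORTS_IN rather than leaving them open.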