Firewall

This page is part of the EmailServer article.
Firewall considerations
Email services by definition need to be able to connect to the outside world. Unless you are content with exchanging email within your own little private LAN, it is likely that, in the minimum configuration, at least your SMTP server will need to reach the outside world to send mail.
A more realistic configuration, like the one we've been building here, would allow roaming users to fetch their email from outside the private LAN and would allow other servers to deliver messages to our SMTP server, Postfix.
The following TCP ports are those used by mail services:
- SMTP: 25 (plain-text transfers; a session can be upgraded with STARTTLS)
- IMAP: 143 (plain-text transfers)
- POP3: 110 (plain-text transfers)
- SMTPS: 465 (secure, SMTP over SSL/TLS)
- IMAPS: 993 (secure, IMAP over SSL/TLS)
- POP3S: 995 (secure, POP3 over SSL/TLS)
- HTTP: 80 (for webmail, plain-text transfers)
- HTTPS: 443 (for webmail, secure HTTP over SSL/TLS)
Now, depending on how your users are supposed to access their email, you will need to open the necessary incoming POP3, IMAP and HTTP ports and/or their secured variants on your Internet-facing connection. Bear in mind that on the plain-text ports, user passwords cross the Internet unencrypted unless the server enforces STARTTLS, so prefer the secured variants wherever your clients support them.
In any case, you will need to open port 25 so other servers can reach yours and deliver their messages. If you want roaming users to be able to send their messages securely through your server, port 465 must also be opened (modern clients more commonly use the submission port, 587, with STARTTLS; open it as well if Postfix is configured to listen there).
In a later chapter, we will see that it is fairly easy to secure your email channels with SSL/TLS and to get around the port blocking that ISPs often put in place.
Firewall implementation
Don't forget to disable the default firewall!
To avoid conflicts with your existing firewall, make sure that you disable the one provided by default with your distribution, but only once your own rules script is installed and loaded at boot, so the server is never left unfiltered.
Having a proper firewall on your server is a must. Instead of relying on the default firewall configuration, I always opt for the "stronger" firewall rules script, which gives better security and better visibility of the connections the server accepts.
That rules script is available in the IP-Masquerade-HOWTO from The Linux Documentation Project site.
Specific rules
In my firewall script, I add the following rules to the INPUT section, the one that filters connections arriving on the external interface (each rule accepts incoming TCP on $EXTIF, from any source, to our public address, for one destination port):
# Plain-text email ports: SMTP, POP3, IMAP
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
    -p tcp -s $UNIVERSE -d $EXTIP --dport 25 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
    -p tcp -s $UNIVERSE -d $EXTIP --dport 110 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
    -p tcp -s $UNIVERSE -d $EXTIP --dport 143 -j ACCEPT
# SSL/TLS email ports: SMTPS, POP3S, IMAPS
echo -e " - Allowing access to Secured Email ports"
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
    -p tcp -s $UNIVERSE -d $EXTIP --dport 465 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
    -p tcp -s $UNIVERSE -d $EXTIP --dport 995 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
    -p tcp -s $UNIVERSE -d $EXTIP --dport 993 -j ACCEPT
# Webmail ports: HTTP, HTTPS
echo -e " - Allowing access to Web ports"
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
    -p tcp -s $UNIVERSE -d $EXTIP --dport 80 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
    -p tcp -s $UNIVERSE -d $EXTIP --dport 443 -j ACCEPT
If you are not using the same firewall script, replace the following variables:
- $IPTABLES by /sbin/iptables
- $EXTIF by your Internet-facing interface (eth0 for instance)
- $EXTIP by your public Internet IP address
- $UNIVERSE by 0.0.0.0/0, meaning any source address (a bare 0.0.0.0 is treated by iptables as 0.0.0.0/32 and would match nothing useful)
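As an added example, not code from this page's rc.firewall or from the IP-Masquerade HOWTO, the POSIX shell script below turns the two decisions made above (which access profile your users need, and which INPUT rules that implies) into a function that emits only the rules for that profile, so no unneeded port is opened. It generalizes the page's single rule list into three profiles: plain relay, SSL/TLS-only roaming access, and legacy plain-text access. The profile names, the interface eth0 and the placeholder address 203.0.113.10 are assumptions; setting IPTABLES=echo prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not the page's rc.firewall: pick the mail ports to open from
# an access profile and emit the matching INPUT rules, so only the holes you
# need get poked. Variable names follow the IP-Masquerade HOWTO script.
IPTABLES=${IPTABLES:-/sbin/iptables}
EXTIF=${EXTIF:-eth0}            # assumption: Internet-facing interface
EXTIP=${EXTIP:-203.0.113.10}    # assumption: placeholder public address (TEST-NET-3)
UNIVERSE="0.0.0.0/0"            # any source; the /0 matters, a bare 0.0.0.0 is /32

# mail_ports PROFILE: print the TCP ports the profile needs, one per line.
#   relay  - inbound SMTP from other mail servers only (25)
#   secure - relay plus roaming users over SSL/TLS only (465, 993, 995, 443)
#   legacy - secure plus plain-text POP3, IMAP and HTTP (110, 143, 80)
mail_ports() {
    case "$1" in
        relay)  echo 25 ;;
        secure) printf '%s\n' 25 465 993 995 443 ;;
        legacy) printf '%s\n' 25 465 993 995 443 110 143 80 ;;
        *)      echo "mail_ports: unknown profile '$1'" >&2; return 1 ;;
    esac
}

# open_mail_ports PROFILE: append one ACCEPT rule per port to the INPUT chain.
# Only NEW connections are matched here; a single generic ESTABLISHED,RELATED
# rule earlier in the script covers the replies (-m conntrack --ctstate is the
# modern spelling of -m state --state and behaves the same for this purpose).
open_mail_ports() {
    ports=$(mail_ports "$1") || return 1
    for port in $ports; do
        "$IPTABLES" -A INPUT -i "$EXTIF" -m state --state NEW \
            -p tcp -s "$UNIVERSE" -d "$EXTIP" --dport "$port" -j ACCEPT
    done
}

# Usage: ./mailfw.sh secure                 loads the rules (needs root)
#        IPTABLES=echo ./mailfw.sh secure   dry run, prints them instead
if [ "$#" -gt 0 ]; then
    open_mail_ports "$1"
fi
```

Run it with IPTABLES=echo before the first real run and read the output: a rule that mentions 0.0.0.0 without the /0, or a port you did not mean to expose, is much cheaper to catch there than after the script is wired into rc.local.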
To ensure that the script is run at startup and again whenever my Internet connection comes back up after a drop, I saved it as /etc/rc.d/rc.firewall and added that path to my /etc/rc.d/rc.local startup file and to /etc/ppp/ip-up.local, which is executed whenever the PPP connection is (re)established.
Make sure the script is executable and writable only by root, then run it:
# chmod 744 rc.firewall
# chown root:root rc.firewall
# ./rc.firewall
That's all you should need to make your email services reachable from the outside world without exposing the whole machine.
Remember that you don't have to poke all of these holes in your firewall; open only the ports for the services you really need.