This page is part of the EmailServer article.

Firewall considerations

Email services by definition need to be able to connect to the outside world. Unless you are content with being able to exchange emails in your own little private LAN, it's likely that, in the minimum configuration, at least your

The following
Now, depending on how your users are supposed to access their email, you will need to open the necessary incoming POP, IMAP and HTTP ports and/or their secured variants on your Internet-facing connection. In a later chapter, we will see that it is fairly easy to secure your email channels using SSL and to get around the port blocking that ISPs often put in place.

Firewall implementation
Having a proper firewall on your server is a must. Instead of relying on the default firewall configuration, I always opt to use the strong firewall rule scripts, which allow better security and monitoring of the connections. These rule scripts are available in the IP-Masquerade-HOWTO from The Linux Documentation Project site.

Specific rules

In my firewall script, I use the following rules in the

    echo -e " - Allowing access to standard Email ports"
    $IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
        -p tcp -s $UNIVERSE -d $EXTIP --dport 25 -j ACCEPT
    $IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
        -p tcp -s $UNIVERSE -d $EXTIP --dport 110 -j ACCEPT
    $IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
        -p tcp -s $UNIVERSE -d $EXTIP --dport 143 -j ACCEPT

    echo -e " - Allowing access to Secured Email ports"
    $IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
        -p tcp -s $UNIVERSE -d $EXTIP --dport 465 -j ACCEPT
    $IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
        -p tcp -s $UNIVERSE -d $EXTIP --dport 995 -j ACCEPT
    $IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
        -p tcp -s $UNIVERSE -d $EXTIP --dport 993 -j ACCEPT

    echo -e " - Allowing access to Web ports"
    $IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
        -p tcp -s $UNIVERSE -d $EXTIP --dport 80 -j ACCEPT
    $IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
        -p tcp -s $UNIVERSE -d $EXTIP --dport 443 -j ACCEPT

If you are not using the same firewall script, replace the following variables:
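As an added example (not the page's own rc.firewall), the same ACCEPT rules generated from one port list, so the three variables are set in one place and each port is checked before a rule is built; EXTIF, EXTIP and UNIVERSE follow the page's names, while the interface and address values are constructed samples and IPTABLES defaults to printing the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not the page's own rc.firewall: the same ACCEPT rules as the
# fragment above, generated from one port list so the three variables live in
# one place. EXTIF, EXTIP and UNIVERSE are the page's names; the interface and
# address values below are constructed samples to be replaced.
EXTIF="${EXTIF:-eth0}"
EXTIP="${EXTIP:-203.0.113.10}"
UNIVERSE="${UNIVERSE:-0.0.0.0/0}"
# Print the rules by default; set IPTABLES=/sbin/iptables to apply them.
IPTABLES="${IPTABLES:-echo iptables}"

# Accept only a plain number in 1..65535, so a typo in the port list fails
# here instead of producing an unintended rule.
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# One stateful ACCEPT rule for an inbound TCP port on the external interface,
# identical in form to the rules in the script above.
allow_tcp_port() {
  valid_port "$1" || { echo "bad port: $1" >&2; return 1; }
  $IPTABLES -A INPUT -i "$EXTIF" -m state --state NEW,ESTABLISHED,RELATED \
    -p tcp -s "$UNIVERSE" -d "$EXTIP" --dport "$1" -j ACCEPT
}

# Open a labelled group of ports; the label only feeds the progress line.
allow_group() {
  label="$1"; shift
  echo " - Allowing access to $label"
  for p in "$@"; do allow_tcp_port "$p" || return 1; done
}

# Dry-run helper: how many rules the given port list would add.
rule_count() {
  ( IPTABLES=echo; allow_group check "$@" ) | grep -c -- '--dport'
}

# The page's three groups; 80/443 are only needed if webmail runs on this host.
apply_email_rules() {
  allow_group "standard Email ports" 25 110 143 &&
  allow_group "Secured Email ports" 465 995 993 &&
  allow_group "Web ports" 80 443
}

apply_email_rules
```

Run as-is to review the rules that would be added; export the three variables and IPTABLES=/sbin/iptables (as root) to apply them.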
To ensure that the script is invoked at startup and whenever my internet connection drops, I saved the script as

Make sure the script is executable and modifiable only to

    # cd /etc/rc.d
    # chmod 744 rc.firewall
    # chown root.root rc.firewall
    # ./rc.firewall

That's all you should need to make your email services accessible from the outside world without compromising your whole machine.

Resources