
Welcome to the Slackware Documentation Project



Firewall Rules For Virtual Mail Server

A firewall is simply a set of kernel packet-filtering rules (iptables rules) that selectively block or allow network traffic into and out of your machine.

If you already have a firewall in place then you will need to add to it the rules necessary to support mail server traffic.

Following is a minimal set of iptables rules to provide a firewall for your email server.

# iptables-restore needs the table header and a closing COMMIT line
*filter
# Accept loopback traffic so local services (e.g. MySQL lookups) are not dropped
-A INPUT -i lo -j ACCEPT
# Accept packets belonging to connections this host already has open
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -j ACCEPT

# Postfix SMTP, SMTPS, SUBMISSION
-A INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 465 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 587 -m state --state NEW -j ACCEPT

# IMAP and IMAPS
-A INPUT -p tcp --dport 143 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 993 -m state --state NEW -j ACCEPT

# POP3 and POP3S
-A INPUT -p tcp --dport 110 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 995 -m state --state NEW -j ACCEPT

# Drop all other inbound
-A INPUT -j DROP
COMMIT

Port 25, SMTP, must be enabled in order to accept incoming email for delivery to your virtual mail boxes.

Port 465, SMTPS, must be enabled for secure SMTP connections.

Port 587, SUBMISSION, is used by Mail User Agents (MUAs) such as Thunderbird to allow submission of outgoing email from your virtual users.

Ports 143 and 110 provide plain-text IMAP and POP3 connections, respectively. It is probably best not to use these, and to force all IMAP and POP3 connections to be secure, as we will do in this article. If they are not used, remove them from your iptables rules.

Ports 993 and 995 provide secure (TLS) IMAP and POP3, respectively. These must be open in order for your virtual users to be able to read their email (outgoing email is submitted on port 587).

You may enable these rules by saving them to a text file (ex: /etc/firewall.rules), then loading that file using iptables-restore.

iptables-restore </etc/firewall.rules

You may see all currently active rules like this…

iptables -L

You may flush all current rules like this…

iptables -F

To load your firewall rules at each boot, add the following to /etc/rc.d/rc.local:

vi /etc/rc.d/rc.local
... add the following lines ...
if [ -x /etc/firewall.rules ]; then
        iptables-restore </etc/firewall.rules
fi

And make sure rc.local and the firewall rules file are executable…

chmod +x /etc/rc.d/rc.local
chmod +x /etc/firewall.rules

Load your firewall rules and make sure they are as you expect them to be before continuing.

iptables-restore </etc/firewall.rules
iptables -L
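Before handing a rules file to iptables-restore it is worth checking its shape, since a missing COMMIT or an ACCEPT placed after the catch-all DROP is easy to overlook. The script below is an added example and is not part of the original article: it writes a constructed sample ruleset (the one above) to a temporary file, checks for the *filter header, COMMIT, the ESTABLISHED,RELATED accept and the final DROP, flags ACCEPT rules that can never match because they follow the DROP, and lists the TCP ports opened to new connections, warning about the plain-text ports 143 and 110. The function names write_sample, check_rules and opened_ports are chosen for this demo.

```shell
#!/bin/sh
# Added example, not from the original article: a pre-flight lint for an
# iptables-restore rules file. The sample ruleset written by write_sample is
# constructed from the article's rules; the function names are ours.

# Write a constructed sample rules file (the article's ruleset) to the path in $1.
write_sample() {
    cat >"$1" <<'EOF'
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -j ACCEPT
# Postfix SMTP, SMTPS, SUBMISSION
-A INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 465 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 587 -m state --state NEW -j ACCEPT
# IMAP and IMAPS
-A INPUT -p tcp --dport 143 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 993 -m state --state NEW -j ACCEPT
# POP3 and POP3S
-A INPUT -p tcp --dport 110 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 995 -m state --state NEW -j ACCEPT
# Drop all other inbound
-A INPUT -j DROP
COMMIT
EOF
}

# Print, one per line and sorted numerically, the TCP ports that the INPUT
# chain accepts for NEW connections in the rules file $1.
opened_ports() {
    grep -E '^-A INPUT .*-p tcp .*--dport [0-9]+ .*-j ACCEPT' "$1" \
        | sed 's/.*--dport \([0-9]*\).*/\1/' \
        | sort -n
}

# Return 0 when the rules file $1 has the shape the article relies on.
# Each problem is reported on stderr and makes the return status 1;
# open plain-text ports only produce a warning.
check_rules() {
    f=$1
    status=0
    grep -q '^\*filter' "$f" \
        || { echo "$f: missing '*filter' header; iptables-restore will reject it" >&2; status=1; }
    grep -q '^COMMIT' "$f" \
        || { echo "$f: missing 'COMMIT'; the table is never committed" >&2; status=1; }
    grep -q -- '--state ESTABLISHED,RELATED -j ACCEPT' "$f" \
        || { echo "$f: no ESTABLISHED,RELATED accept; reply packets would be dropped" >&2; status=1; }
    grep -q '^-A INPUT -j DROP' "$f" \
        || { echo "$f: no final 'INPUT -j DROP'; unlisted ports stay open" >&2; status=1; }
    # Any INPUT ACCEPT rule placed after the catch-all DROP can never match.
    if awk '/^-A INPUT -j DROP/ { dropped = 1; next }
            dropped && /^-A INPUT .*-j ACCEPT/ { found = 1 }
            END { exit !found }' "$f"; then
        echo "$f: ACCEPT rule(s) after the final DROP are unreachable" >&2
        status=1
    fi
    for p in $(opened_ports "$f"); do
        case $p in
            143|110) echo "$f: warning, plain-text port $p is open; consider removing it" >&2 ;;
        esac
    done
    return $status
}

# Demo run: write the sample, lint it, and show which ports it opens.
sample=$(mktemp)
write_sample "$sample"
if check_rules "$sample"; then
    echo "$sample: shape OK; TCP ports opened to NEW connections:"
    opened_ports "$sample"
fi
rm -f "$sample"
```

Run it against your real file with `check_rules /etc/firewall.rules` after sourcing the script. This only checks the file's shape; iptables-restore itself can also be asked to parse without applying anything with `iptables-restore --test </etc/firewall.rules`, which catches syntax errors the grep patterns do not.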


