[2024-feb-29] Sad news: Eric Layton aka Nocturnal Slacker aka vtel57 passed away on Feb 26th, shortly after hospitalization. He was one of our Wiki's most prominent admins. He will be missed.
Differences
This shows you the differences between two versions of the page.
Both sides previous revisionPrevious revisionNext revision | Previous revision | ||
howtos:network_services:postfix_dovecot_mysql:email_firewall [2015/02/15 19:04 (UTC)] – astrogeek | howtos:network_services:postfix_dovecot_mysql:email_firewall [2018/02/06 01:17 (UTC)] (current) – [Firewall Rules For Virtual Mail Server] astrogeek | ||
---|---|---|---|
Line 1: | Line 1: | ||
- | ==== Firewall Rules For Virtual Mail Server ==== | + | ====== Firewall Rules For Virtual Mail Server |
- | <note important> | + | This page is supplemental to main article: [[howtos: |
- | A firewall is simply a set of kernel routing rules, iptables rules, that selectively block or allow network traffic into and out of your machine. A web facing email server must be secured by a suitable set of firewall rules or it will quickly be overwhelmed and comppromised! | + | A firewall is simply a set of kernel routing rules, iptables rules, that selectively block or allow network traffic into and out of your machine. A web facing email server must be secured by a suitable set of firewall rules or it will quickly be overwhelmed and compromised! |
- | If you already have a firewall in place for other services then you will need to add to it the rules necessary to support mail server traffic. | + | If you already have a firewall in place for other services then you will need to add to it the rules necessary to support mail server traffic. |
- | <note important> | + | <note important> |
- | You should first use iptables -L to check for pre-existing rules and merge those below into your existing | + | You should first use iptables -L to check for pre-existing rules and __merge |
- | If you have no existing firewall and need to allow http and ssh, uncomment the liines for those also included here.</ | + | If you have no existing firewall and/or need to allow http and ssh, uncomment the --policy lines and those for http and ssh as necessary to meet your requirements.</ |
- | Following is a minimal set of iptables rules to provide a firewall for your email server. | + | Following is a **minimal** set of iptables rules to provide a firewall for your email server. |
< | < | ||
+ | #--policy INPUT DROP | ||
+ | #--policy FORWARD DROP | ||
+ | #--policy OUTPUT ACCEPT | ||
+ | |||
-A INPUT -m state --state INVALID -j DROP | -A INPUT -m state --state INVALID -j DROP | ||
-A INPUT -m state --state ESTABLISHED, | -A INPUT -m state --state ESTABLISHED, | ||
Line 23: | Line 27: | ||
# Imap and ImapS | # Imap and ImapS | ||
- | -A INPUT -p tcp --dport 143 -m state --state NEW -j ACCEPT | + | #-A INPUT -p tcp --dport 143 -m state --state NEW -j ACCEPT |
-A INPUT -p tcp --dport 993 -m state --state NEW -j ACCEPT | -A INPUT -p tcp --dport 993 -m state --state NEW -j ACCEPT | ||
# Pop3 and Pop3S | # Pop3 and Pop3S | ||
- | -A INPUT -p tcp --dport 110 -m state --state NEW -j ACCEPT | + | #-A INPUT -p tcp --dport 110 -m state --state NEW -j ACCEPT |
-A INPUT -p tcp --dport 995 -m state --state NEW -j ACCEPT | -A INPUT -p tcp --dport 995 -m state --state NEW -j ACCEPT | ||
Line 50: | Line 54: | ||
Port 587, SUBMISSION, is used by Mail User Agents (MUAs) such as Thunderbird to allow submission of outgoing email from your virtual users. | Port 587, SUBMISSION, is used by Mail User Agents (MUAs) such as Thunderbird to allow submission of outgoing email from your virtual users. | ||
- | Ports 143 and 110 provide plain text Imap and POP3 connections, | + | Ports 143 and 110 provide plain text Imap and POP3 connections, |
Ports 993 and 995 provide secure Imap and Pop3, respectively. These must be open in order for your virtual users to be able to send and receive email. | Ports 993 and 995 provide secure Imap and Pop3, respectively. These must be open in order for your virtual users to be able to send and receive email. | ||
- | You may enable | + | To install |
+ | There are many preferences for saving and loading firewall scripts. I generally use / | ||
< | < | ||
- | You may see all currently active rules like this... | + | |
+ | To see all currently active rules: | ||
< | < | ||
- | You may flush all current rules like this... | + | |
+ | To flush all current rules: | ||
< | < | ||
- | To load your firewall rules at each boot, add the following | + | To load your firewall rules at each boot, you will need to create a start script and save it to / |
+ | |||
+ | You may choose to create a more complete script with start and stop options, but the following simple script is sufficient to load your firewall rules at boot. | ||
< | < | ||
- | vi / | + | vi / |
- | ... add the following lines ... | + | |
- | if [ -x / | + | # add the following lines # |
+ | if [ -e / | ||
iptables-restore </ | iptables-restore </ | ||
- | fi</ | + | fi |
+ | </ | ||
- | And make sure rc.local and the firewall | + | Make sure rc.firewall |
< | < | ||
- | chmod +x / | + | chmod +x / |
- | chmod +x /etc/firewall.rules | + | |
</ | </ | ||
- | Load your firewall rules and make sure they are as you expect them to be before continuing. | + | Load your firewall rules and make sure they are as you expect them to be before continuing. |
< | < | ||
Line 86: | Line 96: | ||
[[howtos: | [[howtos: | ||
+ | ====== Sources ====== | ||
+ | * Originally written by [[wiki: | ||
{{tag> | {{tag> |