howtos:network_services:postfix_dovecot_mysql:email_firewall [2015/02/15 07:18 (UTC)] – created astrogeek
howtos:network_services:postfix_dovecot_mysql:email_firewall [2015/02/16 09:43 (UTC)] – First complete version astrogeek
Line 1: Line 1:
 ==== Firewall Rules For Virtual Mail Server ==== ==== Firewall Rules For Virtual Mail Server ====
  
-A firewall is simply a set of kernel routing rules, iptables rules, that selectively block or allow network traffic into and out of your machine.+A firewall is simply a set of kernel routing rules, iptables rules, that selectively block or allow network traffic into and out of your machine. A web facing email server must be secured by a suitable set of firewall rules or it will quickly be overwhelmed and compromised!
  
-If you already have a firewall in place then you will need to add to it the rules necessary to support mail server traffic.+If you already have a firewall in place for other services then you will need to add to it the rules necessary to support mail server traffic. If you do not have a firewall currently in place, then you may use the example below as a good starting point! 
 + 
 +<note important>Loading //only// the rules below as your firewall will close other access that may be important to you such as http and ssh! 
 +You should first use iptables -L to check for pre-existing rules and merge those below into your existing firewall. 
 +If you have no existing firewall and need to allow http and ssh, uncomment the liines for those also included here.</note>
  
 Following is a minimal set of iptables rules to provide a firewall for your email server. Following is a minimal set of iptables rules to provide a firewall for your email server.
  
 <code> <code>
 +-A INPUT -m state --state INVALID -j DROP
 -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
--A OUTPUT -j ACCEPT 
  
 # Postfix SMTP, SMTPS, SUBMISSION # Postfix SMTP, SMTPS, SUBMISSION
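Review bot: the new note text in this hunk has a typo, "liines" should be "lines". Two further points on the same hunk: the advice to run `iptables -L` to find pre-existing rules would serve the merge better as `iptables-save`, which prints the active rules in the same `-A ...` syntax used by this file, so they can be pasted in directly; and removing `-A OUTPUT -j ACCEPT` is only safe if the OUTPUT chain policy in the restore file (the `:OUTPUT ACCEPT [0:0]` line, not shown in this diff) is ACCEPT, otherwise the server can no longer deliver outbound mail. The added `-A INPUT -m state --state INVALID -j DROP` placed ahead of the ESTABLISHED,RELATED accept is a sound hardening step.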
Line 17: Line 21:
  
 # Imap and ImapS # Imap and ImapS
--A INPUT -p tcp --dport 143 -m state --state NEW -j ACCEPT+#-A INPUT -p tcp --dport 143 -m state --state NEW -j ACCEPT
 -A INPUT -p tcp --dport 993 -m state --state NEW -j ACCEPT -A INPUT -p tcp --dport 993 -m state --state NEW -j ACCEPT
  
 # Pop3 and Pop3S # Pop3 and Pop3S
--A INPUT -p tcp --dport 110 -m state --state NEW -j ACCEPT+#-A INPUT -p tcp --dport 110 -m state --state NEW -j ACCEPT
 -A INPUT -p tcp --dport 995 -m state --state NEW -j ACCEPT -A INPUT -p tcp --dport 995 -m state --state NEW -j ACCEPT
 +
 +#  Allow HTTP and HTTPS connections from anywhere on normal ports
 +#-A INPUT -p tcp --dport 80 -j ACCEPT
 +#-A INPUT -p tcp --dport 443 -j ACCEPT
 +
 +#  Allow SSH connections on normal port 22
 +#-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
 +
 +#  Respond to ping requests
 +#-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
  
 #  Drop all other inbound #  Drop all other inbound
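Review bot: the commented HTTP/HTTPS lines omit `-m state --state NEW`, unlike every other accept rule in this file; it is harmless because ESTABLISHED,RELATED traffic is already accepted above, but a reader who uncomments them should get the same shape as the rest, e.g. `#-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT`. Commenting out ports 143 and 110 only stops the firewall from admitting plaintext IMAP/POP3; the Dovecot listeners on those ports still have to be disabled or restricted to TLS in the server configuration, which the text below says the article will do.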
Line 34: Line 48:
 Port 587, SUBMISSION, is used by Mail User Agents (MUAs) such as Thunderbird to allow submission of outgoing email from your virtual users. Port 587, SUBMISSION, is used by Mail User Agents (MUAs) such as Thunderbird to allow submission of outgoing email from your virtual users.
  
-Ports 143 and 110 provide plain text Imap and POP3 connections, rescpectively. It is probably best not to use these and to force all Imap and Pop3 connections to be secure, as we will do in this article. If not used it is best to remove them from your iptables rules.+Ports 143 and 110 provide plain text Imap and POP3 connections, rescpectively. It is probably best not to use these and to force all Imap and Pop3 connections to be secure, as we will do in this article. If not used it is best to comment them out of your iptables rules as is shown here.
  
 Ports 993 and 995 provide secure Imap and Pop3, respectively. These must be open in order for your virtual users to be able to send and receive email. Ports 993 and 995 provide secure Imap and Pop3, respectively. These must be open in order for your virtual users to be able to send and receive email.
  
-You may enable these rules by saving them to a text file (ex: /etc/firewall.rules), then loading that file using iptables-restore. +To install these rules as your firewall save them to a text file/etc/firewall.rules, then load that file using iptables-restore. This will replace any currently existing iptables rules with those in the file.
  
 <code>iptables-restore </etc/firewall.rules</code> <code>iptables-restore </etc/firewall.rules</code>
-You may see all currently active rules like this...+ 
 +To see all currently active rules:
 <code>iptables -L</code> <code>iptables -L</code>
-You may flush all current rules like this...+ 
 +To flush all current rules:
 <code>iptables -F</code> <code>iptables -F</code>
  
-To load your firewall rules at each boot, add the following to /etc/rc.d/rc.local:+To load your firewall rules at each boot, add the following lines to /etc/rc.d/rc.local:
  
 <code> <code>
 vi /etc/rc.d/rc.local vi /etc/rc.d/rc.local
-... add the following lines ...+ 
 +add the following lines #
 if [ -x /etc/firewall.rules ]; then if [ -x /etc/firewall.rules ]; then
         iptables-restore </etc/firewall.rules         iptables-restore </etc/firewall.rules
 fi</code> fi</code>
  
-And make sure rc.local and the firewall rules files are executable...+Make sure rc.local and the firewall rules files are executable...
 <code> <code>
 chmod +x /etc/rc.d/rc.local chmod +x /etc/rc.d/rc.local
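Review bot: the line `add the following lines #` inside the rc.local code block is not a valid shell comment; pasted into rc.local it would be run as a command named `add` and fail. The `#` belongs at the start of the line: `# add the following lines`. Also, `if [ -x /etc/firewall.rules ]` tests the execute bit on a data file that is never executed, which is the only reason the text then has to chmod +x the rules file; `if [ -r /etc/firewall.rules ]` is the appropriate test and removes the need to mark a rules file executable. Minor: "rescpectively" should be "respectively", and "text file/etc/firewall.rules" is missing a space before the path.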
Line 65: Line 81:
  
 <code> <code>
-iptables-restore &lt;/etc/firewall.rules+iptables-restore </etc/firewall.rules
 iptables -L iptables -L
 </code> </code>
  
-[[howtos:network_services:postfix_dovecot_mysql|Return to main article]] +[[howtos:network_services:postfix_dovecot_mysql|Return to main article page]] 
-{{tag>howtos template}}+{{tag>howtos email postfix dovecot firewall}}