FirewallID settings for a server without mail services

SYSTEM INFORMATION
OS type and version Debian Linux 12
Virtualmin version 7.10.0

I’m setting a Virtualmin Debian12 server where a PHP application may send email to users (registration, notification, etc) but it won’t manage mail or mailbox.

I enabled the FirewallID module and I wonder if I can delete rule type services such as:
Service imap (143) TCP
Service imaps (993) TCP
Service pop3 (110) TCP
Service pop3s (995) TCP
Service smtp (25) TCP
Service smtp-submission (587) TCP
Service smtps (465) TCP

Not 25, I think. You could block the rest.

1 Like

I do not understand the reasoning/motivation.

why disable/uninstall FirewallD? it is there to protect the server not just the users identified by inbound requests to that PHP application.

By “delete the rule” I meant to close the service as this is how FirewallD works.
(no rule = port or service closed)

I have a server, where I didn’t use the virtualmin installer, but I added a both the virtualmin module and the postfix sever, this allowed me to iptables directly and tbf I only have port 25 open and mails sent to a remote email address get sent however because of no spf/dmarc etc the remote server may reject the mail or deliver it to spam

I have a server also using a php application that registers users and sends an OTP as part of the verification process.
It was a default Virtualmin install (OK different OS) so FirewallD was installed.
I have not had the need/or desire to interfere with its default settings.

Everything works just fine.

the server does have other domains and other non-php application so has mail services. I cannot see how a php application can send mail without access to its mail service.
but my php knowledge is about 10 years rusty

Php could send email via the mail command
echo 'Body of Email' | mail -s 'Subject' recipientOfEmail. by either using shell_exec, exec or system functions. I coded a further function called split_exec which is simular to the exec function but splits stdout and stderr into 2 arrays and also returns the error level

Just re read the thread the OP has firewalld installed and the question was it safe to remove the rules from firewalld without impacting other services

2 Likes

Yes I read that but …

makes no sense as it is enabled by default on a clean install (as I was describing) so there is no need to tinker with any FirewallD settings.

I believe that closing unused services and ports is an excellent practice to enhance server security.
This is the motivation behind my question.

Although I agree with closing unused ports. I trust Virtualmin to decide what services are used/enabled which is why I don’t tinker with the default settings.

It could be said @bsfez is moving away from standard by not needing a full blown mail server, so the defaults that virtualmin applies to firewalld are no longer required as the services mentioned in the first post are no longer required, so I see that removing those services from firewalld (is this tinkering ?) will do no harm to the server operation, you could I guess disable dovecot as well (this would not be required in this instance) to save some server resources

1 Like

I see your point. So once again (as so often - it seems) I am assuming a normal (whatever that might be?) installation of Virtualmin (hosting more than one domain + mail) now or in the future.

Yes, but if nothing is actually running on that port I’m not sure there is a real difference. I have slight preference in dropping a connection that I assume is malicious since it is looking for a non-existent service.

All of these rules, including 25, only apply to incoming connections. Nothing in the Virtualmin-created firewall has any effect on outgoing connections.

Thanks all for your replies that helped me.

This topic was automatically closed 8 days after the last reply. New replies are no longer allowed.