How could I secure email this way?

I feel unwilling to unblock the :20000 port to the outside world because I’m unsure if hackbots would be able to attempt brute force indiscriminately on it.

I do have csf and lfd installed as well as the firewall.
If I opened up that port to the world would they automatically block failed logins? How can I check?

I’m thinking that the ideal way to open up emails to the people in the office would be to create keys.

I would create a key for userA, and so long as userA connects to the server with this key the user would be able to log in. Is it possible to have the firewall accept a per key user?

What is the term for this type of verification so that I can look it up on Google?
Is there a tutorial that describes this situation?
I would appreciate the help with any other alternatives for securing email access as well.

I’m assuming that the firewalls block only on a per-IP basis; would they ever be able to analyze for a key?

We use CSF and I must say it's fantastic. We block ALL ports except email and 20000. Then we add our office IP and dynamic hostnames into the allow lists so approved IP/hostnames can access all other blocked ports (SSH, FTP, Webmin). One reason I love CSF is its ability to resolve dynamic hostnames every x minutes. So being on dynamic IP addresses at home, myself and my customers can access the ports still by using dynamic hostnames.

As for the blocks, CSF should still block users with failed attempts, even if they are on the allowed list. We have customers who are on the allowed list and sometimes we need to unblock their IP as they had 5 failed POP attempts for example.
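Added example, not part of the thread and not code from CSF: one way to check whether lfd will block failed mail logins once port 20000 is open. It reads the csf.conf settings TCP_IN, LF_POP3D, LF_IMAPD, LF_SMTPAUTH and IGNORE_ALLOW; the sample file contents and the function names are constructed for illustration.

```python
import re

# Constructed csf.conf excerpt (sample values, not from the thread's server).
SAMPLE_CSF_CONF = '''
# inbound TCP: SMTP, POP3, IMAP, SMTPS, submission, IMAPS, POP3S, port 20000
TCP_IN = "25,110,143,465,587,993,995,20000"
LF_POP3D = "5"
LF_IMAPD = "0"
LF_SMTPAUTH = "5"
IGNORE_ALLOW = "0"
'''

# lfd login-failure triggers for the mail services; "0" means disabled.
MAIL_TRIGGERS = ("LF_POP3D", "LF_IMAPD", "LF_SMTPAUTH")


def parse_csf_conf(text):
    """Return {KEY: value} for each KEY = "value" line; comments are skipped."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r'^\s*([A-Z0-9_]+)\s*=\s*"([^"]*)"', line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def port_is_open(settings, port):
    """True if TCP_IN lists the port, either alone or inside a lo:hi range."""
    for item in settings.get("TCP_IN", "").split(","):
        lo, _, hi = item.strip().partition(":")
        if lo and int(lo) <= port <= int(hi or lo):
            return True
    return False


def audit(settings):
    """List the settings that weaken failed-login blocking for mail access."""
    findings = []
    for key in MAIL_TRIGGERS:
        if int(settings.get(key) or 0) == 0:
            findings.append(f"{key} is 0: lfd does not block failed logins there")
    if settings.get("IGNORE_ALLOW") == "1":
        findings.append("IGNORE_ALLOW is 1: lfd never blocks IPs in csf.allow")
    if port_is_open(settings, 20000):
        findings.append("TCP_IN opens port 20000 to every source address")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_csf_conf(SAMPLE_CSF_CONF)):
        print(finding)
```

On a real server, pass the contents of `/etc/csf/csf.conf` to `parse_csf_conf` instead of the sample string.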

Are there additional benefits in using keys, if this is possible?