Mail server using SSL and STARTTLS, should I close non-secure mail ports?

Hi guys,
In looking at my firewall (on the Vultr service provider side of things), I am considering my port options.
All of my clients must make use of SSL and secure communications in email, so I run IMAP and POP3 securely.

At my service provider firewall, should I close all non-secure ports? (i.e. 25, 110 & 143)

Is there any other reason why I need to leave 25 open at all if all mail is to use encrypted communication?

So I am currently planning on only allowing for mail:
465&587 (SMTP encrypted)
993 (IMAP encrypted)
995 (POP3 encrypted)

If you close port 25, your server might not be able to send or receive email to or from the rest of the net. I keep ports 110 and 143 open to support legacy email clients and scripts.

If you close port 25, you no longer have a mail server.

So why do we bother choosing an encrypted SMTP port for receiving and sending mail if we need port 25 open?

You have no control over the millions of mail servers in the world that you’d like to possibly receive mail from.
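As an added illustration (not configuration posted by anyone in this thread), this is how the split described above is normally expressed in Postfix: port 25 keeps opportunistic STARTTLS because the remote MTA may or may not support it, while the submission ports used only by your own clients require TLS and authentication. The certificate and key paths are assumed; substitute your own.

```conf
# main.cf (added example; Postfix does not allow comments after a value,
# so every comment is on its own line)

# Port 25 talks to every other MTA on the net: offer STARTTLS, but accept
# a plaintext session if the peer cannot or will not encrypt.
smtpd_tls_security_level = may
# Same policy for mail you send out to other servers.
smtp_tls_security_level = may
# Assumed paths; point these at your real certificate and key.
smtpd_tls_cert_file = /etc/ssl/certs/mail.example.com.pem
smtpd_tls_key_file = /etc/ssl/private/mail.example.com.key
# Record "(using TLSv1.3 with cipher ...)" in the Received: header so you
# can see after the fact whether a hop was encrypted.
smtpd_tls_received_header = yes
# Log TLS handshakes (1 = summary per connection) for the mail log.
smtpd_tls_loglevel = 1
# Never accept a SASL login on a session that has not negotiated TLS.
smtpd_tls_auth_only = yes

# master.cf (added example): the ports your own clients use.
# 587: STARTTLS required, then authentication required.
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# 465: TLS from the first byte (wrapper mode), then authentication required.
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
```

The `permit_sasl_authenticated,reject` restriction on 587 and 465 means those ports cannot be used as open relays and only carry your users' outbound mail; inbound mail from the rest of the world still arrives on 25, with whatever encryption the sending server is able to negotiate.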

Oooohhhh.
So what happens when another server sends mail via a non-encrypted port? Does my SMTP move it across to an encrypted one before Dovecot delivers it? How does this process actually happen?

Dovecot does not deliver it (though there is a delivery agent in the Dovecot package, we don’t currently use it). Procmail is the delivery agent used by default in a Virtualmin system. It is not encrypted during delivery as it doesn’t cross the wire. It goes from Postfix to Procmail, which drops it into ~/Maildir. (The term “Mail Delivery Agent” is well-defined. “Delivery” generally means the process of placing mail into a local mail spool for the user. “Retrieval” is what Dovecot does.)

Dovecot is the IMAP/POP server, and it may (or may not, depending on configuration) be encrypted when your clients use IMAP/POP to retrieve their mail. Dovecot is used to retrieve mail.

So:

Thunderbird/Outlook/Usermin=MUA (Mail User Agent)
Postfix=MTA (Mail Transfer Agent or mail relay)
Dovecot=MRA (Mail Retrieval Agent) (also ships an MDA, but we don’t use it)
Procmail=MDA (Mail Delivery Agent) or LMDA (Local Mail Delivery Agent)

Edit: These terms are well-defined and not Virtualmin-specific (we try not to invent terminology). You can read up on Wikipedia.

Ah ok, hence the importance of port 25.
Thanks Joe.

So does my idea of closing non-secure email ports on the firewall still have any relevance, or does it make no difference?

It sounds like it doesn't really make any difference with regard to all the automated spam bots I see in my log files trying to log in/connect? Fail2ban is catching them, but I just wondered if I could close ports to help reduce that kind of stuff?

What ports? You can’t close ports for all traffic for services you want to provide. It’s a world-facing server, it’s gonna get dinged all day long. You’ll drive yourself crazy if you try to babysit it. Just make sure you’re updating regularly and practicing good password hygiene.

A firewall is of very limited utility in a public server. Active tools like fail2ban are pretty much your only option for reducing brute force stuff. There are also packet inspection firewalls, among other things, but fail2ban (or sshguard on simpler/smaller servers) is all I use.

If you refer to port 25 as insecure, that's not entirely correct. Port 25 as used by MTAs may or may not support TLS, meaning your mail can travel securely between servers depending on the MTAs' configurations. The default is always to use TLS and fall back to plain text communication in case one of the servers doesn't support it or has it disabled. You can see in an email's headers whether your mail was delivered to your server securely, for example:

Received: from mail-pg1-x542.google.com (mail-pg1-x542.google.com [IPv6:2122:00b0:0064:20::120])
	(using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by host.domain.com (Postfix) with ESMTPS id AEBB121000
	for <username@domain.com>; Tue,  9 Jun 2020 12:00:00 +0300 (MSK)

The keyword ESMTPS indicates the use of ESMTP with STARTTLS to provide a strong transport encryption layer.

The next step is when you're using an MRA to fetch your mail, where again you may or may not use TLS.

There are many different levels to have your email securely handled.

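To turn the header check described above into something you can run over a mailbox, here is an added Python example (not code from the thread or from Virtualmin). It unfolds the Received: headers, reads the RFC 3848 protocol keyword (ESMTPS, ESMTPSA, ESMTP, ESMTPA) to decide whether each hop was encrypted, and pulls the TLS version and cipher out of the comment Postfix writes when smtpd_tls_received_header is on. It goes a little beyond the post by also distinguishing "authenticated" from "encrypted" and flagging hops that used a TLS version below 1.2. The sample headers are constructed: the first hop is the one quoted in the post, the second is a made-up plaintext hop from a hypothetical relay.

```python
"""Audit a message's Received: trail: which hops used TLS, and how strong.

Added example, not code from the thread. The "with ESMTPS" keyword is what
any conforming MTA records for a STARTTLS session (RFC 3848), so it is
checked first; the "(using TLSv... with cipher ...)" comment is Postfix
specific (smtpd_tls_received_header = yes) and gives the version and cipher.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: hop 1 is the TLS-protected hop quoted in the thread,
# hop 2 is a made-up plaintext hop from a hypothetical relay.
SAMPLE_HEADERS = """\
Received: from mail-pg1-x542.google.com (mail-pg1-x542.google.com [IPv6:2122:00b0:0064:20::120])
\t(using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
\t key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
\t(No client certificate requested)
\tby host.domain.com (Postfix) with ESMTPS id AEBB121000
\tfor <username@domain.com>; Tue,  9 Jun 2020 12:00:00 +0300 (MSK)
Received: from relay.example.net (relay.example.net [192.0.2.10])
\tby host.domain.com (Postfix) with ESMTP id 0123456789
\tfor <username@domain.com>; Tue,  9 Jun 2020 11:59:00 +0300 (MSK)
"""

_FROM = re.compile(r"^Received:\s*from\s+(\S+)", re.I)
_BY = re.compile(r"\bby\s+(\S+)", re.I)
_WITH = re.compile(r"\bwith\s+([A-Za-z0-9]+)", re.I)
_TLS = re.compile(r"\(using (TLSv[\d.]+|SSLv\d) with cipher (\S+) \((\d+)/(\d+) bits\)")
_KEX = re.compile(r"key-exchange (\S+)")


def unfold(raw: str) -> List[str]:
    """Join RFC 5322 folded header lines (a continuation starts with WSP)."""
    logical: List[str] = []
    for physical in raw.splitlines():
        if physical[:1] in (" ", "\t") and logical:
            logical[-1] += " " + physical.strip()
        else:
            logical.append(physical)
    return logical


def protocol_is_encrypted(proto: str) -> bool:
    """ESMTPS / ESMTPSA mean STARTTLS was active on the hop.
    A trailing A only says the sender authenticated (ESMTPA), not encrypted."""
    return proto.upper().rstrip("A").endswith("S")


def tls_version_ok(version: Optional[str]) -> bool:
    """Treat anything below TLS 1.2, and any SSLv*, as obsolete."""
    if not version or not version.startswith("TLSv"):
        return False
    return float(version[4:]) >= 1.2


def parse_received(line: str) -> Dict[str, object]:
    """Extract the hop, the protocol keyword and any TLS details from one header."""
    m_from, m_by = _FROM.search(line), _BY.search(line)
    # Search for "with" only after "by ...": the TLS comment itself contains
    # "with cipher", which must not be mistaken for the protocol keyword.
    m_with = _WITH.search(line, m_by.end() if m_by else 0)
    m_tls, m_kex = _TLS.search(line), _KEX.search(line)
    proto = m_with.group(1) if m_with else "?"
    version = m_tls.group(1) if m_tls else None
    encrypted = protocol_is_encrypted(proto)
    return {
        "from": m_from.group(1) if m_from else "?",
        "by": m_by.group(1) if m_by else "?",
        "protocol": proto,
        "encrypted": encrypted,
        "tls_version": version,
        "cipher": m_tls.group(2) if m_tls else None,
        "bits": int(m_tls.group(3)) if m_tls else None,
        "key_exchange": m_kex.group(1) if m_kex else None,
        # Encrypted, but with a version we no longer consider acceptable.
        "obsolete_tls": encrypted and version is not None and not tls_version_ok(version),
    }


def audit(raw_headers: str) -> List[Dict[str, object]]:
    """One record per Received: header, newest hop first (the hop into your
    own server is the first one listed)."""
    return [parse_received(h) for h in unfold(raw_headers)
            if h.lower().startswith("received:")]


def report(raw_headers: str) -> List[str]:
    """Human-readable line per hop, handy for grepping across a mailbox."""
    lines: List[str] = []
    for hop in audit(raw_headers):
        if hop["encrypted"]:
            detail = f"{hop['tls_version'] or 'TLS'} {hop['cipher'] or ''}".strip()
            if hop["obsolete_tls"]:
                detail += " (obsolete version)"
        else:
            detail = "PLAINTEXT"
        lines.append(f"{hop['from']} -> {hop['by']} [{hop['protocol']}] {detail}")
    return lines


if __name__ == "__main__":
    for entry in report(SAMPLE_HEADERS):
        print(entry)
```

Feed it the raw headers of a message (for example the output of `formail -X Received:` or the header section of a file from ~/Maildir) and a PLAINTEXT line tells you a sending server on port 25 never negotiated STARTTLS with yours; that is the fallback the post describes, and the firewall cannot change it.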