
With a fully functioning Linux-based email server (running Postfix/Dovecot), how can one disable the ability to connect to SMTP/POP3/IMAP with external mail clients (or telnet, etc.) while still (and only) using Roundcube webmail (that is, a local email service)?

Roundcube connects to Dovecot IMAP to retrieve its mail; and the server in general needs to communicate to the outside world, so simply shutting off the ports/firewall won't work to still be able to send/receive mail within the webmail application.

rcd

3 Answers

Just configure Dovecot to listen on 127.0.0.1 only for the services you don't want to expose to the outside; you can specify this in dovecot.conf.

imap_listen = localhost
imaps_listen = localhost

It's similar for POP3:

pop3_listen = localhost
pop3s_listen = localhost
user9517
  • And there's a similar `inet_address = 127.0.0.1` for Postfix (SMTP) – mveroone Dec 26 '13 at 10:02
  • Kwaio, you can only lock SMTP down the same way if you never want the system to receive email from external systems. The OP hasn't suggested that such is the case. – MadHatter Dec 26 '13 at 10:43
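The listener settings quoted in this answer are the pre-2.0 spelling. The following is an added example, not code from the thread: it shows the equivalent Dovecot 2.x configuration (per-service `inet_listener` blocks, written to the Debian/Ubuntu default path, which is an assumption) together with a small audit that parses `ss -ltn` output and flags any IMAP/POP3 port bound to something other than loopback, so that a stray `listen = *` elsewhere in the config does not go unnoticed. The sample socket listings are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Dovecot 2.x spells "listen on localhost
# only" as per-service inet_listener blocks; audit_listeners then checks the
# live socket table so the result can be verified rather than assumed.
# Path /etc/dovecot/conf.d/10-master.conf is the Debian/Ubuntu default (assumption).

DOVECOT_SNIPPET='# /etc/dovecot/conf.d/10-master.conf (Dovecot 2.x syntax)
# Roundcube on this host talks to 127.0.0.1:143; nobody else needs IMAP/POP3.
service imap-login {
  inet_listener imap {
    address = 127.0.0.1
    port = 143
  }
  inet_listener imaps {
    # port = 0 disables the listener entirely
    port = 0
  }
}
service pop3-login {
  inet_listener pop3 {
    address = 127.0.0.1
    port = 110
  }
  inet_listener pop3s {
    port = 0
  }
}'

# write_dovecot_snippet DIR: writes the snippet to DIR/10-master.conf.
# On the real box: write_dovecot_snippet /etc/dovecot/conf.d, then
# `doveconf -n` to validate and `systemctl reload dovecot`.
write_dovecot_snippet() {
    printf '%s\n' "$DOVECOT_SNIPPET" > "$1/10-master.conf"
}

# Ports that must only ever be reachable from the machine itself.
LOCAL_ONLY_PORTS="143 993 110 995"

# audit_listeners: reads `ss -ltn` output on stdin, prints every mailbox-access
# port bound to a non-loopback address and returns 1 if any were found.
# Live usage:  ss -ltn | audit_listeners
audit_listeners() {
    found=0
    while read -r state _recvq _sendq laddr _peer _rest; do
        [ "$state" = "LISTEN" ] || continue      # also skips the header line
        port=${laddr##*:}
        addr=${laddr%:*}
        for p in $LOCAL_ONLY_PORTS; do
            [ "$port" = "$p" ] || continue
            case "$addr" in
                127.*|'[::1]') ;;                # loopback: fine
                *) echo "EXPOSED: $laddr"; found=1 ;;   # 0.0.0.0, *, [::], real IP
            esac
        done
    done
    return "$found"
}
```

Run the audit after every reload; a non-zero exit with an `EXPOSED:` line means the port is still reachable from the network regardless of what the config file says.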

Well, you can use a firewall to ensure that connections to the IMAP and POP3 services cannot be made from outside the system. If your Dovecot installation is on a different server, then again, your firewall rules can be set up to allow connections to/from that system only.

As for SMTP, you can't just block this as you say. You can, however, make sure it only accepts connections to/from a separate smarthost that just acts as a mail relay, but this isn't ironclad by any means either. I think if you want to have any kind of server available on the Internet you have to accept that sooner or later people will find a way to connect to it in ways you hadn't anticipated, and rather than going gung-ho for preventing the impossible I would just do what was reasonable in this regard and then spend the rest of my energy on ensuring the system was securely configured and managed.

Rob Moir
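The firewall policy this answer describes, as an added example that is not part of the original post: an nftables ruleset that keeps inbound SMTP reachable, lets only the loopback interface (or, when Dovecot runs on a separate box, only the webmail host's address) reach IMAP/POP3, and logs and drops everything else on those ports. The table name `mail_access` and the webmail address `192.0.2.10` used below are assumptions; the generated text is what you would feed to `nft -f`.

```shell
#!/bin/sh
# Added example, not from the answer. Prints an nftables ruleset implementing
# "SMTP stays open, IMAP/POP3 only from loopback or the webmail host".
# Table name and any addresses are assumptions; adapt before loading.

# mail_ruleset [WEBMAIL_IP]: with no argument (Roundcube and Dovecot on the
# same host) the only path to IMAP/POP3 is the loopback interface. With an
# argument (Dovecot on its own server) that single address is allowed too.
mail_ruleset() {
    webmail=${1:-}
    cat <<EOF
table inet mail_access {
  chain input {
    # Merge into your existing input chain; policy accept here so this
    # fragment cannot lock out SSH and friends when loaded on its own.
    type filter hook input priority 0; policy accept;
    iif "lo" accept
    ct state established,related accept
    # Inbound mail from the rest of the world must keep working.
    tcp dport 25 accept
EOF
    if [ -n "$webmail" ]; then
        cat <<EOF
    # Only the webmail front end may reach the mailbox store.
    ip saddr $webmail tcp dport { 143, 993 } accept
EOF
    fi
    cat <<EOF
    # Everyone else is logged and dropped on the mailbox-access ports.
    tcp dport { 110, 995, 143, 993 } log prefix "mail-access-denied: " drop
  }
}
EOF
}

# check_ruleset [WEBMAIL_IP]: parse and validate the generated ruleset without
# loading it (nft -c), when nft is installed on this machine.
check_ruleset() {
    command -v nft >/dev/null 2>&1 || { echo "nft not installed"; return 2; }
    mail_ruleset "$@" | nft -c -f -
}
```

Usage: `mail_ruleset 192.0.2.10 | nft -f -` on the Dovecot host when the webmail server is separate, or plain `mail_ruleset | nft -f -` when everything runs on one box. The log prefix gives you a cheap signal in the kernel log for exactly the unanticipated connection attempts the answer warns about.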

Much more effective is to limit connections from the outside to those who have passed authentication.

If the remote client knows a valid email/password and can establish TLS sessions to the server's SMTP/IMAP services, why not? As a side effect, your users can use the native MUAs built into iOS/Android.

Kondybas
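If the ports stay exposed as this answer suggests, what matters is that no credential ever travels in cleartext. The following is an added example, not code from the answer: a small audit that reads a Dovecot config and a Postfix main.cf and checks the settings that enforce "TLS before AUTH" (`disable_plaintext_auth`, `ssl` on the Dovecot side; `smtpd_tls_security_level`, `smtpd_sasl_auth_enable`, `smtpd_tls_auth_only` on the Postfix side). The weak and hardened sample files it creates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread. Audits Dovecot and Postfix settings that
# keep passwords off the wire when IMAP/SMTP remain reachable from outside.
# The sample config files written below are constructed for the demo.

# get_setting FILE KEY: prints the value of KEY (last assignment wins), with a
# trailing Dovecot-style "# comment" stripped; prints nothing if KEY is absent.
get_setting() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*#.*$//' | tail -n 1
}

# require_setting FILE KEY ALLOWED...: succeeds if KEY's value is one of ALLOWED,
# otherwise reports what was found and fails.
require_setting() {
    file=$1; key=$2; shift 2
    value=$(get_setting "$file" "$key")
    for ok in "$@"; do
        [ "$value" = "$ok" ] && return 0
    done
    echo "$file: $key is '${value:-unset}', want one of: $*"
    return 1
}

# audit_auth_policy DOVECOT_CONF POSTFIX_MAIN_CF: returns 0 only if every check passes.
audit_auth_policy() {
    rc=0
    # Dovecot: refuse LOGIN/PLAIN unless the link is TLS. Dovecot treats a client
    # connecting from the server's own address (Roundcube on 127.0.0.1) as secured,
    # so webmail keeps working. ssl=required additionally refuses non-TLS sessions;
    # choose it once Roundcube itself is configured to talk TLS to Dovecot.
    require_setting "$1" disable_plaintext_auth yes || rc=1
    require_setting "$1" ssl yes required || rc=1
    # Postfix: offer TLS (may: port 25 must still accept MTAs that cannot do TLS)
    # and only announce/accept AUTH once TLS is up.
    require_setting "$2" smtpd_tls_security_level may encrypt || rc=1
    require_setting "$2" smtpd_sasl_auth_enable yes || rc=1
    require_setting "$2" smtpd_tls_auth_only yes || rc=1
    return "$rc"
}

# Constructed samples: a weak pair and a hardened pair.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/dovecot-weak.conf" <<'EOF'
disable_plaintext_auth = no
ssl = yes
EOF
cat > "$SAMPLE_DIR/main-weak.cf" <<'EOF'
smtpd_tls_security_level = none
smtpd_sasl_auth_enable = yes
EOF
cat > "$SAMPLE_DIR/dovecot-hardened.conf" <<'EOF'
disable_plaintext_auth = yes   # no cleartext passwords from outside
ssl = required
EOF
cat > "$SAMPLE_DIR/main-hardened.cf" <<'EOF'
smtpd_tls_security_level = may
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_tls_auth_only = yes
EOF
```

Usage on a live box: `audit_auth_policy /etc/dovecot/dovecot.conf /etc/postfix/main.cf` (or feed the output of `doveconf -n` and `postconf -n` to files first, which resolves includes and defaults). Each failing check is printed with the value actually found, which is the first thing to fix before opening the ports to the Internet.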