
I have a new Ubuntu 14.04 LAMP server with the UFW firewall set up on DigitalOcean. My goal is to add email for use on my phone (iPhone) and laptop (via Roundcube).

There is a lot of old information floating around about what you need to do to set up email and ports. It seems my server will be needing Postfix AND Dovecot, correct?
I am trying to open just enough ports on my firewall to get email from everyone. I will list my port research. I have starred (*) the ports I think I must open. Is this enough to get email from everyone and successfully manage it on my devices?

SMTP (for inbound and outbound mail)
 *25  = non secure
  465 = secure, old (smtp over ssl)
 *587 = secure, new (smtp-msa)

POP3 (bad way for managing mail)
  110 = non secure
  995 = secure (pop3 over ssl)

IMAP (good way for managing mail)
  143 = non secure
 *993 = secure (imap over ssl)
Josh

2 Answers


Not quite, you need some more research, but you're on the right track :-)

To begin with, you can secure any of the ports you mentioned as non "secure" by negotiating STARTTLS instead of protocol-over-SSL.

Your 465 should only have been in SMTP, not IMAP, and you should forget about it in any case.

POP is OK when mail is just passing through to one device. Since you want to use both your iPhone and your laptop, IMAP is definitely what you want, but POP isn't bad in itself, just inappropriate for your needs.

You need Postfix on port 25 to receive mail from the Internet. You need Postfix on port 587 to receive mail from your iPhone and laptop, and Dovecot on 993 (and/or 143) to enable your iPhone and laptop to get mail from your server.

You also need Postfix to be able to contact port 25 on any server on the Internet so that you can send mail.

I'll stop here since your question was specifically about the firewall setup, the rest is a big subject and you should be able to find more info by yourself...

Law29
  • Thanks. I tweaked the list. I tried to up-vote your answer but it won't let me. Do you have any links that might help me further? – Josh Apr 10 '16 at 21:24
  • I like https://www.digitalocean.com/community/tutorials/how-to-set-up-a-postfix-e-mail-server-with-dovecot and since you (rightly) seem concerned with communication security you might like that it starts off with the SSL part. – Law29 Apr 10 '16 at 21:39
  • You probably can't upvote since you don't have enough reputation, but you can accept. – Law29 Apr 10 '16 at 21:44
  • Yea I will accept later today. If I do it too soon it probably discourages new input. – Josh Apr 10 '16 at 21:53
  • 465 shouldn't be forgotten because a lot of providers still block any connections to port 25 but allow the historically well-known 465, while 587 is blocked as an "unknown" service. – Kondybas Apr 11 '16 at 14:20
  • In Josh's context I see no use for 465, I have never seen home user -> internet server:587 blocked. home user -> internet server:25 is often blocked to avoid spam trojans, but since Josh is setting up his server at DigitalOcean he needs 25 and not 465. – Law29 Apr 11 '16 at 15:32
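One way to check a UFW rule set against the inbound ports Law29's answer calls for (25, 587, 993, with 143 optional and 465/110/995 left closed), as an added example that is not part of either answer. It assumes the standard `ufw status` table layout and works on a constructed sample instead of a live server; no outbound rule is needed because UFW allows outgoing traffic by default.

```shell
#!/bin/sh
# Added example, not from the original post: compare a `ufw status` table with
# the inbound mail ports Law29's answer calls for and print the ufw commands that
# close the gap. Outbound 25 needs no rule: UFW allows outgoing traffic by default.

REQUIRED_PORTS="25 587 993"   # must be open: MTA, submission, IMAPS
UNNEEDED_PORTS="465 110 995"  # the answer says to leave these closed (143 is optional)

# Constructed sample of `ufw status` output, not a real server's rules.
SAMPLE_UFW_STATUS='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
25/tcp                     ALLOW       Anywhere
587/tcp                    ALLOW       Anywhere
110/tcp                    ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)'

# allowed_tcp_ports STATUS -> space-separated TCP ports that have an ALLOW rule
allowed_tcp_ports() {
    printf '%s\n' "$1" | awk '$2 == "ALLOW" && $1 ~ /^[0-9]+\/tcp$/ {
        sub(/\/tcp$/, "", $1); printf "%s ", $1 }'
}

# missing_ports STATUS -> required ports with no ALLOW rule, one per line
missing_ports() {
    allowed=$(allowed_tcp_ports "$1")
    for p in $REQUIRED_PORTS; do
        case " $allowed " in *" $p "*) ;; *) echo "$p" ;; esac
    done
}

# unneeded_open_ports STATUS -> open ports the answer says should stay closed
unneeded_open_ports() {
    allowed=$(allowed_tcp_ports "$1")
    for p in $UNNEEDED_PORTS; do
        case " $allowed " in *" $p "*) echo "$p" ;; esac
    done
}

# ufw_fix_commands STATUS -> ufw commands that reach the answer's rule set
ufw_fix_commands() {
    for p in $(missing_ports "$1"); do echo "ufw allow $p/tcp"; done
    for p in $(unneeded_open_ports "$1"); do echo "ufw delete allow $p/tcp"; done
}

ufw_fix_commands "$SAMPLE_UFW_STATUS"
```

On a real host, replace the sample with `ufw_fix_commands "$(sudo ufw status)"` and review the printed commands before running them.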

At a minimum you need the SMTP (25) port open in both directions. You should have the Submission (587) port open for incoming traffic, if you want mobile clients to be able to send email. For your clients to pick up mail you need either IMAP (143) or IMAPS (993) open for incoming traffic, although it would be better to have both open as sometimes one or the other is firewalled by ISPs.

Setting up your own SMTP server can be somewhat difficult. Besides requiring a static IP address, there are several DNS records you need to set up. Either Postfix or Exim4 will work. There are a number of posts dealing with SMTP server issues. You could configure your clients to use a relay for outgoing messages.

If you do choose to set up your own mail server, you will need to deal with incoming spam. Your clients (cellphone and laptop) should connect on the Submission port (587) and authenticate. Exim4 can authenticate using your Dovecot server; I don't know if Postfix will do the same. You will need port 25 open in both directions to allow mail to flow to other servers.

If you don't install Postfix or Exim4 you will likely want to provide a lightweight server like ssmtp to deliver system notifications.

Having a single place to manage your mail is a good idea. Dovecot is a reasonably easy to configure server that provides IMAP services. I would configure it to listen on both the IMAP (143) and IMAPS (993) ports. I believe Dovecot listens on both these ports when you use the imap protocol.

You are correct in not using the POP protocols.

If you are not running your own email (SMTP) server for incoming mail you can use a program like fetchmail to get your mail from the server that it is being delivered to. You will need the appropriate port open to connect to your server. It will need a Mail Delivery Agent to deliver the mail. One option is procmail, although you may be able to use the Dovecot LDA service.

BillThor