[Mimedefang] Firewalls and Mimedefang

Michiel Brandenburg apex at xepa.nl
Tue Sep 15 16:28:12 EDT 2009


Cliff Hayes wrote:
> My shiny new mimedefang servers (7 of them) are all running smoothly.  I've
> asked the boss to contribute financially to your cause.
Do the servers have some intercommunication going on? If so you might 
want to make a list of the services they share and allow connections 
from your mimedefang servers only.

> Now I have to deal with the jerks.  I started out running with no firewall
> (not comfortable with that) and have the typical ssh probes.  I didn't want
> to try to mess with a firewall and end up blocking something mimedefang
> and/or spamassassin was doing.  Here is a list of ports I've accumulated.  I
> have two questions:
> 
> a) Please let me know if I've missed anything.
probably :)
> b) If I do miss something, how will it make itself known?  maillog?  some
> other log?
I use a firewall package that spams via syslog if you tell it to.
> port list:
> 
> 7 (vipul's razor)
> 25 (smtp mail)
> 123 (for ntpd time updates)
> 1023 (dcc)
> 2703 (vipul's razor)
> 6277 (dcc)
> 24441 (pyzor)

I assume you are talking about firewalling both ways, i.e. firewalling 
outgoing connections as well as incoming connections.  I would suggest 
you start with incoming connections only. This is a lot easier, as 
you control the machine that is going to make outgoing connections 
(besides your software ofc). Besides, on an outgoing mailserver lots of 
ports will be used to connect to other machines, updates, DNS lookups 
etc. If you are going to filter outgoing ports, only filter the low 
ones, 1 - 1024; the rest is kinda pointless.

ports opened on the SMTP server from the net.

- for incoming email
1. 25 (SMTP)
2. 465 (SMTP over SSL)
3. 2525 (another smtp port for ppl whose ISP blocks outgoing smtp 
connections)

- pop / imap
4. 110 (POP3)
5. 995 (POP3 over SSL)
6. 143 (IMAP)
7. 993 (IMAP over SSL)

ports opened on the SMTP servers from internal only
8. 783 (spamassassin)

ports opened on the helper machines for internal use only
9. 10020 (spamassassin load balancer, mimedefang connects to this one)
10. 3306 (shared stats, spamscores, blocks etc via mysql)

Furthermore I would suggest opening up 22 from the net so you can 
access all the machines (another port, say 22022, would help against those 
scans but I never bothered).

Hope it helps,
--
Michiel
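The port list above turned into an actual inbound rule set, as an added example that is not part of the original post or of MIMEDefang itself. It assumes Linux iptables with the conntrack module; INTERNAL_NET and SSH_PORT are constructed placeholders. The script prints the rules rather than applying them so they can be reviewed first, leaves outgoing traffic unfiltered as the post suggests (the ESTABLISHED,RELATED rule lets replies to the server's own razor, DCC, pyzor, DNS and NTP traffic back in without listing those ports), and logs dropped packets to syslog, which is how a forgotten port would make itself known.

```shell
#!/bin/sh
# Added example, not from the original list post: generate the INPUT-chain
# rules for one MIMEDefang/SpamAssassin relay from the port list above.
# Rules are printed, not applied; review them, then pipe to sh on the host.
# INTERNAL_NET and SSH_PORT are constructed placeholders, not site values.

INTERNAL_NET="${INTERNAL_NET:-192.168.10.0/24}"
SSH_PORT="${SSH_PORT:-22}"

# Reachable from the whole Internet: SMTP, SMTPS, alternate SMTP, POP/IMAP.
PUBLIC_TCP="25 465 2525 110 995 143 993"
# Reachable from the internal network only: spamd, spamd balancer, MySQL.
INTERNAL_TCP="783 10020 3306"

# allow_tcp PORT [SOURCE]: print one ACCEPT rule for a new TCP connection,
# restricted to SOURCE when one is given.
allow_tcp() {
    if [ -n "$2" ]; then
        echo "iptables -A INPUT -p tcp -s $2 --dport $1 -m conntrack --ctstate NEW -j ACCEPT"
    else
        echo "iptables -A INPUT -p tcp --dport $1 -m conntrack --ctstate NEW -j ACCEPT"
    fi
}

# gen_rules: print the complete rule set, in order (default policy DROP).
gen_rules() {
    echo "iptables -P INPUT DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # Replies to the server's own outbound connections (razor, DCC, pyzor,
    # DNS, NTP, updates) come back through this rule, so outbound ports
    # never need to be listed here.
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for p in $PUBLIC_TCP; do
        allow_tcp "$p"
    done
    for p in $INTERNAL_TCP; do
        allow_tcp "$p" "$INTERNAL_NET"
    done
    allow_tcp "$SSH_PORT"
    # Log what is dropped (rate limited) so a missing port shows up in
    # syslog instead of failing silently.
    echo "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix \"fw-drop: \""
    echo "iptables -A INPUT -j DROP"
}

# count_rules: number of generated iptables commands, for a quick sanity check.
count_rules() {
    gen_rules | grep -c '^iptables'
}

gen_rules
```

Run it once and read the output; when it matches the intended policy, `sh firewall-rules.sh | sh` applies it. Watch the kernel log (or wherever LOG targets land in syslog) for `fw-drop:` lines after the change; a steady stream from one of your own hosts to a single port is the signature of a service left off the list.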
