Hi there
Im looking to “close down” my email server as much as possible, to not expose unnessesary ports. I know ports is mentioned here

docs.mailcow.email
https://docs.mailcow.email/prerequisite/prerequisite-system/#firewall-ports
No preview could be generated for this link

But, all of those isnt really nessesary to be exposed? And all of those will most likely not be needed, or am I wrong?
Currently I have exposed those, and those are my comments and questions:
25 - Required?
4190 - Can I close this?
465 - Use 587 instead, and close this?
587 - Keep open
993 - IMAPs, is this better than POP3S below?
995 - Can be closed?

I know ports depends on what Im using and not, but hope to get some tips on what really is needed as minimum. This is a bit confusing for me at the moment.

I will try to answer this as best I can. If anyone has any additions or corrections, please add them…

  • Port 25 is used for server-to-server communication, i.e. to receive mail from other servers, so it must remain open.

  • 4190 is used to manage email filters remotely from a client. If you don’t need that feature or you always set the filters directly on the server e.g. via Sogo or Roundcube, the port can be closed.

  • 465 or 587 is used to connect clients via SMTP. 587 uses STARTTLS, 465 uses implicit TLS. The latter is a bit more secure. So this is up to you, what you want to use. I have both ports open, for maximum compatibility with different clients.

  • 993 vs 995: IMAP is “better” than POP3 in the sense that it synchronizes emails. That means you have always the same messages and folders on all clients and the messages always stay on the server. If you use POP3, the client can only download messages and you can decide whether the mails will be deleted on the server or not. So it depends on your use case which is better. But yes, if you don’t intend to use POP3, you can close the corresponding ports.

  • And just for the sake of completeness: You don’t need to open ports 110 and 143 because clients that can only connect unencrypted should not be used anyways.

Have something to say?

Join the community by quickly registering to participate in this discussion. We'd like to see you joining our great moo-community!

Thank you for your reply. This makes sence.
Request can be marked as resolved.

No one is typing