Hi all,

This is my first post! Started using MailCow a few days ago and until now all looks great! Already have my own mail server running on Ubuntu 22.04 LTS.

There is just one thing on my to-do list, and that is the Firewall setup.

I did not activate the UFW firewall because of the Danger Warning stated at: https://docs.mailcow.email/prerequisite/prerequisite-system/#supported-os

saying that there are several problems with running mailcow on a firewalld/ufw enabled system.

Also, please take notice that this is my first time using Docker, so a Docker newbie here. After reading all the Docs I still do not understand how to secure my server with a firewall.

So below a few questions to anyone who is willing to help:

1- I did a basic installation following the Docs. So at the moment I already have an IPTABLES firewall active on MailCow Docker, correct?

2- In terms of security, should I leave the system just as it is now, with the installation defaults? It seems strange and insecure to me not to have a server-side firewall active (in my case UFW).

3- What should I do? Should I enable UFW and open some specific ports? Any guide, advice or idea would be great!

P.S: Not related to this post, but also related to server security, just to say that I have installed Fail2Ban on my server with the SSH jail active. Seems to be working just fine.

Thanks!


    1 - yes
    2 - server side firewalls are not really worth it from security perspective. If you want to improve security, use a Web Application Firewall in front (e.g. Sophos Firewall, Untangle, Snort etc)
    3 - As the article says - don’t use UFW - especially as you are a Docker newbie.


    I’ve never had any problems with ufw enabled. Actually ufw doesn’t have any effect on docker containers, because the iptables rules of docker take precedence over ufw rules. So in the default install of ufw you won’t have any issues, only if you manually tell ufw to use another iptables chain.

      D4niel Actually ufw doesn’t have any effect on docker containers, because the iptables rules of docker take precedence over ufw rules

      Well, yes, but then why use it at all?

        mailman

        My configuration is just like yours, except that I use Debian instead of Ubuntu as my base system. Debian does not have UFW installed by default and I didn’t install it. Like you, I have Fail2ban enabled for the SSH port, which works fine. For the rest of the ports I let Mailcow’s Fail2ban / Netfilter do its thing, plus my VPS provider is providing a simple Layer 3 Firewall in front of the VPSs, on which I only opened the ports that are needed for Mailcow to work.

        But even without any firewall at all, you should be safe, as long as you don’t run other services besides Docker, and as long as there are no flaws discovered in any of the Docker containers. However, a Layer 3 firewall like UFW cannot protect you from such flaws anyways, because the ports Mailcow uses have to be open, in order for Mailcow to work, and ports on which nothing is running cannot be attacked.

        Ok there is one rather small advantage of having a simple Layer 3 Firewall: You could block ports that you don’t use, like in my case 143, 110, and 995, which would reduce the potential attack vectors somewhat.

        mlcwuser Well, yes, but then why use it at all?

        For other non-docker services on the host that shouldn’t be exposed.

          Hi all,

          Thanks for all the responses and feedback. On my server there is only MailCow hosted/running and I will not install anything more. The server is just for MailCow.

          So from what I read here, I can just leave the server as it is (with the installation defaults + fail2ban installed manually by me) or also activate UFW and open all the needed MailCow ports (example: 993,995,465,587,etc…)… but that may cause some issues as also read here.

          Will keep researching about this. And if anyone has any further idea, suggestion or advice, please say.

            mailman So from what I read here, I can just leave the server as it is

            I say yes, although it is generally “best practice” to block unused ports and services, just in case. However, a firewall / packet filter in front of Mailcow is preferable, and makes things much easier. More about why it is easier in the next section…

            mailman I can just leave the server as it is (with the installation defaults + fail2ban installed manually by me) or also activate UFW and open all the needed MailCow ports (example: 993,995,465,587,etc…)… but that may cause some issues as also read here.

            UFW does not directly create issues with Docker, but it also cannot be used to filter traffic for services running on Docker, at least not without changing some things in iptables. That’s because UFW is a front end for iptables, which is the actual packet filter. The problem is now that Docker is creating rules in iptables too, and these rules are processed before the UFW rules are processed. This causes the UFW rules to have no effect at all on services running in Docker.

            There are ways to work around this, but unless you are at least somewhat familiar with how iptables works, and how Docker interacts with it, I wouldn’t recommend to fiddle around with it. Also Mailcow is one of the more complex Docker stacks out there, with a relatively complex networking configuration, which doesn’t make things necessarily easier ;-)

            See here: https://docs.docker.com/network/packet-filtering-firewalls/ and here: https://docs.mailcow.email/prerequisite/prerequisite-system/?h=iptable#firewall-ports
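Added example (mine, not from the thread or the mailcow project) that makes two points from this discussion concrete: the chain order that causes UFW rules to be skipped for Docker services, and mlcwuser's earlier remark that unused ports such as 143, 110 and 995 can still be blocked. It reads `iptables -S FORWARD` output (a constructed sample below; the `br-mailcow` bridge and `eth0` interface names are made up) to list the order in which the FORWARD chain hands off to Docker's and ufw's chains, and it emits rules for the DOCKER-USER chain, which the linked Docker packet-filtering documentation reserves for administrator rules and which is consulted before anything ufw adds. The function names `forward_jump_order`, `docker_user_before_ufw` and `docker_user_drop_rules` are my own.

```shell
#!/bin/sh
# Constructed sample of `iptables -S FORWARD` on a host running Docker + ufw.
# On a real host: iptables -S FORWARD | forward_jump_order
SAMPLE_FORWARD='-P FORWARD DROP
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o br-mailcow -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-mailcow -j DOCKER
-A FORWARD -i br-mailcow ! -o br-mailcow -j ACCEPT
-A FORWARD -i br-mailcow -o br-mailcow -j ACCEPT
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward'

# Print the jump targets of the FORWARD chain in evaluation order.
# Reads `iptables -S FORWARD` text on stdin; one target per output line.
forward_jump_order() {
    awk '$1 == "-A" && $2 == "FORWARD" {
        for (i = 3; i <= NF; i++) if ($i == "-j") { print $(i + 1); break }
    }'
}

# Exit 0 if DOCKER-USER is reached before the first ufw-* chain (so ufw never
# sees traffic that Docker already accepted), exit 1 otherwise.
docker_user_before_ufw() {
    forward_jump_order | awk '
        /^DOCKER-USER$/ && !seen_ufw { found = 1; exit }
        /^ufw-/ { seen_ufw = 1 }
        END { exit (found ? 0 : 1) }'
}

# Emit DOCKER-USER rules that drop new connections arriving on the external
# interface whose original destination port is one of the given ports.
# Docker DNATs published ports to the container before FORWARD runs, so the
# conntrack match on the *original* destination port is what keeps the rule
# independent of the container-side port (as in Docker's documentation).
# Usage: docker_user_drop_rules eth0 143 110 995   (pipe the output to sh to apply)
docker_user_drop_rules() {
    ext_if=$1
    shift
    for port in "$@"; do
        printf 'iptables -I DOCKER-USER -i %s -p tcp -m conntrack --ctorigdstport %s --ctdir ORIGINAL -j DROP\n' \
            "$ext_if" "$port"
    done
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_FORWARD" | forward_jump_order
if printf '%s\n' "$SAMPLE_FORWARD" | docker_user_before_ufw; then
    echo "DOCKER-USER is consulted before any ufw chain: ufw cannot filter container traffic"
fi
docker_user_drop_rules eth0 143 110 995
```

The rule generator only prints commands; review the output and apply it with root privileges on the host where the mailcow containers run. Because DOCKER-USER is evaluated before Docker's own ACCEPT rules, these drops take effect for published container ports, which is exactly what a rule added through UFW does not achieve.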

            Hi @mlcwuser

            Thanks a lot for the detailed explanation! I will leave things as they are. No UFW.
