white-listing IP on instance firewall

y2kbug

Hello. I would like to white-list my home IP address as block all others from accessing the mail server. However, I want the mail server to receive email from remote servers. Which ports should be kept public access?

My understanding:

0.0.0.0/0
Postfix SMTP TCP 25
Postfix SMTPS TCP 465
Postfix Submission TCP 587

My-IP/32
Dovecot IMAP TCP 143
Dovecot IMAPS TCP 993
Dovecot POP3 TCP 110
Dovecot POP3S TCP 995
Dovecot ManageSieve TCP 4190
HTTP(S) TCP 80/443

Thanks.

esackbauer

Only port 25. But you will get into trouble by blocking 80, it is needed for renewing the Lets Encrypt certificates.
Why do you want to make an already secure solution more difficult to use?

My advice would be: Before you start around tinkering with the ports, use a firewall, where you can restrict properly and more flexible, e.g. on specific URLs or on countries or ISP ranges, and whitelist those of Lets Encrypt.

y2kbug

esackbauer

There are many many IP trying to sign-in my mail server every second.

esackbauer

Like these?

0.0.0.0/0
Postfix SMTP TCP 25
HTTP(S) TCP 80

My-IP/32
Postfix SMTPS TCP 465
Postfix Submission TCP 587
Dovecot IMAP TCP 143
Dovecot IMAPS TCP 993
Dovecot POP3 TCP 110
Dovecot POP3S TCP 995
Dovecot ManageSieve TCP 4190
HTTP(S) TCP 443

esackbauer

Like these?

0.0.0.0/0
Postfix SMTP TCP 25
HTTP(S) TCP 80

My-IP/32
Postfix SMTPS TCP 465
Postfix Submission TCP 587
Dovecot IMAP TCP 143
Dovecot IMAPS TCP 993
Dovecot POP3 TCP 110
Dovecot POP3S TCP 995
Dovecot ManageSieve TCP 4190
HTTP(S) TCP 443

esackbauer

y2kbug There are many many IP trying to sign-in my mail server every second.

Welcome to the Internet! 😉
Why do you think mailcow has incorporated netfilter/fail2ban?

y2kbug

esackbauer

I have configured the integrated fail2ban to fail the IP with incorrect login, immediately for years.
But just in case someone is so lucky guessing my password correctly, or my password had been leaked to be part of a dictionary, the mail server could still be accessed, without me being noticed. IP address filter on instance firewall level should be the safest way I think.

esackbauer

y2kbug the mail server could still be accessed

Yes the same with Microsofts Office 365 used by hundreds of millions of users, they are not afraid to leave their ports open, and its Microsoft 😉

Moral of the story: Use safe passwords. Use 2FA. And use App passwords for accounts on devices.

y2kbug fail the IP with incorrect login, immediately for years.

That is a bit overdone I would say and could potentially lock you out, if your IP ever changes.
If you use generated passwords as mailcow already suggests them, noone can break your passwords even if you set the ban to 1 minute.

y2kbug

esackbauer

Okay. Thanks for your answer.