• Off-topic
  • USEnglish
  • Recommendation for ufw and mailcow

Hello,

As I can remember on the first versions of mailcow docs there was ufw tutorial persistent.

Since the start of the server 2-3 years ago I have ufw installed on the server and only opened the ports needed by mailcow (list in the docs) and never had any troubles with that.

Because of that I’m wondering why ufw now is better to disable 🤔

Have something to say?

Join the community by quickly registering to participate in this discussion. We'd like to see you joining our great moo-community!

Thanks for your reply.

I have only opened the ports required by mailcow. Nothing else is running on this server, until now never has problems over the years.

I have just tested by the tester:
OK - Not an open relay

So no open relay.

I think I’m good with that.

Here some more informations on my setup.

Open Relay Test:

Connecting to 127.0.0.1

220-mx.domain.tld ESMTP Postcow
220 mx.domain.tld ESMTP Postcow [3643 ms]
EHLO keeper-us-east-1c.mxtoolbox.com
250-mx.domain.tld
250-PIPELINING
250-SIZE 104857600
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 CHUNKING [236 ms]
MAIL FROM:<supertool@mxtoolboxsmtpdiag.com>
250 2.1.0 Ok [251 ms]
RCPT TO:<test@mxtoolboxsmtpdiag.com>
554 5.7.1 <test@mxtoolboxsmtpdiag.com>: Relay access denied [266 ms]

LookupServer 5445ms

UFW status (active rules for IPv6 and IPv6):

ufw status
Status: active

To                         Action      From
--                         ------      ----
2218                       ALLOW       Anywhere
25                         ALLOW       Anywhere
80                         ALLOW       Anywhere
110                        ALLOW       Anywhere
143                        ALLOW       Anywhere
443                        ALLOW       Anywhere
465                        ALLOW       Anywhere
587                        ALLOW       Anywhere
993                        ALLOW       Anywhere
995                        ALLOW       Anywhere
4190                       ALLOW       Anywhere
2218 (v6)                  ALLOW       Anywhere (v6)
25 (v6)                    ALLOW       Anywhere (v6)
80 (v6)                    ALLOW       Anywhere (v6)
110 (v6)                   ALLOW       Anywhere (v6)
143 (v6)                   ALLOW       Anywhere (v6)
443 (v6)                   ALLOW       Anywhere (v6)
465 (v6)                   ALLOW       Anywhere (v6)
587 (v6)                   ALLOW       Anywhere (v6)
993 (v6)                   ALLOW       Anywhere (v6)
995 (v6)                   ALLOW       Anywhere (v6)
4190 (v6)                  ALLOW       Anywhere (v6)     

IPtables -L (i have removed IPs):

Chain INPUT (policy DROP)
target     prot opt source               destination         
MAILCOW    all  --  anywhere             anywhere            
ufw-before-logging-input  all  --  anywhere             anywhere            
ufw-before-input  all  --  anywhere             anywhere            
ufw-after-input  all  --  anywhere             anywhere            
ufw-after-logging-input  all  --  anywhere             anywhere            
ufw-reject-input  all  --  anywhere             anywhere            
ufw-track-input  all  --  anywhere             anywhere            

Chain FORWARD (policy DROP)
target     prot opt source               destination         
MAILCOW    all  --  anywhere             anywhere            
DOCKER-USER  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ufw-before-logging-forward  all  --  anywhere             anywhere            
ufw-before-forward  all  --  anywhere             anywhere            
ufw-after-forward  all  --  anywhere             anywhere            
ufw-after-logging-forward  all  --  anywhere             anywhere            
ufw-reject-forward  all  --  anywhere             anywhere            
ufw-track-forward  all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ufw-before-logging-output  all  --  anywhere             anywhere            
ufw-before-output  all  --  anywhere             anywhere            
ufw-after-output  all  --  anywhere             anywhere            
ufw-after-logging-output  all  --  anywhere             anywhere            
ufw-reject-output  all  --  anywhere             anywhere            
ufw-track-output  all  --  anywhere             anywhere            

Chain DOCKER (2 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             IP_REPLACED         tcp dpt:12345
ACCEPT     tcp  --  anywhere             IP_REPLACED         tcp dpt:sieve
ACCEPT     tcp  --  anywhere             IP_REPLACED           tcp dpt:8983
ACCEPT     tcp  --  anywhere             IP_REPLACED         tcp dpt:pop3s
ACCEPT     tcp  --  anywhere             IP_REPLACED           tcp dpt:mysql
ACCEPT     tcp  --  anywhere             IP_REPLACED         tcp dpt:imaps
ACCEPT     tcp  --  anywhere             IP_REPLACED         tcp dpt:imap2
ACCEPT     tcp  --  anywhere             IP_REPLACED         tcp dpt:pop3
ACCEPT     tcp  --  anywhere             IP_REPLACED           tcp dpt:https
ACCEPT     tcp  --  anywhere             IP_REPLACED           tcp dpt:http
ACCEPT     tcp  --  anywhere             IP_REPLACED          tcp dpt:submission
ACCEPT     tcp  --  anywhere             IP_REPLACED         tcp dpt:6379
ACCEPT     tcp  --  anywhere             IP_REPLACED          tcp dpt:submissions
ACCEPT     tcp  --  anywhere             IP_REPLACED          tcp dpt:smtp

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination         
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Chain DOCKER-USER (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain MAILCOW (2 references)
target     prot opt source               destination         

Chain ufw-after-forward (1 references)
target     prot opt source               destination         

Chain ufw-after-input (1 references)
target     prot opt source               destination         
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:netbios-ns
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:netbios-dgm
ufw-skip-to-policy-input  tcp  --  anywhere             anywhere             tcp dpt:netbios-ssn
ufw-skip-to-policy-input  tcp  --  anywhere             anywhere             tcp dpt:microsoft-ds
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:bootps
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:bootpc
ufw-skip-to-policy-input  all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (1 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
target     prot opt source               destination         

Chain ufw-after-output (1 references)
target     prot opt source               destination         

Chain ufw-before-forward (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ufw-user-forward  all  --  anywhere             anywhere            

Chain ufw-before-input (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ufw-logging-deny  all  --  anywhere             anywhere             ctstate INVALID
DROP       all  --  anywhere             anywhere             ctstate INVALID
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc
ufw-not-local  all  --  anywhere             anywhere            
ACCEPT     udp  --  anywhere             IP_REPLACED          udp dpt:mdns
ACCEPT     udp  --  anywhere             IP_REPLACED      udp dpt:1900
ufw-user-input  all  --  anywhere             anywhere            

Chain ufw-before-logging-forward (1 references)
target     prot opt source               destination         

Chain ufw-before-logging-input (1 references)
target     prot opt source               destination         

Chain ufw-before-logging-output (1 references)
target     prot opt source               destination         

Chain ufw-before-output (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ufw-user-output  all  --  anywhere             anywhere            

Chain ufw-logging-allow (0 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere             ctstate INVALID limit: avg 3/min burst 10
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type MULTICAST
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
ufw-logging-deny  all  --  anywhere             anywhere             limit: avg 3/min burst 10
DROP       all  --  anywhere             anywhere            

Chain ufw-reject-forward (1 references)
target     prot opt source               destination         

Chain ufw-reject-input (1 references)
target     prot opt source               destination         

Chain ufw-reject-output (1 references)
target     prot opt source               destination         

Chain ufw-skip-to-policy-forward (0 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            

Chain ufw-skip-to-policy-input (7 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            

Chain ufw-skip-to-policy-output (0 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain ufw-track-forward (1 references)
target     prot opt source               destination         

Chain ufw-track-input (1 references)
target     prot opt source               destination         

Chain ufw-track-output (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             ctstate NEW

Chain ufw-user-forward (1 references)
target     prot opt source               destination         

Chain ufw-user-input (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:2218
ACCEPT     udp  --  anywhere             anywhere             udp dpt:2218
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp
ACCEPT     udp  --  anywhere             anywhere             udp dpt:25
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     udp  --  anywhere             anywhere             udp dpt:80
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pop3
ACCEPT     udp  --  anywhere             anywhere             udp dpt:110
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imap2
ACCEPT     udp  --  anywhere             anywhere             udp dpt:143
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     udp  --  anywhere             anywhere             udp dpt:443
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:submissions
ACCEPT     udp  --  anywhere             anywhere             udp dpt:465
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:submission
ACCEPT     udp  --  anywhere             anywhere             udp dpt:587
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imaps
ACCEPT     udp  --  anywhere             anywhere             udp dpt:993
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pop3s
ACCEPT     udp  --  anywhere             anywhere             udp dpt:995
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:sieve
ACCEPT     udp  --  anywhere             anywhere             udp dpt:4190

Chain ufw-user-limit (0 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain ufw-user-logging-forward (0 references)
target     prot opt source               destination         

Chain ufw-user-logging-input (0 references)
target     prot opt source               destination         

Chain ufw-user-logging-output (0 references)
target     prot opt source               destination         

Chain ufw-user-output (1 references)
target     prot opt source               destination         

Something bad here? 🙂 As you see i don’t have created an open relay.

No one is typing