1 Topic by dorpha

  • dorpha
  • Member
  • Offline
  • Registered: 2015-01-23
  • Posts: 44

Topic: Disable plain/insecure IMAP/POP/SMTP ports

==== Required information ====
- iRedMail version: 0.9.0
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): Admin-Pro-LDAP 2.2.2
- Linux/BSD distribution name and version: Ubuntu 14.04LTS
- Related log if you're reporting an issue:
====

What will be the recommended way to just enable encrypted IMAP/POP/SMTP (on port 993/995/465), and disable the plain ones(on port 143/110/25) ?

That is to say, is it possible we can turn off these plain/insecure incoming ports (143/110/25) in firewall, and make iRedMail still function properly on email sending & receiving over the secured/encrypted ports (via SOGo web-interface and Mozilla ThunderBird) ?

iRedMail uses STARTTLS which will do the auto-switch depends on the mail server, between plain and secure connection. Is there an option we could force STARTTLS to use only the secure connection (via 993/995/465)?

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,094

Re: Disable plain/insecure IMAP/POP/SMTP ports

iRedMail forces clients' to use these secure connections by default:

*) POP3/IMAP over TLS (ports 110, 143), POP3 over SSL (995), IMAP over SSL (993). Insecure POP3/IMAP (without TLS) are disabled by default. Reference: http://www.iredmail.org/docs/allow.inse … tions.html

*) SMTP over TLS (either port 25 or 587. Note, you must have smtpd_tls_auth_only=yes in /etc/postfix/main.cf to enforce TLS through port 25)

dorpha wrote:

iRedMail uses STARTTLS which will do the auto-switch depends on the mail server, between plain and secure connection. Is there an option we could force STARTTLS to use only the secure connection (via 993/995/465)?

We have settings in Postfix and Dovecot to force clients to use TLS/SSL:

* Dovecot: ssl=required
* Postfix: smtpd_tls_auth_only=yes

3 Reply by dorpha (edited by dorpha 2015-02-10 11:17:07)

  • dorpha
  • Member
  • Offline
  • Registered: 2015-01-23
  • Posts: 44

Re: Disable plain/insecure IMAP/POP/SMTP ports

ZhangHuangbin wrote:

We have settings in Postfix and Dovecot to force clients to use TLS/SSL:
* Dovecot: ssl=required
* Postfix: smtpd_tls_auth_only=yes

Does port 110,143 and 25 still have to be enabled in the firewall's incoming rules for iRedMail to function properly?

4 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,094

Re: Disable plain/insecure IMAP/POP/SMTP ports

If you need them, then you need to open them in firewall.

5 Reply by dorpha

  • dorpha
  • Member
  • Offline
  • Registered: 2015-01-23
  • Posts: 44

Re: Disable plain/insecure IMAP/POP/SMTP ports

They are already on in iptables by default:

# smtp, submission
-A INPUT -p tcp --dport 25 -j ACCEPT     <--- 
-A INPUT -p tcp --dport 587 -j ACCEPT

# pop3, pop3s
-A INPUT -p tcp --dport 110 -j ACCEPT    <--- 
-A INPUT -p tcp --dport 995 -j ACCEPT

# imap, imaps
-A INPUT -p tcp --dport 143 -j ACCEPT    <--- 
-A INPUT -p tcp --dport 993 -j ACCEPT

Since not in use, could we safely comment out them (those with  '<---') ?

6 Reply by k-hussein

  • k-hussein
  • Member
  • Offline
  • Registered: 2014-12-11
  • Posts: 106

Re: Disable plain/insecure IMAP/POP/SMTP ports

for your info I disabled port 25 on my firewall , and end up with not receiving any mails from Outlook.com , yahoo.com , microsoft when I enabled port 25 I started receiving the mails.

7 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,094

Re: Disable plain/insecure IMAP/POP/SMTP ports

Port 25 is used for communication between mail servers, also optionally used to submit emails by mail users especially in old days.

8 Reply by dorpha (edited by dorpha 2015-02-11 12:24:17)

  • dorpha
  • Member
  • Offline
  • Registered: 2015-01-23
  • Posts: 44

Re: Disable plain/insecure IMAP/POP/SMTP ports

After some tests this is what we got so far:

(1) turning off port IMAP, but leave IMAPS on: local email clients (e.g. Thunderbird) can't connect via SSH/TLS(995), neither via SMARTTLS(143).
(2) turning off port SMTP(25): the mail server couldn't receive yahoo's mails, as k-hussein says.
(3) turning on IMAP, SMTP : everything's working, welcome back to life.

Thanks both of you for the information smile

9 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,094

Re: Disable plain/insecure IMAP/POP/SMTP ports

Dear @dorpha,

You must clearly know which services you need.

For example, which mail services and ports you told your clients/users to use in mail client applications (Outlook, Thunderbird)? IMAP over TLS (port 143), or IMAP over SSL (port 993)? POP3 over TLS (port 110) or POP3 over SSL (port 995)?

Port 25 is used for communication between mail servers, so you can NOT turn off it, otherwise you cannot receive emails from others.

10 Reply by dorpha (edited by dorpha 2015-02-11 15:09:13)

  • dorpha
  • Member
  • Offline
  • Registered: 2015-01-23
  • Posts: 44

Re: Disable plain/insecure IMAP/POP/SMTP ports

If understood correctly:

IMAP uses port 143, SSL/TLS encrypted IMAP uses port 993.
POP uses port 110, SSL/TLS encrypted POP uses port 995.
SMTP uses port 25, SSL/TLS encrypted SMTP uses port 465.

So this brings in two cases:

[case A: send/receive emails using a single port]

the plain way: use IMAP/POP/SMTP (143/110/25)
the encrypted way: IMAP over SSL|TLS , POP over SSL|TLS , SMTP over SSL|TLS (993,995,465)

[case B: send/receive emails using two ports (via STARTTLS)]

the plain way: use IMAP/POP/SMTP (143/110/25) --> this is not allowed in iRedMail
the encrypted way: IMAP over SSL|TLS , POP over SSL|TLS , SMTP over SSL|TLS (143,110,25,993,995,465) --> the iRedMail way

Thus for encrypted emailing, in case A you only need four ports(993,995,465 plus 25), whereas in case B you'll need six.

EDIT:
Seems that IMAP over TLS uses 143 , and POP over TLS uses 110 only. If not using SSL (it's kinda old), we might turn off port 993 and 995.

11 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,094

Re: Disable plain/insecure IMAP/POP/SMTP ports

Here is my personal suggestion:

* receive email with only pop over TLS (port 110), or imap over TLS (port 143).
* send email with smtp over TLS (port 587, aka submission). Don't use port 25 to send email, we will use this port with postscreen service soon. Just don't.
* port 25 must be always open

Again, make sure you have 'ssl=required' in dovecot.conf, so that insecure pop/imap are disabled. And 'smtpd_tls_auth_only=yes' in postfix.

12 Reply by dorpha

  • dorpha
  • Member
  • Offline
  • Registered: 2015-01-23
  • Posts: 44

Re: Disable plain/insecure IMAP/POP/SMTP ports

Thanks Zhang again for your great insights; this make things way clearer.