Topic: which ports to open for Firewall/Netfilter/IPtables
I don't use the IRM script to manage which ports are to be opened on the firewall (Linux i.e. Netfilter/Iptables in our case). We use OpenVZ so we do firewalling on the HN (Hardware Node) rather than inside a VE (Virtual Environment) where some of our IRM instances are installed.
Is it correct that all ports are TCP and no IRM service/daemon makes use of the UDP protocol?
What ports need to be open can be seen from iRedMail/samples/iptables.rules. Right now I allow incoming traffic on the following TCP ports: 80,443,25,587,465,110,995,143,993,389,636,21,20. I use the LDAP backend; do I need all those ports to be open? Especially 587? Did I miss some port?
We manage the port for sshd automatically; it's listening on a high port, i.e. >1023; maybe the IRM install routine could ask users for the sshd listening port instead of assuming it's port 22? Personally I don't care because we don't use the IRM iptables scripts at all, but I think the user should have a choice to maybe pick a non-standard listening port http://sunoano.name/ws/public_xhtml/ssh … ening_port
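An added example, not from the post or from iRedMail, that answers the "did I miss some port" question mechanically: it pulls the TCP destination ports out of an iptables-save style rules file and diffs them against the list of ports currently allowed on the HN. The rules text below is a constructed sample, not the real iRedMail/samples/iptables.rules; in practice pass that file's contents instead.

```shell
#!/bin/sh
# Added example: compare the TCP ports currently allowed against the TCP
# ports referenced in an iptables-save style rules file.

# Constructed sample in iptables-save format (NOT the real
# iRedMail/samples/iptables.rules; use that file for a real check).
SAMPLE_RULES='
*filter
:INPUT DROP [0:0]
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 110,995,143,993 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p udp --dport 123 -j ACCEPT
COMMIT
'

# TCP ports the poster currently allows on the HN (taken from the post).
ALLOWED="80,443,25,587,465,110,995,143,993,389,636,21,20"

# Print every TCP destination port in the rules text, one per line,
# numerically sorted and de-duplicated. Understands both "--dport N"
# and "-m multiport --dports A,B,C"; UDP rules are ignored.
rule_tcp_ports() {
  printf '%s\n' "$1" \
    | grep -e '-p tcp' \
    | sed -n 's/.*--dports\{0,1\} \([0-9,]*\).*/\1/p' \
    | tr ',' '\n' | sort -n | uniq
}

# Ports the rules file opens that are NOT in the allowed list
# (candidates for "did I miss some port").
missing_ports() {
  for p in $(rule_tcp_ports "$1"); do
    case ",$2," in
      *",$p,"*) ;;
      *) printf '%s\n' "$p" ;;
    esac
  done
}

# Ports in the allowed list that the rules file never references
# (candidates for "do I need all those ports").
extra_ports() {
  in_rules=",$(rule_tcp_ports "$1" | tr '\n' ','),"
  printf '%s\n' "$2" | tr ',' '\n' | while read -r p; do
    case "$in_rules" in
      *",$p,"*) ;;
      *) printf '%s\n' "$p" ;;
    esac
  done
}

echo "in rules but not allowed:"; missing_ports "$SAMPLE_RULES" "$ALLOWED"
echo "allowed but not in rules:"; extra_ports "$SAMPLE_RULES" "$ALLOWED"
```

For a real comparison call the functions with `"$(cat iRedMail/samples/iptables.rules)"` as the first argument. In the constructed sample the only "missing" port is 22, which is exactly the sshd port the poster moves to a high port.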