Koozali.org: home of the SME Server

sme8 mail server: how public mail port?

cybermod
« on: December 13, 2013, 07:09:00 PM »
Hi, I am trying to make my SME server public, with a domain.

In the local area network, I found these open ports (with the Radmin port scanner): 25, 110, and so Thunderbird has no problem connecting to my server.

But if I try to scan my public IP (I have NAT and an open port in my firewall, for example 995 POP3/S), I find that this port is closed!

In server manager I have enabled public and private access (pop3s secure)...
I don't understand this thing!

Fumetto
« Reply #1 on: December 13, 2013, 07:31:03 PM »
Read wiki... :)

cybermod
« Reply #2 on: December 13, 2013, 07:37:34 PM »
lol fumetto!!!
No, it does not run (but I have found this wiki :D :D :D)

Sorry for my bad English, I think that in Italian it is better ghghghg

So, I have rescanned my LAN. In the local area network, I found these open ports:

Code:
22 ssh
25 smtp
53 domain
110 pop3
80 www-http
139 netbios-ssn
143
389
443
465
515 printer
636
993
995

If I try to scan my public IP, nothing!!! Now... but... ehm... is server and gateway mode important???
I think that this is the solution....  :lol:

Jáder
« Reply #3 on: December 14, 2013, 01:05:14 AM »
You must scan your external IP when you're outside ... NOT FROM INSIDE!

If your server has open ports, the problem is in whatever you have between the server and the internet.
Maybe your ISP, your WiFi router, ... anything/everything.

How is SME connected to the WAN?
Did you open ports on all devices from your server to the WAN?
Please help us to help you.

Jáder

PS: when you're outside, you should connect to SECURE ports (995, 465, 993) not to OLD and insecure ports (110, 25). Do not open insecure ports, just secure ones.
I prefer to use 465 (SMTP secure) and 995 (IMAP secure).
...

janet
« Reply #4 on: December 14, 2013, 01:59:59 AM »
cybermod

You have to decide how your network & connection to the Internet are set up.

If you want a separate firewall (eg firewall/router/gateway device), then set up your sme in "server only" mode, then port forward the required ports from your firewall device to the sme server.

If you want sme server to act as firewall/gateway, then set sme in "server & gateway" mode. To do this you will also have to reconfigure your firewall device (modem/router) in bridged mode (pass through mode) & usually disable all other functionality in the modem/router device (eg DHCP server etc). SME server will then handle all firewall, gateway functions, login client, DHCP server etc.

Then you enable & disable services in server manager & the respective required ports will be opened automatically.

Please read the Manual, as all this is very near the beginning !
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

cybermod
« Reply #5 on: December 14, 2013, 11:59:44 AM »
Hi all, replying with quotes is better for me lol
for Jader
Quote
You must scan your external IP when you're outside ... NOT FROM INSIDE!
Of course! But I need to test, because Thunderbird works in the local area, but not on the internet.

Quote
If your server has open ports, the problem is in whatever you have between the server and the internet.
Maybe your ISP, your WiFi router, ... anything/everything.
OK, I have resolved this problem on my firewall (pfsense). Now, if I scan my public IP with Advanced Port Scanner, I get this:
Code:
OPEN PORT
443
465
993
995
Now I think that is better

Quote
How is SME connected to the WAN?
Did you open ports on all devices from your server to the WAN?
My SME server has 1 eth with a local IP.
It is behind my router firewall (pfsense, do you know it?) and I use NAT to open ports.
I also need to set up the firewall rule. But now, if I believe my last port scan, all should be correct

Quote
Please help us to help you.
Of course, I try, but my English is not very good, and I have no experience with mail servers. I am in learning mode :)

Quote
PS: when you're outside, you should connect to SECURE ports (995, 465, 993) not to OLD and insecure ports (110, 25). Do not open insecure ports, just secure ones.
I prefer to use 465 (SMTP secure) and 995 (IMAP secure).
I agree with you! But is port 995 for IMAP secure or POPS secure? I am confused now :???:

for janet

Quote
You have to decide how your network & connection to the Internet are set up.
If you want a separate firewall (eg firewall/router/gateway device), then set up your sme in "server only" mode, then port forward the required ports from your firewall device to the sme server.

If you want sme server to act as firewall/gateway, then set sme in "server & gateway" mode. To do this you will also have to reconfigure your firewall device (modem/router) in bridged mode (pass through mode) & usually disable all other functionality in the modem/router device (eg DHCP server etc). SME server will then handle all firewall, gateway functions, login client, DHCP server etc.
Hi janet, first I need to understand what the better solution is.
I have my domain registered with my ISP, with mail service, but I want a shared calendar and shared addresses between clients and also on mobile devices. So, what is the better solution? (I think also for security!!!).
I can use fetchmail to download mail from my ISP, and I can delegate my SME server to use authenticated SMTP (a service offered by my ISP); then I can open only the ports for mobile devices and webmail. Is that not a good solution?


Quote
Then you enable & disable services in server manager & the respective required ports will be opened automatically.
OK, so I don't need to do anything else?

Quote
Please read the Manual, as all this is very near the beginning !
I try, and I often read the wiki online, but I have some difficulties because my English is not good (now I am learning at school) and because I do not have any experience with mail services.

I am here also to learn all these services. I believe in open source and I think that SME server is a great product, but first I need to get to know it :D
I hope that this is not a problem, thanks all for your kindness

Regards

janet
« Reply #6 on: December 14, 2013, 09:12:59 PM »
cybermod

Firstly I have used sme server for 13 years in server & gateway mode & the firewall component has never been breached or hacked. SME server acting as a firewall is very secure.
Some people will say/claim you need to have a DMZ, & need to have a "better" firewall etc, but technically & practically SME server in server & gateway mode is capable of doing the job securely, without needing a more advanced firewall in front of it.
The general reasons someone uses a different firewall is for easier control of settings via a nice GUI interface etc, where all choices can be selected from a GUI screen etc. Other firewalls such as pfsense do have more advanced setting abilities, but for many people these are not required.
SME firewall is capable of doing many or most things other firewalls can do, but you do need to understand iptables rules & sme template fragment code.

The other common reason you would select a standalone firewall is because you want to implement certain features on your network, eg separate VOIP control, maybe using a router provided by your ISP, Wireless access (WiFi) or some types of Internet TV that rely upon the router supplied by the ISP. In these cases the modem/router does the firewall & gateway functions, & you configure sme server in server only mode.
Note that WiFi can be set up behind your sme server using a wireless router with only the wireless functions enabled, it's just like another device or PC on your network. There is also a Coova Chilli WiFi hot spot contrib if you want better/more control over wireless access via sme server.

If you are happy to have a more simple arrangement & will use the features of sme server & various contribs & addons to achieve any special network configuration etc, eg use normal web based TV access & other non ISP specific VOIP solutions, then you can use SME server in server & gateway mode, & use the server manager to configure popular services (automatically opening & closing ports as necessary). If there are other requirements eg port forwarding to other servers behind your SME server, then you can use the port forwarding panel in server manager. Beyond that for more unusual or advanced requirements, you can then create custom templates & tweak the firewall iptables rules to achieve just about anything you want, as long as you know how, or there are wiki or web instructions available to describe the set up steps. There are many contribs & howtos on contribs.org wiki.

Note that the real security risks for web accessible servers are the applications running on the server (particularly PHP apps), so choose apps or contribs carefully, particularly web based software, & avoid PHP as much as possible, & ALWAYS keep web application software up to date (to prevent security bug problems etc). This applies to any web server not just SME server, so this issue is not something that is only inherent to using sme server, it applies to all web servers.

Thinking or believing that using a "better" firewall makes you safer is false security. If you set up your "better & more advanced" firewall incorrectly, you could actually be less secure than using a standard sme server in server & gateway mode automatically configured (with built in iptables firewall).

So really why you would choose one or the other firewalls (sme vs standalone) is a personal choice depending on your need & requirements.
Most home users & small businesses would function perfectly well & safely using sme server in server & gateway mode (with a bridged modem/router), no need for separate firewalls eg pfsense etc.

Jáder
« Reply #7 on: December 16, 2013, 11:16:15 AM »
Quote
Hi all, reply with quote, is better for me lol
for Jader
Of Course! But i need to test, because thunderbird in local area works, in internet no.

Thunderbird from internet could never work when ports were closed :)

Quote
I am in accord with you! But is 995 port for imap secure or pops secure? i am confused now :???:

Google is your friend about what port serves what services.
993 = IMAPs
465 = SMTPs
(from my memory... but I may have said otherwise before... sorry!)

BTW: I created this page: http://wiki.contribs.org/Thunderbird_Auto_Config

Copy and create your own (replacing Linuxfacil.net with your own domain) and never worry again about configuring Thunderbird.

Good luck

Jáder
...

cybermod
« Reply #8 on: December 16, 2013, 01:39:43 PM »
@janet
thx for your time!
You're right!
I use pfsense because it is familiar to me, because it is free and because I find the openvpn client/server add-on very useful!

So, I think that SME server in "server only" mode is the better choice for me. From the SME server, I need only mail services, a shared calendar for all users and all mobile clients (smartphone, tablet), webmail and that's it. So I think that this is my choice.

@jader
Quote
Thunderbird from internet could never work when ports were closed :)
YOU DON'T SAY??  :grin: :grin:

Quote
Google is your friend about what port serves what services
I know it, but I am just confused. Many concepts in a short time... my brain fart \o/

Quote
BTW: I created this page: http://wiki.contribs.org/Thunderbird_Auto_Config
Nice!
Tonight I will try it!

Questions:
- I tried with Outlook on my home PC. IMAP service. It works for POP but not for SMTP. Thunderbird, nothing at all!
Is it possibly a certificate problem?

janet
« Reply #9 on: December 16, 2013, 02:29:53 PM »
cybermod

You will have to open the ports in your pfsense firewall for each service you want to run on sme server eg
mail smtp server 25 (domain mail server talking to other mail servers)
email client access:
IMAP secure 993
SMTP secure 465 (non secure 25)
POP secure 995 (non secure 110)
etc

Note that SME server only allows secure connections using ssl when accessed from remote locations.

The mail server (smtp server) will be already running on sme when in server only mode.
You will have to enable webmail in server manager.
You will also have to port forward port 80 for any web sites you want to access on sme server.
Also port 22 for ssh access & port 443 for https access, & so on.
Note that external webmail uses https only.

So you will find that using a separate (pfsense) firewall limits your ability to have the same services (& ports forwarded) running on different servers behind your firewall ie you can only forward the same port once, to one server.

Do a port scan using this site
https://www.grc.com
Run it from a workstation behind your firewall (or behind your sme server if it is in server gateway mode), to see what ports are open in your firewall.

cybermod
« Reply #10 on: December 18, 2013, 12:43:43 AM »
Great, today I will try it!

@janet
Quote
BTW: I created this page: http://wiki.contribs.org/Thunderbird_Auto_Config

Sorry, but I don't understand how to use it :(

cybermod
« Reply #11 on: December 18, 2013, 09:43:53 AM »
Hi janet, I did it!

This is the report:

Code:
----------------------------------------------------------------------

GRC Port Authority Report created on UTC: 2013-12-18 at 08:42:15

Results from scan of ports: 0-1055

    7 Ports Open
    0 Ports Closed
 1049 Ports Stealth
---------------------
 1056 Ports Tested

NO PORTS were found to be CLOSED.

Ports found to be OPEN were: 21, 53, 80, 443, 465, 993, 995

Other than what is listed above, all ports are STEALTH.

TruStealth: FAILED - NOT all tested ports were STEALTH,
                   - NO unsolicited packets were received,
                   - A PING REPLY (ICMP Echo) WAS RECEIVED.

---------------------------------------------------------------------

I found that www.grc.com is very very very great!

Stefano
« Reply #12 on: December 18, 2013, 12:47:12 PM »
Please, if not necessary (and likely it is not..), close FTP.. it's an insecure service.. use sftp instead

cybermod
« Reply #13 on: December 18, 2013, 03:03:57 PM »
OK Stefano, but at the moment I need the FTP service.

For the other problem, what do you say?

janet
« Reply #14 on: December 18, 2013, 04:38:58 PM »
cybermod

Quote
Ports found to be OPEN were: 21, 53, 80, 443, 465, 993, 995

Those ports might be open, but are they forwarded to your sme server ?
Also are the required services enabled on sme server, in server manager eg for mail services see the Email panel & so on in other panels for other services.
Enabling these will then open these ports in sme server (as well as enabling those services eg IMAPS).

You will also need to open port 25 if you want to run a mail server (smtp server), & forward it to sme server.
Also port 22 for ssh access, but I suggest you set sme server to use a different port, & open that alternative port in your pfsense firewall instead, makes it a little harder for hackers.

Also are outgoing ports open in your pfsense firewall, usually traffic has to flow both ways ?

Also IIRC you might need port 113 for IDENT.

Things are more complicated when you have a separate firewall.

Re your email client working with Outlook & not Thunderbird etc, it just suggests you have not set up the email client correctly, so review all your settings, IIRC Thunderbird has a number of places you need to setup details.
« Last Edit: December 18, 2013, 04:56:14 PM by janet »

Stefano
« Reply #15 on: December 18, 2013, 05:30:24 PM »
I would add that 53 (dns) has no reason to be reachable from wan
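
Added example (not part of any post in this thread): a small Python audit that parses the GRC report text posted above and sorts the open ports by the advice given in the replies. The policy table is an assumption distilled from those replies, not an SME Server or pfsense default.

```python
import re

# GRC Port Authority summary, abridged from the report posted above.
REPORT = """\
GRC Port Authority Report created on UTC: 2013-12-18 at 08:42:15
Results from scan of ports: 0-1055
    7 Ports Open
    0 Ports Closed
 1049 Ports Stealth
 1056 Ports Tested
Ports found to be OPEN were: 21, 53, 80, 443, 465, 993, 995
TruStealth: FAILED - NOT all tested ports were STEALTH,
                   - NO unsolicited packets were received,
                   - A PING REPLY (ICMP Echo) WAS RECEIVED.
"""

# Assumed policy, taken from the advice in the thread.
POLICY = {
    443: ("expected", "https, external webmail"),
    465: ("expected", "SMTP over SSL for mail clients"),
    993: ("expected", "IMAP over SSL"),
    995: ("expected", "POP3 over SSL"),
    25: ("conditional", "only if the server takes mail from other mail servers"),
    80: ("conditional", "only if web sites are published"),
    22: ("conditional", "ssh; public/private keys, password access disabled"),
    21: ("discouraged", "FTP; sftp suggested instead"),
    53: ("discouraged", "DNS has no reason to be reachable from WAN"),
    110: ("discouraged", "POP3 without SSL"),
    143: ("discouraged", "IMAP without SSL"),
}


def parse_grc_report(text):
    """Return open ports, per-state counts and whether a ping reply was seen."""
    counts = {
        state.lower(): int(n)
        for n, state in re.findall(
            r"^[ \t]*(\d+)[ \t]+Ports[ \t]+(Open|Closed|Stealth|Tested)[ \t]*$",
            text, re.M)
    }
    m = re.search(r"Ports found to be OPEN were:[ \t]*([\d, ]+)", text)
    open_ports = sorted({int(p) for p in re.findall(r"\d+", m.group(1))}) if m else []
    # A mismatch means the report was truncated or edited; refuse to audit it.
    if "open" in counts and counts["open"] != len(open_ports):
        raise ValueError("open-port count does not match the listed ports")
    return {
        "open": open_ports,
        "counts": counts,
        "ping_reply": "A PING REPLY (ICMP Echo) WAS RECEIVED" in text,
    }


def audit(open_ports):
    """Attach a verdict and reason to every open port."""
    default = ("unlisted", "not discussed in the thread; confirm the forward is intended")
    return [(p, *POLICY.get(p, default)) for p in open_ports]


def ports_to_close(open_ports):
    """Ports that should not stay exposed without a specific reason."""
    return [p for p, verdict, _ in audit(open_ports)
            if verdict in ("discouraged", "unlisted")]


if __name__ == "__main__":
    report = parse_grc_report(REPORT)
    for port, verdict, reason in audit(report["open"]):
        print(f"{port:>5}  {verdict:<12} {reason}")
    print("close or justify:", ports_to_close(report["open"]))
    print("answers ping:", report["ping_reply"])
```
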

Jáder
« Reply #16 on: December 19, 2013, 03:26:11 PM »
Quote
greats, today i try it!

@janet
Sorry, but i don't understood how use it :(

I'll update wiki with more instructions about use and MAYBE a template to auto create XML file to server.
...

cybermod
« Reply #17 on: December 20, 2013, 04:36:05 PM »
Hi janet
Quote
Those ports might be open, but are they forwarded to your sme server ?
Yes, they are open and, with pfsense, I have done NAT on my ips server.
Can I check it?

Quote
Also are the required services enabled on sme server, in server manager eg for mail services see the Email panel & so on in other panels for other services.
Enabling these will then open these ports in sme server (as well as enabling those services eg IMAPS).

I think that this is also done.
In SME server server manager => E-mail => Change Email access settings
I have: pop3 server access: allow private and public (secure pop3s)
          imap server access: allow private and public (secure imaps)

Quote
You will also need to open port 25 if you want to run a mail server (smtp server), & forward it to sme server.
At this moment I prefer to use fetchmail and smarthost for learning SME server, is that OK?

Quote
Also port 22 for ssh access, but I suggest you set sme server to use a different port, & open that alternative port in your pfsense firewall instead, makes it a little harder for hackers.
Are you talking about Port Redirect?

Quote
Also are outgoing ports open in your pfsense firewall, usually traffic has to flow both ways ?
I think! I have made a rule in my pfsense that allows ALL TRAFFIC from LAN to WAN

Quote
Also IIRC you might need port 113 for IDENT.
Sorry, but I don't understand this.... baaad English....

Quote
Things are more complicated when you have a separate firewall.
Me too! But, if it is a good choice, I can do NAT 1:1 of one of my public IPs to the SME server. So, all traffic to this IP is redirected to my SME server

Quote
your email client working with Outlook & not Thunderbird etc, it just suggests you have not set up the email client correctly, so review all your settings, IIRC Thunderbird has a number of places you need to setup details.
Of course, maybe!
In the local LAN I have these configurations:
IMAP: port 143 STARTTLS Normal Password
SMTP: port 25 STARTTLS Normal Password

In the external LAN (for ex: SME server is at work, Thunderbird client is at my house) I think that it is only necessary to change the port. Right?

@stefano:
Quote
I would add that 53 (dns) has no reason to be reachable from wan
Sorry, but at the moment I can't learn sftp, no time :,(
So, are you saying to close (on my WAN) port number 53?

@jader
Quote
I'll update wiki with more instructions about use and MAYBE a template to auto create XML file to server.
Tnx, very kind!

janet
« Reply #18 on: December 20, 2013, 06:42:29 PM »
cybermod

Fetchmail is problematic & best avoided if you can. Better & easier to use domain based email addresses & use your sme server as a mail server (it is running by default), & forward mail from external accounts to domain based addresses on sme server. It's best to use the features of sme server rather than doing things other ways.

In server manager (I think remote access panel) you can set what port sme server will use for ssh. Changing the port to say 2200 or whatever does not stop hackers as they will still scan for open ports, but hides the obvious port 22. Always configure public private keys for ssh & disable password access, that way you have very safe & secure ssh connections.

Depending what other services you have running on sme server, you might also need to open port 113 for IDENT, google it. The same reasoning & concept applies to many other ports.

As you have configured sme server to use secure mail services, then open ports 465, 993, 995 in your firewall & configure any remote or local email client (Thunderbird, Outlook etc) to use IMAPS port 993 & smtp port 465, etc. Refer to one of the wiki howtos for steps to setup email clients. Howto link is at top of forums.

Yes close port 53 in pfsense.

I would also add & ask, Why do you need pfsense firewall ?
Everything you are trying to do can be comfortably managed by sme server (using its own iptables firewall), & you have one less device to manage. Nothing you said so far seems to indicate a vital need for a separate firewall. You just added complexity & higher maintenance & management requirements, whereas sme server is supposed to simplify & make things easier.
« Last Edit: December 20, 2013, 06:53:48 PM by janet »

cybermod
« Reply #19 on: December 20, 2013, 09:22:33 PM »
Quote
Fetchmail is problematic & best avoided if you can. Better & easier to use domain based email addresses & use your sme server as a mail server (it is running by default), & forward mail from external accounts to domain based addresses on sme server. It's best to use the features of sme server rather than doing things other ways.
OK, I understand.... it's only for a study case (and, really, I'm afraid of hackers), but if you say "this is better", OK, I can try it!

Quote
In server manager (I think remote access panel) you can set what port sme server will use for ssh. Changing the port to say 2200 or whatever does not stop hackers as they will still scan for open ports, but hides the obvious port 22. Always configure public private keys for ssh & disable password access, that way you have very safe & secure ssh connections.
But if I hold this port closed? SSH only for VPN or LAN.
Quote
Always configure public private keys for ssh
Next level to learn????

Quote
Depending what other services you have running on sme server, you might also need to open port 113 for IDENT, google it. The same reasoning & concept applies to many other ports.
It is a security protocol (read on an Italian site)

Quote
As you have configured sme server to use secure mail services, then open ports 465, 993, 995 in your firewall & configure any remote or local email client (Thunderbird, Outlook etc) to use IMAPS port 993 & smtp port 465, etc. Refer to one of the wiki howtos for steps to setup email clients. Howto link is at top of forums.
Like this? http://wiki.contribs.org/index.php?title=Howto:Configuring_Outlook_2010_or_2007_and_SME_8&redirect=no

However... it does not run (now I tried from my house......)


Quote
Yes close port 53 in pfsense.
Ok!

Quote
I would also add & ask, Why do you need pfsense firewall ?
Everything you are trying to do can be comfortably managed by sme server (using its own iptables firewall), & you have one less device to manage. Nothing you said so far seems to indicate a vital need for a separate firewall. You just added complexity & higher maintenance & management requirements, whereas sme server is supposed to simplify & make things easier.
First - I know it, a little ;)

Really, I use pfsense for various reasons, for example: I have around 5 small companies, each with various needs... proxy, VPN client to LAN, VPN site to site, captive portal, etc etc.
And with pfsense I am able to set up a traffic shaper and other services.

If I do NAT 1:1 of a public IP to the SME server, is that not better in my case? (for learning?)

I just tried Outlook, I noticed this: the server says 552 Mail with no Date header not accepted here
I found this: http://wiki.contribs.org/Email#I_can.27t_receive.2Fsend_email_from_my_application_.28ACT.21.2C_vTiger.2C_MS_Outlook.2C_etc.29

Should I try it?

CharlieBrady
« Reply #20 on: December 21, 2013, 01:26:57 AM »
Quote
sorry for bad english, i think that in italian is better

In that case you can ask your questions in Italian here:

http://forums.contribs.org/index.php/board,15.0.html

CharlieBrady
« Reply #21 on: December 21, 2013, 01:29:38 AM »
Quote
I just tried outlook, i noticed this: server say 552 Mail with no Date header not accepted here

That verifies you are connected to the SME server and will be able to send mail. But to read mail you will need to connect via imap or imaps.

cybermod
« Reply #22 on: December 29, 2013, 07:08:21 PM »
Hi all!!!
I am alive

1- Merry Christmas and happy new year!

2- little update

I reinstalled all of smeserver8 + sogo, but in gateway mode!
So, 2 network cards, one public IP and one local IP.
Now, I am sure that there isn't any firewall problem!!! Right?

Next day, another test!

See you

cybermod
« Reply #23 on: January 13, 2014, 09:45:08 AM »
Hi all!!!!
I'm back!

Now I have reinstalled sme8 in gateway mode; it is directly on my internet connection, so no problems with open ports.
Again: I tested sme8 + sogo from my house, with another connection, and now it runs.

I also created a PTR record, but when I test with mxtoolbox.com I get this warning: Warning - Reverse DNS does not match SMTP Banner

Now, my question:
Is the PTR record:

public ip      PTR    mail.mydomain.it

or

public ip      PTR    hostnameserver.mydomain.it?

In my banner I see (through local telnet on the server)    hostnameserver.mydomain.it

Thanks guys

janet
« Reply #24 on: January 13, 2014, 11:43:46 AM »
cybermod

You can change the server CommonName with a db command to www.mydomain.it
Search forums on CommonName or look at one of the contribs.org wiki Certificate Howtos for details.

Then just use
www.mydomain.it
in your DNS & also specify www.mydomain.it for your mail server
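
Added example (not part of any post in this thread): the "Reverse DNS does not match SMTP Banner" warning quoted above compares the PTR name of the public IP with the host name in the server's SMTP 220 greeting, and this Python sketch makes the same comparison. The greeting text and both PTR candidates are constructed from the placeholder names used in the question; `live_check` is an optional helper for testing your own server and needs network access.

```python
import re
import socket

# Constructed sample: the greeting as the poster describes it from local telnet.
GREETING = "220 hostnameserver.mydomain.it ESMTP\r\n"


def normalize(name):
    """DNS names compare case-insensitively and may carry a trailing dot."""
    return name.strip().rstrip(".").lower()


def banner_host(greeting):
    """Return the host name announced in an SMTP greeting.

    Handles single-line ("220 host ...") and multi-line ("220-host ...")
    greetings; the host name is the first token on the first 220 line.
    """
    for line in greeting.splitlines():
        m = re.match(r"220[ -](\S+)", line)
        if m:
            return normalize(m.group(1))
    raise ValueError("no 220 greeting found")


def compare_ptr_to_banner(ptr_names, greeting):
    """Compare every PTR name for the IP with the banner host name."""
    host = banner_host(greeting)
    ptrs = [normalize(n) for n in ptr_names]
    return {"banner": host, "ptr": ptrs, "match": host in ptrs}


def fetch_greeting(ip, port=25, timeout=10.0):
    """Read the greeting from a live SMTP server (network required)."""
    data = b""
    with socket.create_connection((ip, port), timeout=timeout) as s:
        # The last line of a reply has a space after the 3-digit code.
        while not re.search(rb"^\d{3} .*\r?\n", data, re.M):
            chunk = s.recv(1024)
            if not chunk:
                break
            data += chunk
    return data.decode("ascii", "replace")


def live_check(ip):
    """PTR lookup plus banner fetch for one address (network required)."""
    name, aliases, _ = socket.gethostbyaddr(ip)
    return compare_ptr_to_banner([name, *aliases], fetch_greeting(ip))


if __name__ == "__main__":
    # The two PTR candidates from the question, checked against the banner.
    for ptr in ("mail.mydomain.it.", "hostnameserver.mydomain.it."):
        result = compare_ptr_to_banner([ptr], GREETING)
        print(ptr, "->", "match" if result["match"] else "MISMATCH")
```

Either the PTR record is pointed at the name in the banner, or the server name is changed so that the banner, PTR and mail host name all agree, which is what the reply above suggests.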