Koozali.org: home of the SME Server

SME server behind pfSense router/firewall

Offline DanB35

SME server behind pfSense router/firewall
« on: September 29, 2016, 09:07:46 PM »
I've been running my SME 9 server in server/gateway mode, but have decided to transition the routing duties to a pfSense box. I still want the SME box to handle mail, web, and the other services I've been using.  Am I right in thinking that all I need to do is

1. Set the server to server-only mode, and
2. Forward ports 25, 80, 110, 143, 443, 993, and 995 from the pfSense box to the SME box?
......

Offline Stefano

Re: SME server behind pfSense router/firewall
« Reply #1 on: September 29, 2016, 09:09:28 PM »
You're right. BTW, the ports you listed above are only for mail/web services.

Offline DanB35

Re: SME server behind pfSense router/firewall
« Reply #2 on: September 29, 2016, 09:13:53 PM »
Are there any other ports that should be forwarded to a standard SME server?  I'm running OpenVPN on it, but I'll be moving that to the router. I'm pondering ssh, but leaning toward leaving that closed to the outside, and using the VPN first if I need to ssh.
......

Offline Stefano

Re: SME server behind pfSense router/firewall
« Reply #3 on: September 29, 2016, 09:16:40 PM »
In my personal experience, ssh on a non-standard port > 1024 and with key auth is secure enough.. and you don't see your logs filled with failed logins from script kiddies..

Just be aware that in server-only mode you have to set many services to public access.

I have many SME behind some nat/firewalling devices.. never had an issue..

Offline Knuddi

Re: SME server behind pfSense router/firewall
« Reply #4 on: September 29, 2016, 10:05:34 PM »
I have also relied on an additional firewall for years and run my SMEs in server-only mode. As I only allow IMAP and SSMTP I have not opened up for POP3 (143/443) but 465 and 993 (IMAPS).

Offline DanB35

Re: SME server behind pfSense router/firewall
« Reply #5 on: September 29, 2016, 10:32:48 PM »
POP3 is 110, POP3S is 995. IMAP is 143, IMAPS is 993. 443 is HTTPS, and 465 is something to do with mail delivery (and I should add that to the list to open). I have a couple of remote users who might use POP3, so I might as well leave that open too.
......

Offline janet

Re: SME server behind pfSense router/firewall
« Reply #6 on: September 30, 2016, 02:36:55 AM »
DanB35

Strongly suggest you only use secure mail services, i.e. IMAPS, POPS etc.
Do not open ports & forward non-secure versions of those services.

Also only use ssh private/public key access, more secure than VPN.

Quote
....... so I might as well leave that open too.
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Offline DanB35

Re: SME server behind pfSense router/firewall
« Reply #7 on: September 30, 2016, 02:41:57 AM »
Quote
Also only use ssh private public key access, more secure than VPN.

SSH with public key access is more secure than OpenVPN with public key-authenticated access?
......

guest22

Re: SME server behind pfSense router/firewall
« Reply #8 on: September 30, 2016, 03:00:47 AM »
Tip: config show | grep 'TCP\|UDP'
will show you all 'defined' ports. Not whether they are open/closed, just defined.
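
The tip above lists every port the configuration database knows about, but not which ones are actually reachable; the port-forward lists earlier in the thread and the later point about public access are really about the subset that is both `access=public` and `status=enabled`. The following is an added example, not code from this thread or from the SME Server project: a POSIX sh/awk script that parses text in the layout `config show` prints (a `key=type` line followed by indented `prop=value` lines) and, for each service with a `TCPPort` or `UDPPort`, reports its access and status and whether it would need a forward on pfSense. The sample configuration is constructed for the example; the services, ports and states in it are assumptions, not output from a real box. On an SME server you would pipe `config show` into `list_ports` instead of the sample.

```shell
#!/bin/sh
# Constructed sample in the layout of SME Server's `config show` output.
# The services and their states are assumptions made for this example.
SAMPLE_CONFIG='sshd=service
    PasswordAuthentication=no
    PermitRootLogin=no
    TCPPort=22
    access=private
    status=enabled
smtpd=service
    TCPPort=25
    access=public
    status=enabled
imap=service
    TCPPort=143
    access=public
    status=enabled
imaps=service
    TCPPort=993
    access=public
    status=enabled
pop3=service
    TCPPort=110
    access=public
    status=disabled
openvpn-bridge=service
    UDPPort=1194
    access=public
    status=disabled
httpd-e-smith=service
    TCPPort=80
    TCPPorts=80,443
    access=public
    status=enabled
SystemName=sme9'

# list_ports: reads config-db text on stdin and prints one line per service
# that defines a TCPPort/UDPPort:
#   <service> <proto>/<port> access=<a> status=<s> <verdict>
# verdict is "forward" only when access=public AND status=enabled; everything
# else is "skip" (private services and disabled services need no forward).
list_ports() {
    awk '
    BEGIN { access = "-"; status = "-" }
    function flush() {
        if (svc != "" && port != "") {
            verdict = (access == "public" && status == "enabled") ? "forward" : "skip"
            printf "%s %s/%s access=%s status=%s %s\n", svc, proto, port, access, status, verdict
        }
        svc = ""; port = ""; proto = ""; access = "-"; status = "-"
    }
    # An unindented line starts a new record: emit the previous one first.
    /^[^ \t]/ { flush(); split($0, kv, "="); svc = kv[1]; next }
    # Indented prop=value lines belonging to the current record.
    /^[ \t]+TCPPort=/ { sub(/^[ \t]+TCPPort=/, ""); port = $0; proto = "tcp"; next }
    /^[ \t]+UDPPort=/ { sub(/^[ \t]+UDPPort=/, ""); port = $0; proto = "udp"; next }
    /^[ \t]+access=/  { sub(/^[ \t]+access=/, "");  access = $0; next }
    /^[ \t]+status=/  { sub(/^[ \t]+status=/, "");  status = $0; next }
    END { flush() }
    '
}

# defined_ports: every service in the sample that defines a port (the
# equivalent of the grep tip, but with access/status attached).
defined_ports() {
    printf '%s\n' "$SAMPLE_CONFIG" | list_ports
}

# needs_forward: only the services that would actually need a pfSense rule.
needs_forward() {
    defined_ports | awk '$NF == "forward" { print $1, $2 }'
}

# Stand-alone run: full table, then the forward list.
defined_ports
echo "--- services needing a port forward on pfSense ---"
needs_forward
```

Running it against the sample prints seven defined ports but only four that need a forward: sshd is defined but private, pop3 and openvpn-bridge are public but disabled. The same distinction is what separates "defined" from "open" on a real server.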

Offline CharlieBrady

Re: SME server behind pfSense router/firewall
« Reply #9 on: September 30, 2016, 03:08:11 PM »
Quote
Just be aware that in server-only mode you have to set many services to public access.

You only set public access to services which you want to be public. This is true whether you use server-only mode or server-gateway mode.

Offline Stefano

Re: SME server behind pfSense router/firewall
« Reply #10 on: September 30, 2016, 03:17:39 PM »
Quote
You only set public access to services which you want to be public. This is true whether you use server-only mode or server-gateway mode.

Well, you're right.. and setting access as public for a service without a port forward is not so useful ;-)
« Last Edit: September 30, 2016, 04:43:09 PM by Stefano »

Offline janet

Re: SME server behind pfSense router/firewall
« Reply #11 on: October 01, 2016, 01:52:24 AM »
DanB35

Quote
SSH with public key access is more secure than OpenVPN with public key-authenticated access?

I did not say that.
I was referring to ssh ppkey being more secure than VPN with ssh password (you did not previously mention you were using ssh secure key)

Offline DanB35

Re: SME server behind pfSense router/firewall
« Reply #12 on: October 01, 2016, 02:02:57 AM »
Quote
I was referring to ssh ppkey being more secure than VPN with ssh password (you did not previously mention you were using ssh secure key)

I would expect, in general, that public key auth would beat password auth (though OpenVPN also allows you to do both: user/pass/public key; I think SSH does as well, but it isn't a supported configuration in SME). If I had to choose between ssh and a VPN, I'd prefer the VPN, as it makes it quite a bit easier to access other resources on my LAN, but if there's a significant security difference that could change the plans.
......

Offline janet

Re: SME server behind pfSense router/firewall
« Reply #13 on: October 01, 2016, 06:32:24 AM »
Quote
I would expect, in general, that public key auth would beat password auth (though OpenVPN also allows you to do both: user/pass/public key; I think SSH does as well, but it isn't a supported configuration in SME). If I had to choose between ssh and a VPN, I'd prefer the VPN, as it makes it quite a bit easier to access other resources on my LAN, but if there's a significant security difference that could change the plans.

ssh tunnels (using ppkey) are usually a good secure option, depends what you want/need to do.

Offline DanB35

Re: SME server behind pfSense router/firewall
« Reply #14 on: October 03, 2016, 01:05:51 AM »
I had planned on doing this next week, but my Proxmox host is behaving oddly with its network interfaces, so the job got moved up a bit to this afternoon.  It seems to be working well, and for some reason is routing traffic about 5x as fast as my SME VM was.  No complaints about that!
......