Difference between revisions of "Firewall Configuration"

(Created page with "__NOTOC__ It is highly recommended to protect any MailStore Gateway with appropriate firewall rules. This document should help with setting up the required rules. <p class="...")
 
 
(12 intermediate revisions by 4 users not shown)
Line 2: Line 2:
 
It is highly recommended to protect any MailStore Gateway with appropriate firewall rules. This document should help with setting up the required rules.  
 
It is highly recommended to protect any MailStore Gateway with appropriate firewall rules. This document should help with setting up the required rules.  
  
<p class="msnote">'''Please note:''' If the server on which MailStore Gateway has been installed is on a private network, refer to the manual of the gateway or firewall that connects the private network to the Internet in order to find out how to set up appropriate port forwarding rules in additional to the firewall rules described in this article.</p>
+
<p class="msnote">'''Please note: '''On Windows, the installation process automatically creates an appropriate firewall rule. Therefore the below information is only applicable if other firewall solutions are used.</p>
 +
 
 +
If MailStore Gateway computer is on a private network, refer to the manual of the router or firewall that connects the private network to the Internet to find out how to set up appropriate port forwarding rules in addition to the firewall rules described in this document.
  
 
The table below lists all TCP ports that need to be opened in the firewall when using MailStore Gateway. The following abbreviations are used in the source and target columns of that table:
 
The table below lists all TCP ports that need to be opened in the firewall when using MailStore Gateway. The following abbreviations are used in the source and target columns of that table:
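Review bot: the new note "On Windows, the installation process automatically creates an appropriate firewall rule" does not say which ports that rule opens or from which source addresses. The table that follows restricts the Management Console port to ADM (the administration computer or network), so the note should state whether the automatically created rule is that narrow, or whether a Windows administrator still has to restrict the management port to the administration network by hand. Without that sentence, "the below information is only applicable if other firewall solutions are used" invites readers to assume the installer's rule already implements the whole table.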
Line 8: Line 10:
 
* ANY = Any computer from private or public networks  
 
* ANY = Any computer from private or public networks  
 
* ADM = Computer or network used for administration
 
* ADM = Computer or network used for administration
* SERVER = Server that hosts MailStore Gateway
+
* GTW = Computer that hosts MailStore Gateway
  
 
{| class="wikitable sortable"
 
{| class="wikitable sortable"
Line 17: Line 19:
 
|-
 
|-
 
| align="center" | 25
 
| align="center" | 25
| align="center" | SERVER
+
| align="center" | GTW
 
| align="center" | ANY
 
| align="center" | ANY
 
| Access to email servers via SMTP needed by the SMTP proxy functionality.  
 
| Access to email servers via SMTP needed by the SMTP proxy functionality.  
Line 23: Line 25:
 
| align="center" | 25
 
| align="center" | 25
 
| align="center" | ANY
 
| align="center" | ANY
| align="center" | SERVER
+
| align="center" | GTW
| Access from email servers to sent emails to MailStore Gateway mailboxes.<br/>Access from email client via SMTP needed by the SMTP proxy functionality.  
+
| Access from email servers to send emails to MailStore Gateway mailboxes.<br/>Access from email clients via SMTP needed by the SMTP proxy functionality.
 +
|-
 +
| align="center" | 80
 +
| align="center" | ANY
 +
| align="center" | GTW
 +
| Access from Let's Encrypt for challenge requests. Required for the Let's Encrypt functionality.  
 
|-
 
|-
 
| align="center" | 110
 
| align="center" | 110
| align="center" | SERVER
+
| align="center" | GTW
 
| align="center" | ANY
 
| align="center" | ANY
 
| Access to email servers via POP3 needed by the POP3 proxy functionality.  
 
| Access to email servers via POP3 needed by the POP3 proxy functionality.  
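Review bot: the new port 80 row is listed with source ANY, but its description says it is only "Required for the Let's Encrypt functionality", which conflicts with the intro sentence "lists all TCP ports that need to be opened". Mark the row as conditional, for example "Only when Let's Encrypt is used; leave the port closed otherwise", so administrators who do not use Let's Encrypt do not expose an extra Internet-facing listener on the gateway.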
Line 33: Line 40:
 
| align="center" | 110
 
| align="center" | 110
 
| align="center" | ANY
 
| align="center" | ANY
| align="center" | SERVER
+
| align="center" | GTW
| Access from email client via POP3 needed by the POP3 proxy functionality.<br/> Access from MailStore Server or MailStore Service Provider Edition to retrieve emails from MailStore Gateway mailboxes.
+
| Access from email clients via POP3 needed by the POP3 proxy functionality.
 
|-
 
|-
| align="center" | 443
+
| align="center" | 8450
 
| align="center" | ADM
 
| align="center" | ADM
| align="center" | SERVER
+
| align="center" | GTW
| Access to the web console by administrators.
+
| Access to the Management Console by administrators.
 
|-
 
|-
 
| align="center" | 465
 
| align="center" | 465
| align="center" | SERVER
+
| align="center" | GTW
 
| align="center" | ANY
 
| align="center" | ANY
 
| Access to email servers via SMTPS needed by the SMTP proxy functionality.
 
| Access to email servers via SMTPS needed by the SMTP proxy functionality.
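Review bot: the Management Console port changes from 443 to 8450 in this hunk, but no prose records the change. The earlier revision's PowerShell example at the end of this diff opened localport "443" with remoteip "192.0.2.0/24", so readers who followed it will keep a stale 443 rule and have no 8450 rule. Add a sentence to the effect of "The Management Console listens on TCP 8450; earlier revisions of this page listed 443, and rules for 443 can be removed." The removal of the "Access from MailStore Server or MailStore Service Provider Edition" sentence from the 110 row is consistent with the new 995 row added later in this diff, but a note that this access moved from POP3 to POP3S would help readers diffing the two revisions.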
Line 48: Line 55:
 
| align="center" | 465
 
| align="center" | 465
 
| align="center" | ANY
 
| align="center" | ANY
| align="center" | SERVER
+
| align="center" | GTW
| Access from email client via SMTPS needed by the SMTP proxy functionality.  
+
| Access from email clients via SMTPS needed by the SMTP proxy functionality.  
 
|-
 
|-
 
| align="center" | 587
 
| align="center" | 587
| align="center" | SERVER
+
| align="center" | GTW
 
| align="center" | ANY
 
| align="center" | ANY
 
| Access to email servers via SMTP needed by the SMTP proxy functionality.
 
| Access to email servers via SMTP needed by the SMTP proxy functionality.
Line 58: Line 65:
 
| align="center" | 587
 
| align="center" | 587
 
| align="center" | ANY
 
| align="center" | ANY
| align="center" | SERVER
+
| align="center" | GTW
| Access from email client via SMTP needed by the SMTP proxy functionality.
+
| Access from email clients via SMTP needed by the SMTP proxy functionality.
 
|-
 
|-
 
| align="center" | 995
 
| align="center" | 995
| align="center" | SERVER
+
| align="center" | GTW
 
| align="center" | ANY
 
| align="center" | ANY
 
|Access to email servers via POP3S needed by the POP3 proxy functionality.  
 
|Access to email servers via POP3S needed by the POP3 proxy functionality.  
Line 68: Line 75:
 
| align="center" | 995
 
| align="center" | 995
 
| align="center" | ANY
 
| align="center" | ANY
| align="center" | SERVER
+
| align="center" | GTW
 
|Access from email clients via POP3S needed by the POP3 proxy functionality.  
 
|Access from email clients via POP3S needed by the POP3 proxy functionality.  
 +
|-
 +
| align="center" | 995
 +
| align="center" | MailStore
 +
| align="center" | GTW
 +
|Access from MailStore Server or MailStore Service Provider Edition to retrieve emails from MailStore Gateway mailboxes.
 
|}
 
|}
  
=== Windows Advanced Firewall ===
+
[[de:Firewall-Konfiguration]]
By executing the following commands in the Windows PowerShell command prompt, the required TCP ports are opened for inbound connections. Outbound connections to any destination are allowed by default.
+
[[en:Firewall Configuration]]
 
 
<source lang="powershell" toolbar="false" gutter="false">
 
# Allow access to MailStore Gateway ports from everywhere
 
netsh advfirewall firewall add rule name="MailStore Gateway" `
 
  action=ALLOW dir=IN protocol=TCP localport="25,110,465,587,995" profile=ANY
 
 
 
# Allow access to MailStore Gateway's web interface from administrator's network 192.0.2.0/24
 
netsh advfirewall firewall add rule name="MailStore Gateway (Web Interface)" `
 
  action=ALLOW dir=IN protocol=TCP localport="443" remoteip="192.0.2.0/24" profile=ANY
 
</source>
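Review bot: the added row uses "MailStore" as a source value, but the abbreviation list above the table only defines ANY, ADM and GTW; either add "MailStore = MailStore Server or MailStore Service Provider Edition host" to that list or write the long form in the cell. Note also that the preceding row already opens 995 from ANY for POP3S clients, so this row adds no firewall rule of its own; say so explicitly, or point out that the ANY row can be narrowed to the MailStore host when the POP3 proxy is not offered to email clients. Finally, deleting the "Windows Advanced Firewall" section leaves the "other firewall solutions" note with no rule example at all; a short equivalent for a non-Windows firewall, or a link to one, would keep the page self-contained.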
 

Latest revision as of 16:33, 22 March 2022

It is highly recommended to protect any MailStore Gateway with appropriate firewall rules. This document should help with setting up the required rules.

Please note: On Windows, the installation process automatically creates an appropriate firewall rule. Therefore, the information below only applies if other firewall solutions are used.

If the MailStore Gateway computer is on a private network, refer to the manual of the router or firewall that connects the private network to the Internet to find out how to set up appropriate port forwarding rules in addition to the firewall rules described in this document.

The table below lists all TCP ports that need to be opened in the firewall when using MailStore Gateway. The following abbreviations are used in the source and target columns of that table:

* ANY = Any computer from private or public networks
* ADM = Computer or network used for administration
* GTW = Computer that hosts MailStore Gateway

{| class="wikitable sortable"
! Port !! Source !! Target !! Description
|-
| 25 || GTW || ANY || Access to email servers via SMTP needed by the SMTP proxy functionality.
|-
| 25 || ANY || GTW || Access from email servers to send emails to MailStore Gateway mailboxes.<br/>Access from email clients via SMTP needed by the SMTP proxy functionality.
|-
| 80 || ANY || GTW || Access from Let's Encrypt for challenge requests. Required for the Let's Encrypt functionality.
|-
| 110 || GTW || ANY || Access to email servers via POP3 needed by the POP3 proxy functionality.
|-
| 110 || ANY || GTW || Access from email clients via POP3 needed by the POP3 proxy functionality.
|-
| 8450 || ADM || GTW || Access to the Management Console by administrators.
|-
| 465 || GTW || ANY || Access to email servers via SMTPS needed by the SMTP proxy functionality.
|-
| 465 || ANY || GTW || Access from email clients via SMTPS needed by the SMTP proxy functionality.
|-
| 587 || GTW || ANY || Access to email servers via SMTP needed by the SMTP proxy functionality.
|-
| 587 || ANY || GTW || Access from email clients via SMTP needed by the SMTP proxy functionality.
|-
| 995 || GTW || ANY || Access to email servers via POP3S needed by the POP3 proxy functionality.
|-
| 995 || ANY || GTW || Access from email clients via POP3S needed by the POP3 proxy functionality.
|-
| 995 || MailStore || GTW || Access from MailStore Server or MailStore Service Provider Edition to retrieve emails from MailStore Gateway mailboxes.
|}
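The following is an added example, not MailStore's or this page's own code. It turns the inbound rows of the table above into a policy object that can be queried before deployment (is the Management Console reachable only from the administration network?) and rendered as an nftables ruleset for the "other firewall solutions" the note mentions. It assumes an administration network of 192.0.2.0/24 (the range an earlier revision of this page used in its PowerShell example), a constructed MailStore Server address of 198.51.100.10, IPv4 only, and treats the port 80 row as conditional on Let's Encrypt being in use; the class and function names are the example's own.

```python
import ipaddress

# Inbound rows of this page's port table (target = GTW): port -> source classes.
# "MailStore" is the page's wording for the MailStore Server / SPE host.
INBOUND_TABLE = {
    25: {"ANY"},
    80: {"ANY"},            # page: required only for the Let's Encrypt functionality
    110: {"ANY"},
    465: {"ANY"},
    587: {"ANY"},
    995: {"ANY", "MailStore"},
    8450: {"ADM"},
}
LETSENCRYPT_PORT = 80


class GatewayInboundPolicy:
    """Evaluates and renders the inbound TCP policy for one gateway host (IPv4 assumed)."""

    def __init__(self, admin_net, mailstore_hosts, letsencrypt=False):
        # Deployment values are supplied by the caller; see example_policy() below.
        self.admin_net = ipaddress.ip_network(admin_net)
        self.mailstore_hosts = {ipaddress.ip_address(h) for h in mailstore_hosts}
        self.letsencrypt = letsencrypt

    def effective_table(self):
        """The table with the Let's Encrypt row dropped when that feature is unused."""
        table = dict(INBOUND_TABLE)
        if not self.letsencrypt:
            table.pop(LETSENCRYPT_PORT)
        return table

    def source_classes(self, src_ip):
        """Which abbreviations from the page's list a given source address satisfies."""
        ip = ipaddress.ip_address(src_ip)
        classes = {"ANY"}
        if ip in self.admin_net:
            classes.add("ADM")
        if ip in self.mailstore_hosts:
            classes.add("MailStore")
        return classes

    def allows(self, src_ip, dport):
        """Default deny: only a row of the table can admit an inbound TCP connection."""
        allowed = self.effective_table().get(dport)
        if allowed is None:
            return False
        return bool(allowed & self.source_classes(src_ip))

    def nftables(self):
        """Render the policy as an nftables 'inet' table in nft syntax."""
        table = self.effective_table()
        public = sorted(p for p, src in table.items() if "ANY" in src)
        lines = [
            "table inet mailstore_gateway {",
            "  chain input {",
            "    type filter hook input priority 0; policy drop;",
            "    iif lo accept",
            "    ct state established,related accept",
            f"    tcp dport {{ {', '.join(map(str, public))} }} accept",
        ]
        # Ports that are NOT open to ANY get a source-bound rule. A 995 rule for the
        # MailStore host would be redundant, because 995 is already open to ANY for
        # POP3S clients, so nothing is emitted for it.
        adm_ports = sorted(p for p, src in table.items()
                           if "ADM" in src and "ANY" not in src)
        for port in adm_ports:
            lines.append(f"    ip saddr {self.admin_net} tcp dport {port} accept")
        ms_ports = sorted(p for p, src in table.items()
                          if "MailStore" in src and "ANY" not in src)
        for host in sorted(self.mailstore_hosts):
            for port in ms_ports:
                lines.append(f"    ip saddr {host} tcp dport {port} accept")
        lines += ["  }", "}"]
        return "\n".join(lines)


def example_policy():
    # Constructed deployment values (assumption): admin network from the page's
    # earlier PowerShell example, MailStore Server address made up for this example.
    return GatewayInboundPolicy("192.0.2.0/24", ["198.51.100.10"], letsencrypt=False)


if __name__ == "__main__":
    policy = example_policy()
    print(policy.nftables())
    for src, port in [("203.0.113.5", 8450), ("192.0.2.10", 8450), ("203.0.113.5", 25)]:
        print(src, port, "allow" if policy.allows(src, port) else "deny")
```

Running the module prints the ruleset and three sample decisions; the point to check before loading the rules is that `allows()` answers False for the Management Console port from any address outside the administration network, while the mail ports stay reachable, and that the rendered ruleset contains no rule for port 80 unless Let's Encrypt is actually used.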