Difference between revisions of "Firewall Configuration"

[unchecked revision]

[checked revision]

Latest revision as of 16:33, 22 March 2022

It is highly recommended to protect any MailStore Gateway with appropriate firewall rules. This document should help with setting up the required rules.

Please note: On Windows, the installation process automatically creates an appropriate firewall rule. Therefore the below information is only applicable if other firewall solutions are used.

If MailStore Gateway computer is on a private network, refer to the manual of the router or firewall that connects the private network to the Internet to find out how to set up appropriate port forwarding rules in addition to the firewall rules described in this document.

The table below lists all TCP ports that need to be opened in the firewall when using MailStore Gateway. The following abbreviations are used in the source and target columns of that table:

ANY = Any computer from private or public networks
ADM = Computer or network used for administration
GTW = Computer that hosts MailStore Gateway

Port	Source	Target	Description
25	GTW	ANY	Access to email servers via SMTP needed by the SMTP proxy functionality.
25	ANY	GTW	Access from email servers to send emails to MailStore Gateway mailboxes. Access from email clients via SMTP needed by the SMTP proxy functionality.
80	ANY	GTW	Access from Let's Encrypt for challenge requests. Required for the Let's Encrypt functionality.
110	GTW	ANY	Access to email servers via POP3 needed by the POP3 proxy functionality.
110	ANY	GTW	Access from email clients via POP3 needed by the POP3 proxy functionality.
8450	ADM	GTW	Access to the Management Console by administrators.
465	GTW	ANY	Access to email servers via SMTPS needed by the SMTP proxy functionality.
465	ANY	GTW	Access from email clients via SMTPS needed by the SMTP proxy functionality.
587	GTW	ANY	Access to email servers via SMTP needed by the SMTP proxy functionality.
587	ANY	GTW	Access from email clients via SMTP needed by the SMTP proxy functionality.
995	GTW	ANY	Access to email servers via POP3S needed by the POP3 proxy functionality.
995	ANY	GTW	Access from email clients via POP3S needed by the POP3 proxy functionality.
995	MailStore	GTW	Access from MailStore Server or MailStore Service Provider Edition to retrieve emails from MailStore Gateway mailboxes.

@@ Line 2: / Line 2: @@
 It is highly recommended to protect any MailStore Gateway with appropriate firewall rules. This document should help with setting up the required rules.
-<p class="msnote">'''Please note:''' If the server on which MailStore Gateway has been installed is on a private network, refer to the manual of the gateway or firewall that connects the private network to the Internet in order to find out how to set up appropriate port forwarding rules in additional to the firewall rules described in this article.</p>
+<p class="msnote">'''Please note: '''On Windows, the installation process automatically creates an appropriate firewall rule. Therefore the below information is only applicable if other firewall solutions are used.</p>
+If MailStore Gateway computer is on a private network, refer to the manual of the router or firewall that connects the private network to the Internet to find out how to set up appropriate port forwarding rules in addition to the firewall rules described in this document.
 The table below lists all TCP ports that need to be opened in the firewall when using MailStore Gateway. The following abbreviations are used in the source and target columns of that table:
@@ Line 8: / Line 10: @@
 * ANY = Any computer from private or public networks
 * ADM = Computer or network used for administration
-* SERVER = Server that hosts MailStore Gateway
+* GTW = Computer that hosts MailStore Gateway
 {| class="wikitable sortable"
@@ Line 17: / Line 19: @@
 |-
 | align="center" | 25
-| align="center" | SERVER
+| align="center" | GTW
 | align="center" | ANY
 | Access to email servers via SMTP needed by the SMTP proxy functionality.
@@ Line 23: / Line 25: @@
 | align="center" | 25
 | align="center" | ANY
-| align="center" | SERVER
+| align="center" | GTW
-| Access from email servers to sent emails to MailStore Gateway mailboxes.<br/>Access from email client via SMTP needed by the SMTP proxy functionality.
+| Access from email servers to send emails to MailStore Gateway mailboxes.<br/>Access from email clients via SMTP needed by the SMTP proxy functionality.
+|-
+| align="center" | 80
+| align="center" | ANY
+| align="center" | GTW
+| Access from Let's Encrypt for challenge requests. Required for the Let's Encrypt functionality.
 |-
 | align="center" | 110
-| align="center" | SERVER
+| align="center" | GTW
 | align="center" | ANY
 | Access to email servers via POP3 needed by the POP3 proxy functionality.
@@ Line 33: / Line 40: @@
 | align="center" | 110
 | align="center" | ANY
-| align="center" | SERVER
+| align="center" | GTW
-| Access from email client via POP3 needed by the POP3 proxy functionality.<br/> Access from MailStore Server or MailStore Service Provider Edition to retrieve emails from MailStore Gateway mailboxes.
+| Access from email clients via POP3 needed by the POP3 proxy functionality.
 |-
-| align="center" | 443
+| align="center" | 8450
 | align="center" | ADM
-| align="center" | SERVER
+| align="center" | GTW
-| Access to the web console by administrators.
+| Access to the Management Console by administrators.
 |-
 | align="center" | 465
-| align="center" | SERVER
+| align="center" | GTW
 | align="center" | ANY
 | Access to email servers via SMTPS needed by the SMTP proxy functionality.
@@ Line 48: / Line 55: @@
 | align="center" | 465
 | align="center" | ANY
-| align="center" | SERVER
+| align="center" | GTW
-| Access from email client via SMTPS needed by the SMTP proxy functionality.
+| Access from email clients via SMTPS needed by the SMTP proxy functionality.
 |-
 | align="center" | 587
-| align="center" | SERVER
+| align="center" | GTW
 | align="center" | ANY
 | Access to email servers via SMTP needed by the SMTP proxy functionality.
@@ Line 58: / Line 65: @@
 | align="center" | 587
 | align="center" | ANY
-| align="center" | SERVER
+| align="center" | GTW
-| Access from email client via SMTP needed by the SMTP proxy functionality.
+| Access from email clients via SMTP needed by the SMTP proxy functionality.
 |-
 | align="center" | 995
-| align="center" | SERVER
+| align="center" | GTW
 | align="center" | ANY
 |Access to email servers via POP3S needed by the POP3 proxy functionality.
@@ Line 68: / Line 75: @@
 | align="center" | 995
 | align="center" | ANY
-| align="center" | SERVER
+| align="center" | GTW
 |Access from email clients via POP3S needed by the POP3 proxy functionality.
+|-
+| align="center" | 995
+| align="center" | MailStore
+| align="center" | GTW
+|Access from MailStore Server or MailStore Service Provider Edition to retrieve emails from MailStore Gateway mailboxes.
 |}
-=== Windows Advanced Firewall ===
+[[de:Firewall-Konfiguration]]
-By executing the following commands in the Windows PowerShell command prompt, the required TCP ports are opened for inbound connections. Outbound connections to any destination are allowed by default.
+[[en:Firewall Configuration]]
-<source lang="powershell" toolbar="false" gutter="false">
-# Allow access to MailStore Gateway ports from everywhere
-netsh advfirewall firewall add rule name="MailStore Gateway" `
-  action=ALLOW dir=IN protocol=TCP localport="25,110,465,587,995" profile=ANY
-# Allow access to MailStore Gateway's web interface from administrator's network 192.0.2.0/24
-netsh advfirewall firewall add rule name="MailStore Gateway (Web Interface)" `
-  action=ALLOW dir=IN protocol=TCP localport="443" remoteip="192.0.2.0/24" profile=ANY
-</source>