Firewall Configuration
Revision as of 12:13, 22 September 2023 by Ltalaschus (talk | contribs)
It is highly recommended to protect the MailStore Server service with appropriate firewall rules. This document should help with setting up the required rules.
Important Notices:
- The communication channels described below MUST NOT be intercepted by any kind of email or web proxies that are provided as part of antivirus software or unified threat management gateways.
- The Windows Advanced Firewall is activated on any Windows Server installation by default. In order to connect to services (e.g. MailStore Web Access) of the MailStore Server, it is required that the appropriate firewall rules are added (see below). Some rules are automatically created during the installation.
The table below lists all TCP ports that can be utilized by MailStore Server. Not all ports need to be opened in the firewall in every scenario. The ports shown are the defaults; if they have been changed in the MailStore Server configuration, adjust the rules accordingly. The following abbreviations are used in the source and target columns of that table:
- ANY = Any computer from private or public networks
- ADM = Computer or network used for administration
- SERVER = Server that hosts MailStore Server
Port | Source | Target | Description |
---|---|---|---|
80 | Let's Encrypt | SERVER | Access to the MailStore Server service by Let's Encrypt web services to perform domain validation checks. |
80 | ANY | Certificate Authority | Access to certificate authorities to check certificate revocation status via HTTP. |
110 | SERVER | ANY | Access to email servers for archiving via POP3 (Unencrypted/STARTTLS). |
143 | SERVER | ANY | Access to email servers for archiving via IMAP (Unencrypted/STARTTLS). |
143 | ANY | SERVER | IMAP access to archives secured by TLS (STARTTLS) encryption. |
389 | SERVER | ANY | Access to LDAP servers (including Microsoft Active Directory) using an unencrypted or STARTTLS-encrypted session. |
443 | SERVER | ANY | Access to Microsoft Exchange servers for archiving via Exchange Web Services (EWS) secured by TLS encryption. |
443 | SERVER | ANY | Access to IceWarp Mail Servers for synchronizing and authenticating users via API secured by TLS encryption. |
443 | SERVER | my.mailstore.com | Software activation during installation. Important: DNS hostname MUST be used in firewall rules due to periodically changing IP addresses of my.mailstore.com. |
587 | SERVER | ANY | Access to an email server to send status reports and informational emails. |
636 | SERVER | ANY | Access to LDAP servers (including Microsoft Active Directory) using a TLS encrypted connection. |
993 | SERVER | ANY | Access to email servers for archiving via IMAP (TLS). |
993 | ANY | SERVER | IMAP access to archives secured by TLS encryption. |
995 | SERVER | ANY | Access to email servers for archiving via POP3 (TLS). |
1433 | SERVER | MS SQL Server | Access to MS SQL servers by MailStore for archive store access. |
4040 | SERVER | ANY | Access to Kerio Connect Servers for synchronizing users via API secured by TLS encryption. |
5432 | SERVER | PostgreSQL Server | Access to PostgreSQL servers by MailStore for archive store access. |
8460 | ANY | SERVER | Access used by MailStore Client. |
8462 | ANY | SERVER | Access by Outlook Add-in and Web Access. |
8463 | ADM | SERVER | Access to the MailStore Management API. |
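As an added example (not part of the MailStore documentation), the following PowerShell creates the inbound Windows Defender Firewall rules for the SERVER-side listener ports in the table using the built-in NetSecurity cmdlets, and then lists the resulting rules with their port and remote-address scope for verification. It assumes the default ports, the Domain and Private profiles, and a placeholder administration network of 10.0.10.0/24 standing in for ADM; substitute your own values.

```powershell
# Added example (not from the MailStore documentation): inbound rules for the
# MailStore Server listener ports from the table above. Assumes default ports.
$AdminNetwork = '10.0.10.0/24'   # placeholder for "ADM"; replace with your admin network

# 8460 (MailStore Client) and 8462 (Outlook Add-in / Web Access) are listed
# with source ANY, so they are opened for every remote address on the chosen profiles.
New-NetFirewallRule -DisplayName 'MailStore Client (TCP 8460)' `
    -Direction Inbound -Protocol TCP -LocalPort 8460 -Action Allow `
    -Profile Domain,Private

New-NetFirewallRule -DisplayName 'MailStore Web Access / Outlook Add-in (TCP 8462)' `
    -Direction Inbound -Protocol TCP -LocalPort 8462 -Action Allow `
    -Profile Domain,Private

# 8463 (Management API) is listed with source ADM only, so the remote address
# is restricted to the administration network instead of Any.
New-NetFirewallRule -DisplayName 'MailStore Management API (TCP 8463)' `
    -Direction Inbound -Protocol TCP -LocalPort 8463 -Action Allow `
    -Profile Domain,Private -RemoteAddress $AdminNetwork

# IMAP access to archives (143 STARTTLS, 993 TLS): only needed if IMAP access is enabled.
New-NetFirewallRule -DisplayName 'MailStore IMAP (TCP 143,993)' `
    -Direction Inbound -Protocol TCP -LocalPort 143,993 -Action Allow `
    -Profile Domain,Private

# Verification: show every MailStore rule with its local ports and remote scope,
# so an accidentally unscoped Management API rule is easy to spot.
Get-NetFirewallRule -DisplayName 'MailStore*' | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule       = $_.DisplayName
        Enabled    = $_.Enabled
        Direction  = $_.Direction
        LocalPort  = ($port.LocalPort -join ',')
        RemoteAddr = ($addr.RemoteAddress -join ',')
    }
} | Format-Table -AutoSize

# From a client or admin workstation, confirm reachability of a single port
# (hostname is a placeholder):
# Test-NetConnection -ComputerName mailstore.example.com -Port 8463
```

The Test-NetConnection check is worth running from a host outside the administration network as well: a TCP connection to 8463 that succeeds from there means the Management API rule is not scoped as the table prescribes.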