Difference between revisions of "Firewall Configuration for Single Server Mode"

[checked revision]

Revision as of 13:40, 25 August 2020

It is highly recommended to protect any MailStore Service Provider Edition service with appropriate firewall rules. This document should help with setting up the required rules. The firewall rules for running the SPE in Multi Server Mode can be found in this document.

Important Notices:

The communication channels described below MUST NOT be intercepted by any kind of email or web proxies that are provided as part of antivirus software or unified threat management gateways.
The Windows Advanced Firewall is activated on any Windows Server installation by default. In order to connect to services (e.g. MailStore Management Console) of the MailStore Service Provider Edition, it is required that the appropriate firewall rules are added (see below).

The table below lists all TCP ports that need to be opened in the firewall when using MailStore Service Provider Edition in single server mode. The following abbreviations are used in the source and target columns of that table:

ANY = Any computer from private or public networks
ADM = Computer or network used for administration
SERVER = Server that hosts MailStore Service Provider Edition

Port	Source	Target	Description
110	SERVER	ANY	Access to email servers for archiving via POP3 (Unencrypted/STARTTLS).
143	SERVER	ANY	Access to email servers for archiving via IMAP (Unencrypted/STARTTLS).
143	ANY	SERVER	IMAP access to archives secured by TLS (STARTTLS) encryption.
389	SERVER	ANY	Access to LDAP servers (including Microsoft Active Directory) using an unencrypted or STARTTLS-encrypted session.
443	SERVER	ANY	Access to Microsoft Exchange servers for archiving via Exchange Web Services (EWS) secured by SSL encryption.
443	SERVER	my.mailstore.com	Usage reporting and license update. Important: DNS hostname MUST be used in firewall rules due to periodically changing IP addresses of my.mailstore.com.
443	ANY	SERVER	HTTPS access to instances used by E-mail Archive Client, Outlook Add-in, and Web Access.
636	SERVER	ANY	Access to LDAP servers (including Microsoft Active Directory) using a SSL encrypted connection.
993	SERVER	ANY	Access to email servers for archiving via IMAP (SSL).
993	ANY	SERVER	IMAP access to archives secured by TLS (SSL) encryption.
995	SERVER	ANY	Access to email servers for archiving via POP3 (SSL).
8470	ADM	SERVER	Web-based access to the MailStore Management Console.
8474	ADM	SERVER	Access to the MailStore Management API.

Windows Advanced Firewall

The Windows Advanced Firewall can easily be re-configured for Single Server Mode. By executing the following commands in the Windows PowerShell command prompt, the required TCP ports are opened for inbound connections. Outbound connections to any destination are allowed by default.

# Allow access to CAS ports from everwhere
netsh advfirewall firewall add rule name="MailStore Service Provider Edition (CAS)" `
  action=ALLOW dir=IN protocol=TCP localport="143,443,993" profile=ANY

# Allow access to MailStore Service Provider Management Console from adminstrator network 192.0.2.0/24
netsh advfirewall firewall add rule name="MailStore Service Provider Edition (MGMT)" `
  action=ALLOW dir=IN protocol=TCP localport="8470" remoteip="192.0.2.0/24" profile=ANY

# Allow access to MailStore Management API from adminstrator network 192.0.2.0/24
netsh advfirewall firewall add rule name="MailStore Service Provider Edition (MGMT)" `
  action=ALLOW dir=IN protocol=TCP localport="8474" remoteip="192.0.2.0/24" profile=ANY

@@ Line 46: / Line 46: @@
 | align="center" | SERVER
 | align="center" | my.mailstore.com
-| Usage reporting and license update
+| Usage reporting and license update.<br/><span class="mswarning">'''Important:''' DNS hostname MUST be used in firewall rules due to periodically changing IP addresses of my.mailstore.com.</span>
 |-
 | align="center" | 443