== Step 6: Add pfSense Firewall Rules (for real) ==

You don’t need to add ALL the rules below. If you are okay with being connected to your VPN, or on your local network, to receive & send email, the only rule you need to add is rule #1 so you can receive mail, which you just did. If you want to allow IP addresses that are NOT connecting to your server via VPN into your mail server, you would create an alias with those IPs using the steps in Lesson 1 above, and then use that alias (called <code>mailserver_trusted_clients</code> in this case) for everything. One instance would be if you use a service like '''Freshdesk''' for customer service & opt to use your own mail server. In this case, you would have to [https://support.freshdesk.com/support/solutions/articles/50000005619-allowlist-nat-ips '''allow their IP addresses to access your server'''] so that Freshdesk can read your customer service inbox and send emails as your customer service email.

<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxdmy_tmp_1f1b2c6a.png
File:lu55028jxdmy_tmp_31037c49.png
File:lu55028jxdmy_tmp_8d77cc05.png
File:lu55028jxdmy_tmp_54c8a9f1.png
File:lu55028jxdmy_tmp_17e7dded.png
File:lu55028jxdmy_tmp_cc025f84.png
</gallery>

<span id="rule-1-forwarding-smtp-port-25-the-only-rule-you-need-if-you-are-using-openvpn-to-connect-to-your-mailserver"></span>
=== Rule 1: Forwarding SMTP (Port 25) – the ONLY rule you need if you are using OpenVPN to connect to your mailserver! ===
* '''Protocol''': IPv4 TCP
* '''Source''': Any
* '''Destination''': 192.168.5.3
* '''Port''': 25 (SMTP)
* '''Description''': NAT Forward Postfix SMTP to Mailcow

'''What this rule does:'''
* This rule forwards unsecured SMTP traffic on port 25 to the Mailcow server at 192.168.5.3.
* SMTP on port 25 is traditionally used for sending emails between email servers. However, it’s not encrypted by default, meaning the data can be sent in plain text.
* '''Why this is ALWAYS needed''': Although not as secure as SMTPS, port 25 is required for email delivery between servers on the internet. When your Mailcow server sends or receives emails from other email servers, it typically uses SMTP on port 25. This rule makes sure that your Mailcow server can communicate with other email servers to handle incoming and outgoing email traffic. Keeping port 25 closed means saying goodbye to receiving email. If you’re like me, this might be step 1 to solving a lot of life’s problems…

<span id="rule-2-forwarding-smtps-port-465"></span>
=== Rule 2: Forwarding SMTPS (Port 465) ===
* '''Protocol''': IPv4 TCP
* '''Source''': <code>mailserver_trusted_clients</code>
* '''Destination''': 192.168.5.3
* '''Port''': 465 (SMTP/S)
* '''Description''': NAT Forward Postfix SMTPS to Mailcow

'''What this rule does:'''
* This rule allows secure SMTP (SMTPS) traffic on port 465 from the clients defined in the <code>mailserver_trusted_clients</code> alias to be forwarded to the Mailcow server running on 192.168.5.3. For instance, if you are integrating self-hosted email with a service like [https://support.freshdesk.com/support/solutions/articles/195170-using-custom-email-servers-to-set-up-support-emails Freshdesk], you would want to open this port so their app can send emails using your server. However, you would not want to open it to the entire world, just to the clients you want. In the case of Freshdesk, you might make a <code>mailserver_trusted_clients</code> alias with all of [https://support.freshdesk.com/support/solutions/articles/50000005619-allowlist-nat-ips Freshdesk’s IP addresses] so they make it through on port 465, but nobody else does.
* SMTP (Simple Mail Transfer Protocol) is the protocol used for sending emails. The S at the end of SMTPS indicates that this is a secure version of SMTP, meaning the communication is encrypted using SSL/TLS.
* '''When this is needed''': This rule allows email clients that are NOT connected to your server via VPN to send emails using encryption. If this port is closed, they will not be able to connect to your mail server to send mail.
* '''When this is NOT needed''': This rule is unnecessary if you are sending mail by connecting to your mailserver via VPN, or locally on your home network. It is unnecessary if you do not have external services such as Freshdesk that you integrate with your mailserver.

<span id="rule-3-forwarding-submission-port-587"></span>
=== Rule 3: Forwarding Submission (Port 587) ===
* '''Protocol''': IPv4 TCP
* '''Source''': <code>mailserver_trusted_clients</code>
* '''Destination''': 192.168.5.3
* '''Port''': 587 (SUBMISSION)
* '''Description''': NAT Forward Postfix Submission to Mailcow

'''What this rule does:'''
* This rule forwards traffic on port 587 to your Mailcow server at 192.168.5.3.
* Port 587 is used for email submission by clients (i.e., when you’re sending an email through an email client like Outlook or Thunderbird). This port requires authentication and typically uses STARTTLS to secure the connection.
* '''Why this is needed''': Unlike port 25 (which is often used for server-to-server email transmission), port 587 is specifically used for sending emails from a client to the server. When you configure an email client to send messages, you often use port 587 with authentication. This rule makes sure that clients (in this case, the trusted clients defined in <code>mailserver_trusted_clients</code>) can securely submit their emails for sending through Mailcow.
* '''When this is NOT needed''': This rule is unnecessary if you are sending mail by connecting to your mailserver via VPN, or locally on your home network. It is unnecessary if you do not have external services such as Freshdesk that you integrate with your mailserver.

<span id="rule-4-forwarding-imap-port-143"></span>
=== Rule 4: Forwarding IMAP (Port 143) ===
* '''Protocol''': IPv4 TCP
* '''Source''': <code>mailserver_trusted_clients</code>
* '''Destination''': 192.168.5.3
* '''Port''': 143 (IMAP)
* '''Description''': NAT Forward Dovecot IMAP to Mailcow

<span id="what-this-rule-does"></span>
==== What this rule does: ====
* This rule forwards IMAP traffic on port 143 to the Mailcow server at 192.168.5.3.
* IMAP (Internet Message Access Protocol) is used by email clients to retrieve emails from the mail server. IMAP allows users to keep their emails on the server and access them from multiple devices.
* '''Why this is needed''': This rule allows clients to access their emails using the non-encrypted version of IMAP on port 143. It allows clients to view and manage their emails stored on the server without downloading them to their devices.
* '''When this is NOT needed''': This rule is unnecessary if you are receiving mail by connecting to your mailserver via VPN, or locally on your home network. It is unnecessary if you do not have external services such as Freshdesk that you integrate with your mailserver.

<span id="rule-5-forwarding-imaps-port-993"></span>
=== Rule 5: Forwarding IMAPS (Port 993) ===
* '''Protocol''': IPv4 TCP
* '''Source''': <code>mailserver_trusted_clients</code>
* '''Destination''': 192.168.5.3
* '''Port''': 993 (IMAP/S)
* '''Description''': NAT Forward Dovecot IMAPS to Mailcow

<span id="what-this-rule-does-1"></span>
==== What this rule does: ====
* This rule forwards secure IMAP traffic (IMAPS) on port 993 to the Mailcow server.
* IMAPS is the encrypted version of IMAP. It uses SSL/TLS to secure communication between the email client and the server.
* '''Why this is needed''': This rule allows users to securely access their emails stored on the server using IMAP. This is the preferred method for most modern email clients, as it encrypts the communication, making sure that sensitive information like email contents and credentials is protected while being retrieved by the client.
* '''When this is NOT needed''': This rule is unnecessary if you are receiving mail by connecting to your mailserver via VPN, or locally on your home network. It is unnecessary if you do not have external services such as Freshdesk that you integrate with your mailserver.

<span id="rule-6-forwarding-pop3-port-110"></span>
=== Rule 6: Forwarding POP3 (Port 110) ===
* '''Protocol''': IPv4 TCP
* '''Source''': <code>mailserver_trusted_clients</code>
* '''Destination''': 192.168.5.3
* '''Port''': 110 (POP3)
* '''Description''': NAT Forward Dovecot POP3 to Mailcow

<span id="what-this-rule-does-2"></span>
==== What this rule does: ====
* This rule forwards POP3 traffic on port 110 to the Mailcow server.
* POP3 (Post Office Protocol version 3) is another protocol used to retrieve emails from the server. Unlike IMAP, POP3 typically downloads emails to the local device and removes them from the server.
* '''Why this is needed''': This rule allows clients to retrieve emails using POP3. Some users or legacy email clients may prefer to use POP3 if they want to download and store emails locally rather than keeping them on the server.
* '''When this is NOT needed''': This rule is unnecessary if you are receiving mail by connecting to your mailserver via VPN, or locally on your home network. Also, why are you even thinking of using POP3? Don’t do this.

<span id="rule-7-forwarding-pop3s-port-995"></span>
=== Rule 7: Forwarding POP3S (Port 995) ===
* '''Protocol''': IPv4 TCP
* '''Source''': <code>mailserver_trusted_clients</code>
* '''Destination''': 192.168.5.3
* '''Port''': 995 (POP3/S)
* '''Description''': NAT Forward Dovecot POP3S to Mailcow

<span id="what-this-rule-does-3"></span>
==== What this rule does: ====
* This rule forwards secure POP3 (POP3S) traffic on port 995 to the Mailcow server.
* POP3S is the encrypted version of POP3, using SSL/TLS for secure communication.
* '''Why this is needed''': This rule enables users to securely retrieve their emails using POP3S. This is preferred over regular POP3 because it makes sure that the email contents and credentials are transmitted securely.
* '''When this is NOT needed''': This rule is unnecessary if you are receiving mail by connecting to your mailserver via VPN, or locally on your home network. Also, why are you even thinking of using POP3? Don’t do this. Use IMAP; POP3 in 2024 is pure insanity.

<span id="rule-8-forwarding-managesieve-port-4190"></span>
=== Rule 8: Forwarding ManageSieve (Port 4190) ===
* '''Protocol''': IPv4 TCP
* '''Source''': <code>mailserver_trusted_clients</code>
* '''Destination''': 192.168.5.3
* '''Port''': 4190
* '''Description''': NAT Forward Dovecot ManageSieve to Mailcow

<span id="what-this-rule-does-4"></span>
==== What this rule does: ====
* This rule forwards ManageSieve traffic on port 4190 to the Mailcow server.
* ManageSieve is a protocol used to manage server-side email filtering rules (such as automated sorting of emails into folders, marking emails as spam, etc.). This is done on the server side rather than through a client-side rule.
* '''Why this is needed''': This rule allows trusted clients to create and manage email filtering rules on the server. For example, users can create rules to automatically move incoming emails from a certain sender into a specific folder. It’s useful for managing email organization and automating tasks at the server level. I don’t bother with this, but you can if you want to.

<span id="tldr-of-self-hosted-email-firewall-rules"></span>
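To check the rule set from Step 6 before enabling it, here is an added example (not code from this wiki page, pfSense or Mailcow) that models the eight NAT forwards with first-match semantics, resolves the <code>mailserver_trusted_clients</code> alias by CIDR, and flags the rules this lesson itself warns about. The alias contents, the connections tested, and the function names are assumptions; the ports, descriptions and the 192.168.5.3 destination come from the rules above.

```python
# Added example: models the Step 6 NAT forward rules and reviews them.
# Not code from the wiki page, pfSense or Mailcow. Alias contents and the
# checked connections are constructed; ports/descriptions are the lesson's.
import ipaddress
from typing import List, Optional

# Constructed alias contents (documentation ranges as placeholders); in
# pfSense this is the mailserver_trusted_clients alias built in Lesson 1.
ALIASES = {
    "any": ["0.0.0.0/0"],
    "mailserver_trusted_clients": ["203.0.113.0/24", "198.51.100.7"],
}
# (destination port, source alias, pfSense description) for rules 1 to 8.
RULES = [
    (25, "any", "NAT Forward Postfix SMTP to Mailcow"),
    (465, "mailserver_trusted_clients", "NAT Forward Postfix SMTPS to Mailcow"),
    (587, "mailserver_trusted_clients", "NAT Forward Postfix Submission to Mailcow"),
    (143, "mailserver_trusted_clients", "NAT Forward Dovecot IMAP to Mailcow"),
    (993, "mailserver_trusted_clients", "NAT Forward Dovecot IMAPS to Mailcow"),
    (110, "mailserver_trusted_clients", "NAT Forward Dovecot POP3 to Mailcow"),
    (995, "mailserver_trusted_clients", "NAT Forward Dovecot POP3S to Mailcow"),
    (4190, "mailserver_trusted_clients", "NAT Forward Dovecot ManageSieve to Mailcow"),
]
CLEARTEXT = {25: "SMTP", 143: "IMAP", 110: "POP3"}  # not encrypted by default


def source_matches(alias: str, src_ip: str) -> bool:
    """True if src_ip falls inside any network listed under the alias."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in ALIASES[alias])


def forwarded(src_ip: str, dst_port: int) -> Optional[str]:
    """Description of the first rule that forwards this TCP connection to
    Mailcow, or None. pfSense evaluates top to bottom; first match wins."""
    for port, alias, desc in RULES:
        if port == dst_port and source_matches(alias, src_ip):
            return desc
    return None


def review(rules=RULES) -> List[str]:
    """Findings to look at before enabling the rule set on the WAN."""
    findings = []
    for port, alias, desc in rules:
        if port != 25 and "0.0.0.0/0" in ALIASES[alias]:
            findings.append(f"{port}: reachable from every source ({desc})")
        if port in (110, 995):
            findings.append(f"{port}: POP3 rule, the lesson says use IMAP ({desc})")
        elif port in CLEARTEXT and port != 25:
            findings.append(f"{port}: cleartext {CLEARTEXT[port]}, prefer TLS port ({desc})")
    return findings
```

With the rule set exactly as written in this step, <code>review()</code> flags ports 143, 110 and 995; an alias that accidentally contains <code>0.0.0.0/0</code> would additionally flag every rule that uses it.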