29.3  Firewall

Quite often, Kerio MailServer is installed on a local network protected by a firewall, or directly on the firewall host. To ensure connectivity in these cases, the system administrator has to make several settings.

Ports

If the MailServer is to be accessible from the Internet, certain ports have to be opened (mapped) in the firewall. Generally, any open port means a security hole; therefore, the fewer mapped ports you have, the better.

When mapping ports for Kerio MailServer the following rules should be followed:

  • Port 25 must be mapped if you would like the SMTP server to be accessible from the Internet. This must be done if an MX record for the given domain (or domains) points to the MailServer. In this case it is necessary to enable antispam protection (see chapter 13  Antispam control of the SMTP server) and relay control (see chapter 12.2  SMTP server), so that the MailServer cannot be misused. Any SMTP server on the Internet must be able to connect to your SMTP server to send email to one of the local domains; for this reason access to port 25 must not be restricted to a selected IP address group.

    If all incoming mail is to be downloaded from remote POP3 mailboxes, port 25 does not need to be opened.

  • Ports for other services (POP3, IMAP, HTTP, LDAP and Secure LDAP) need to be opened if clients wish to access their mailboxes from locations other than the protected local network (typically notebook users). In this case we strongly recommend using only secure versions of all services and opening only the appropriate ports on the firewall (i.e. 636, 443, 993, 995).

  • If subnets or IP address ranges from which remote clients connect can be defined, we recommend allowing access to these ports only from those addresses. This is not possible if users travel worldwide and connect to the Internet through many different ISPs.
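
The three rules above can be expressed as a small inbound policy: port 25 open to any source whenever an MX record points at the server, the secure client ports (636, 443, 993, 995) open only from the defined client subnets, and everything else (including the plaintext variants 389, 80, 143, 110) closed. The following Python is an added example, not part of the Kerio MailServer manual; the class name, the sample addresses and the "mail fetched via POP3" flag are constructed for illustration.

```python
"""Model of this section's port-mapping rules as an inbound firewall policy."""
import ipaddress
from dataclasses import dataclass, field

# Port numbers named in the manual: secure client services and SMTP.
SECURE_CLIENT_PORTS = {636: "LDAPS", 443: "HTTPS", 993: "IMAPS", 995: "POP3S"}
PLAINTEXT_PORTS = {389: "LDAP", 80: "HTTP", 143: "IMAP", 110: "POP3"}
SMTP_PORT = 25


@dataclass
class MailFirewallPolicy:
    # True when an MX record points at this server; False when all incoming
    # mail is downloaded from remote POP3 mailboxes and port 25 stays closed.
    receives_mx_mail: bool
    # Subnets remote clients connect from. An empty list means the users
    # roam worldwide, so the secure ports must be reachable from any source.
    client_networks: list = field(default_factory=list)

    def _from_known_client(self, src_ip: str) -> bool:
        nets = [ipaddress.ip_network(n) for n in self.client_networks]
        return not nets or any(ipaddress.ip_address(src_ip) in n for n in nets)

    def decide(self, src_ip: str, dst_port: int) -> tuple:
        """Return (allowed, reason) for one inbound TCP connection attempt."""
        if dst_port == SMTP_PORT:
            # Any SMTP server on the Internet may deliver mail, so there is no
            # source restriction; relay and antispam control protect the server.
            if self.receives_mx_mail:
                return True, "SMTP: MX points here, open to any source"
            return False, "SMTP: mail is fetched via POP3, port 25 not mapped"
        if dst_port in SECURE_CLIENT_PORTS:
            name = SECURE_CLIENT_PORTS[dst_port]
            if self._from_known_client(src_ip):
                return True, f"{name}: remote client access"
            return False, f"{name}: source outside the defined client networks"
        if dst_port in PLAINTEXT_PORTS:
            return False, f"{PLAINTEXT_PORTS[dst_port]}: plaintext variant not mapped"
        return False, "port not mapped"


if __name__ == "__main__":
    # Constructed sample: MX points here, clients connect from one office subnet.
    policy = MailFirewallPolicy(True, ["198.51.100.0/24"])
    for src, port in [("203.0.113.7", 25), ("198.51.100.9", 993),
                      ("203.0.113.7", 993), ("198.51.100.9", 143)]:
        print(src, port, *policy.decide(src, port))
```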

Dial-up Connection

If Kerio MailServer and a firewall run on the same machine that is connected to the Internet via a dial-up line, it may be required that the MailServer use a different dial-up connection (e.g. via a different ISP) than the firewall for accessing the Internet. The firewall then has to know both of these connections; otherwise it will block the packets going through the connection used by the MailServer (the firewall lets no unknown packet pass, neither outgoing nor incoming).