2.3  Firewall configuration

Kerio MailServer is usually installed in a local network behind a firewall. In addition to configuring the mailserver, you must also configure the firewall accordingly.

If the MailServer is to be accessible from the Internet, certain ports have to be opened (mapped) in the firewall. Each mapped port might introduce security problems. Therefore, map ports only for those services which you want to make available from the Internet.

If the server is supposed to deliver email directly using DNS MX records, it is necessary to map port 25 (the standard port for the SMTP service). This setting is required where an MX record for the particular domain points to the server. Any SMTP server on the Internet can then connect to your SMTP server to send email to one of its domains.

Next, map the ports that will be used for connections out of the local network. Since the security risk is higher here, it is recommended to map only SSL/TLS-secured services. The settings are shown in Table 2.1, Services to be allowed on the firewall.

Service (default port)   Outgoing connection   Incoming connection
SMTP (25)                allow                 allow
SMTPS (465)              allow                 allow
POP3 (110)               allow                 deny
POP3S (995)              allow                 allow
IMAP (143)               allow                 deny
IMAPS (993)              allow                 allow
NNTP (119)               allow                 deny
NNTPS (563)              allow                 allow
LDAP (389)               allow                 deny
LDAPS (636)              allow                 allow
HTTP (80)                allow                 deny
HTTPS (443)              allow                 allow

Table 2.1. Services to be allowed on the firewall
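
The following is an added example, not part of the Kerio documentation: a small audit that checks a firewall's port mappings against the incoming column of Table 2.1. It assumes a Linux gateway whose mappings are DNAT rules in `iptables-save` output; the sample ruleset, the address 192.168.1.10 and the choice to report ports missing from the table are assumptions made for the illustration.

```python
import shlex

# Incoming-connection column of Table 2.1: port -> (service, policy)
INCOMING = {
    25: ("SMTP", "allow"), 465: ("SMTPS", "allow"),
    110: ("POP3", "deny"), 995: ("POP3S", "allow"),
    143: ("IMAP", "deny"), 993: ("IMAPS", "allow"),
    119: ("NNTP", "deny"), 563: ("NNTPS", "allow"),
    389: ("LDAP", "deny"), 636: ("LDAPS", "allow"),
    80: ("HTTP", "deny"), 443: ("HTTPS", "allow"),
}

# Constructed sample in iptables-save format (not taken from a real system)
SAMPLE = """\
*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.1.10:25
-A PREROUTING -i eth0 -p tcp -m multiport --dports 993,995 -j DNAT --to-destination 192.168.1.10
-A PREROUTING -i eth0 -p tcp -m tcp --dport 143 -j DNAT --to-destination 192.168.1.10:143
-A PREROUTING -i eth0 -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 192.168.1.10
-A PREROUTING -i eth0 -p tcp -m tcp --dport 109:110 -j DNAT --to-destination 192.168.1.10
COMMIT
"""

def mapped_ports(line):
    """Return the TCP destination ports of one DNAT (port-mapping) rule."""
    tok = shlex.split(line)
    if "DNAT" not in tok or "tcp" not in tok:
        return set()
    ports = set()
    for flag in ("--dport", "--dports"):
        if flag in tok:
            for part in tok[tok.index(flag) + 1].split(","):
                lo, _, hi = part.partition(":")  # "109:110" is a port range
                ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def audit(ruleset):
    """Return (port, service) for every mapping Table 2.1 does not allow inbound."""
    findings = []
    for line in ruleset.splitlines():
        for port in sorted(mapped_ports(line)):
            # Assumption: a port absent from the table is reported for review
            service, policy = INCOMING.get(port, ("unlisted", "deny"))
            if policy == "deny":
                findings.append((port, service))
    return findings

if __name__ == "__main__":
    for port, service in audit(SAMPLE):
        print(f"port {port} ({service}) is mapped but not allowed for incoming connections")
```

Run against the real output of `iptables-save`, an empty result means every mapped TCP port is one that Table 2.1 allows for incoming connections.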