[SOLVED] What to confirm firewall ports and client settings

[yonatan]

If I want to offer external access to my Zimbra server with the web client and IMAP I need to open these two ports:

HTTPS 443
IMAP SSL 993

However, I'm not sure about SMTP. Is it enought to open port 25 or should I also open 587? Can someone please explain.

Finally, client mail application settings.

This is going to sound silly, but in a single server setup am I correct that the incoming and outgoing mail servers are the same, i.e. mail.mydomain.com? I was looking at my personal Apple me.com setup and the servers are different, i.e. mail.me.com and smtp.me.com.

Also, should the connection for outgoing mail use SSL and/ or authentication or neither?

Thanks

[phoenix]

However, I'm not sure about SMTP. Is it enought to open port 25 or should I also open 587? Can someone please explain.

Port 25 (SMTP port) is is the port that MTAs (mail servers) communicate by, port 587 is the Submission port that c;ients use to submit mail to your server for a local user or for relay to another server.

This is going to sound silly, but in a single server setup am I correct that the incoming and outgoing mail servers are the same, i.e. mail.mydomain.com? I was looking at my personal Apple me.com setup and the servers are different, i.e. mail.me.com and smtp.me.com.

It should be the same whether it's a single or multiple server, what you've mentioned here is just a DNS entry to point the client at the location of your server (although it may also be a different outbound only server).

Also, should the connection for outgoing mail use SSL and/ or authentication or neither?

What do you mean by 'outgoing mail'? If you mean my sent by a client connected to your computer then the setting for SSL etc. is up to you (the Admin).

[yonatan]

Port 25 (SMTP port) is is the port that MTAs (mail servers) communicate by, port 587 is the Submission port that c;ients use to submit mail to your server for a local user or for relay to another server.

Ok, let me see if I got this. Port 25 (SMTP) definitely needs to be open. The submission port (587) is for users on mydomain.com when they use a mail application. So, if I don't open 587 then my users will not be able to send mail?

What do you mean by 'outgoing mail'? If you mean my sent by a client connected to your computer then the setting for SSL etc. is up to you (the Admin).

Sorry phoenix. What I meant was when I setup a user's mail application, i.e. Apple Mail.app for the field "Outgoing mail server (SMTP):" I write mydomain.com. My question was whether this connection should also use SSL otherwise email submitted from my users to my Zimbra server is not secure, right?

[phoenix]

So, if I don't open 587 then my users will not be able to send mail?

That would be true for user outside your LAN.

My question was whether this connection should also use SSL otherwise email submitted from my users to my Zimbra server is not secure, right?

I understood the question, the decision on whether you use SSL is yours and the connection won't be secure if you don't use SSL (believe it or not, some people don't ).

[yonatan]

Just got my internet connection back! ISP's DNS servers down

That would be true for user outside your LAN.

Can you please explain why a user on the LAN would be able to send, but not a user on the WAN.

I understood the question, the decision on whether you use SSL is yours and the connection won't be secure if you don't use SSL (believe it or not, some people don't ).

Sure I understand. Obviously, I'm looking to secure the communication as much as possible and reasonable. The point about some people not using SSL is interesting as my current email hosting provider, e.g. ISP specifically says not to enable SSL on the outgoing mail server connection.

[phoenix]

Can you please explain why a user on the LAN would be able to send, but not a user on the WAN.

You've already answered that yourself, if the port isn't open they won't be able to connect from outside the LAN to send mail whereas the LAN user should be able to connect and can send mail.

Sure I understand. Obviously, I'm looking to secure the communication as much as possible and reasonable. The point about some people not using SSL is interesting as my current email hosting provider, e.g. ISP specifically says not to enable SSL on the outgoing mail server connection.

There is no reason not to enable SSL for any connection on the internet and as far as I'm concerned it's irresponsible to not use it.

[yonatan]

You've already answered that yourself, if the port isn't open they won't be able to connect from outside the LAN to send mail whereas the LAN user should be able to connect and can send mail.

Hehe, sometimes it's easier to just pick up the phone and call

Let me try to clear up the confusion. Let's make it easy and say that on the LAN there are no firewall restrictions e.g. ports 25 and 587 as well as others are open. At the moment a user's mail application is configured to send mail on port 25. Is this incorrect? Should all sent mail go to 587?

[phoenix]

Hehe, sometimes it's easier to just pick up the phone and call

Let me try to clear up the confusion. Let's make it easy and say that on the LAN there are no firewall restrictions e.g. ports 25 and 587 as well as others are open. At the moment a user's mail application is configured to send mail on port 25. Is this incorrect?

Strictly speaking, yes, that's incorrect - all mail from a client connection (i.e. your users Outlook, Thunderbird etc.) should be sent via port 587. There are plenty of examples on the internet that allow sending via port 25.

Should all sent mail go to 587?

That would be my advice, teach your users some good email practice.

[yonatan]

Strictly speaking, yes, that's incorrect - all mail from a client connection (i.e. your users Outlook, Thunderbird etc.) should be sent via port 587. There are plenty of examples on the internet that allow sending via port 25.

That would be my advice, teach your users some good email practice.

phoenix you're a star! I will make the necessary changes ASAP!

[SpaceBass]

I'm using port 25 only, with ssl, internally and externally.
Considering migrating to 587 after reading this and as the result of some outbound 25 blocking that I'm seeing elsewhere.