Ports 80 & 443 for mx1 - let's encrypt

Discussion in 'Installation/Configuration' started by Jim Locke, Nov 10, 2025.

  1. Jim Locke

    Jim Locke Member

    Just a quick question

    Multiserver setup etc. Does mx1 actually need 80/443 for anything other than Let's Encrypt? Webmail is a separate server.
    I'm just trying to lock it down, seeing lots of traffic hitting those 2 ports. I was thinking of setting a firewall rule allowing the Let's Encrypt hosts through on those ports only (acme-v01.api.letsencrypt.org, acme-staging.api.letsencrypt.org, acme-v02.api.letsencrypt.org, acme-staging-v02.api.letsencrypt.org).

    TIA
    Jim..
     
  2. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    You should not need to keep it open on the MX server even for LE, at least that was how I coded it in the early integration with ISPConfig.

    Then, the LE script should open the ports only when it needs to validate the domain for the MX server while getting the certs, and close them immediately thereafter, both using hooks before and after the LE request.

    However, the code evolved on ISPConfig and I am not so sure how it is nowadays, so for that you have to check the code itself.

    Personally, I use the DNS challenge on mine, even on a web server; tips and tricks I shared a very long time ago.
     
  3. remkoh

    remkoh Active Member HowtoForge Supporter

    Not only that.

    Also using the DNS challenge, so no clue how it acts nowadays exactly.
    Let's say it hasn't changed: if you have an external (edge) firewall you would still need those ports to be opened there.
    Also, if a webserver is installed I'm almost certain a web challenge will always be used. Even when your webserver isn't active.
     
  4. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    This should be true, if I remember correctly: when a webserver exists, the default is to use the webserver to obtain LE certs, and only when it does not exist will standalone mode be used, at least that was how I coded it originally.

    Also, if I remember correctly as well, only the hooks in standalone mode open and close those ports, before and after obtaining the LE certs, though this may be customized.
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    Port 80 must be open for LE re-validation; port 443 is not needed. If your system is installed without a web server, then the standalone mode of certbot or acme.sh is being used.
     
    remkoh likes this.
  6. Jim Locke

    Jim Locke Member

    The only things installed are whatever the script installed (haven't looked yet). Just trying to secure things before going into production (on hold until rDNS is fixed by the ISP (a real mess)). As for the ports, I only opened the same ports on my firewall as done in the ISPC ufw (excluding 22 of course).

    jim..
     
    Last edited: Nov 11, 2025
  7. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    To be certain, what command did you use to install the MX server? Did you follow this guide: https://www.howtoforge.com/tutorial/ispconfig-multiserver-setup-debian-ubuntu/3/#-installing-ispconfig? There it uses the command "wget -O - https://get.ispconfig.org | sh -s -- --no-dns --no-roundcube --no-mailman --use-php=system --use-unbound --interactive" but it does not exclude the default web server installation, which is apache2, so to confirm, check whether apache2 is installed on your server.

    To exclude it one must use "--no-web" to tell the installer "do not use ISPConfig on this server to manage webserver setting and don't install nginx/apache or pureftpd" as prescribed in the autoinstaller guide: https://www.howtoforge.com/ispconfig-autoinstall-debian-ubuntu/ and maybe only then will the standalone mode be used as default, with the hooks that I mentioned. You can see the pre and post hook scripts for standalone, where it opens port 80 before obtaining LE certs and closes it afterwards, here: https://git.ispconfig.org/ispconfig/ispconfig3/-/tree/develop/server/scripts.
     
  8. Jim Locke

    Jim Locke Member

    Confirmed the install script is that one (nice that I keep 99% of commands in a file per server for troubleshooting lol)
    and yes, (apt list --installed) shows apache 2.4.58 installed and pureftpd 1.0.50_2.
     
    ahrasis likes this.
  9. remkoh

    remkoh Active Member HowtoForge Supporter

    Then acme.sh will use your webserver for renewal challenges, even if the webserver is not active (and thus challenges will fail), and not use the standalone option.
     
    Jim Locke likes this.
  10. Jim Locke

    Jim Locke Member

    Thus port 80 is mandatory then. Okay, thanks to ALL who replied for the good info. Having a good understanding of why helps with how I protect at the fw level.

    Jim..
     
  11. remkoh

    remkoh Active Member HowtoForge Supporter

    Yes

    But ... you started the thread mentioning a multiserver setup. Does that include DNS servers hosting the domain(s) in the mx1 server certificate in question?

    If so, I would set up the possibility to use DNS challenges in ISPConfig and alter the certificate's conf file accordingly.
    Then you don't need port 80 anymore.
     
  12. Jim Locke

    Jim Locke Member

    Host: mycompanya has DNS on GoDaddy, with 'A' records for each server, 'ns1.mycompanya.com' etc.
    Hosted: mycompanyb has ns1.mycompanya.com etc.
    Hosted: mycompanyc has ns1.mycompanya.com etc.
    So the cert for mx1.mycompanya.com will be required; that would be where I may have an issue with the DNS challenge. I really haven't gotten that far ahead yet since I'm still waiting for my reverse pointers to be fixed. Right now I'm just looking for issues that need to be taken care of and watching for security things, thus the port question.
     
  13. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    If you continue with the current one, yes, as @remkoh confirmed. However, if you redo the VM for the MX server with the --no-web option, then port 80 is not mandatory as far as I remember, as acme.sh should also use standalone with the said hooks (to open when needed and close thereafter, both on getting and renewing it). But as I said, the code evolved, so I cannot confirm this unless I see the current code, which I do not know where it is now (maybe moved to another file), since I cannot see it in the install.php where it used to be. The point is, if you do not want port 80 to be abused, the standalone setup and not the web server setup is more appropriate and may be safer.
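    The open-before/close-after pattern that ahrasis describes for standalone mode, written out as an added example; this is a constructed hook script, not ISPConfig's own pre/post scripts from the repository linked above. It assumes ufw is the host firewall (as the ISPConfig installer sets up), that port 80/tcp is otherwise not allowed, and an install path of /usr/local/sbin/acme-port-hook (hypothetical). It is the defensive alternative to an allow-list of fixed source hosts: the acme-v02.api.letsencrypt.org names from the first post are the API endpoints the client talks to outbound, and the inbound HTTP-01 validation requests come from validation servers whose addresses Let's Encrypt does not publish, so the useful control is how long the port is open, not who may reach it.

    ```shell
    #!/bin/sh
    # Added example (not ISPConfig's own hook scripts): open port 80/tcp in ufw
    # only for the duration of a standalone HTTP-01 challenge, then close it.
    # Assumptions: ufw is the host firewall; port 80 is otherwise not allowed;
    # installed as /usr/local/sbin/acme-port-hook (hypothetical path).
    #
    # Usage with certbot (both hooks are real certbot options):
    #   certbot certonly --standalone -d mx1.example.com \
    #       --pre-hook  "/usr/local/sbin/acme-port-hook pre" \
    #       --post-hook "/usr/local/sbin/acme-port-hook post"
    # acme.sh accepts the same --pre-hook / --post-hook options on --issue.

    PORT="${ACME_HTTP_PORT:-80}"   # port the standalone listener binds

    # Execute a command, or only print it when ACME_HOOK_DRY_RUN=1 (for testing
    # the hook without touching the firewall).
    run() {
        if [ "${ACME_HOOK_DRY_RUN:-0}" = "1" ]; then
            printf '%s\n' "$*"
        else
            "$@"
        fi
    }

    # Pre-hook: allow inbound HTTP so the validation request can reach the
    # standalone listener.
    acme_pre_hook() {
        run ufw allow "${PORT}/tcp"
    }

    # Post-hook: remove the rule again. Both certbot and acme.sh run the
    # post-hook after every attempt, successful or not, so a failed issuance
    # does not leave the port open.
    acme_post_hook() {
        run ufw delete allow "${PORT}/tcp"
    }

    # Audit helper: true if the allow rule is currently present. Useful from
    # cron or a monitoring check to catch a post-hook that never ran.
    acme_port_is_open() {
        ufw status | grep -q "^${PORT}/tcp[[:space:]]*ALLOW"
    }

    case "${1:-}" in
        pre)   acme_pre_hook ;;
        post)  acme_post_hook ;;
        check) if acme_port_is_open; then
                   echo "port ${PORT}/tcp is OPEN"; exit 2
               else
                   echo "port ${PORT}/tcp is closed"
               fi ;;
        "")    : ;;   # run with no argument: only define the functions
        *)     echo "usage: $0 pre|post|check" >&2; exit 1 ;;
    esac
    ```

    The dry-run switch is there so the hook can be exercised on a test host before it is wired into the renewal cron job; the check subcommand exits non-zero while the rule exists, which makes it easy to alert if a renewal run opened the port and never closed it.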
     
  14. Jim Locke

    Jim Locke Member

    Right now I have 80 open only for the LE folks (FQDNs) and hopefully when I'm ready to put mx1 into prod I'll just rerun (have to reread) the script to get the cert.
     
    ahrasis likes this.
  15. remkoh

    remkoh Active Member HowtoForge Supporter

    Acme.sh supports many DNS challenges. Not sure if GoDaddy is among those.

    I host my own DNS servers and domains on those and therefore use ISPConfig DNS challenges.
     