Few important questions about server

Discussion in 'Installation/Configuration' started by Poliman, Oct 26, 2018.

  1. Poliman

    Poliman Member

    Hello. I set up a new fresh server using Perfect Server based on Ubuntu 18.04 with Apache. I would like to know:
    1. What is an "open relay" mail server? Is that a server with all ports opened or something?
    2. Can I block port 25 without consequences?
    3. Which ports should I open (I am going to use ufw):
    a) ftp 21 + passive port range configured in pure-ftpd
    b) www 80, 443
    c) pop3 - 110, 995
    d) imap - 143, 993
    e) smtp - 587, 465, 25 - is this port used for communication between servers, or can it be blocked?
    f) I am going to have a few Node servers there, so ports 3000 - 3010 also?
     
    Last edited: Oct 26, 2018
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    1. Use wikipedia: https://en.wikipedia.org/wiki/Open_mail_relay
    2. Short answer: No. Long answer: services trying to use port 25 can no longer work.
    3. You need to open those ports that you need. I do not know what those are. I'm sure you can find on Wikipedia the ports those services use.
    That point f) I do not understand. Do you have some unnamed service that uses those ports?
     
  3. Poliman

    Poliman Member

    1. Thank you, I thought open relay means that the server is not secured enough.
    2. Ok, I can't block it, but I have two ports for SMTP on the server - 587 and 465. Where is 25 used?
    3. I asked the question wrongly. I mean, if I opened the ports from my first post, would that be enough for services like ftp, mail, www to work for clients?
    f) Yes, I will have some Node.js applications there. The Node server will use a specific port, and ProxyPass in the Apache vhost file will redirect the frontend to the specific domain which uses this Apache vhost. Should I open these ports in the firewall to make the Node servers work?

    PS
    Moreover, I suppose I should open port 8080 as ISP uses it, and then enable ufw in the ISP setup. Am I right?
     
    Last edited: Oct 26, 2018
  4. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    1. Thank you, I thought open relay means that the server is not secured enough.
    2. Ok, I can't block it, but I have two ports for SMTP on the server - 587 and 465. Where is 25 used?


    1. It does. It means that anyone, from anywhere, can send any email they want through your mailserver, using any source address and any destination address. If your mailserver is an open relay it won't take long for it to stop sending mail to almost every other mailserver, simply because it'll be on a load of blacklists. You secure your server with various sender/recipient/domain restrictions.

    2. You have 3 ports for SMTP: 25, 465, and 587. Typically 465 and 587 would be for authenticated access, and ideally SSL or TLS encryption.
    Customers would provide username/password in order to send mail; unauthenticated mail would get rejected.
    Port 25 is where other mailservers would connect to pass mail from their mail queue to your server.
    Typically your server would only accept mail for domains you are responsible for.
    If you are responsible for e.g. example.com and example.net, it would only accept mail for *@example.com/net.
    If it accepted mail for *@gmail.com, your server would then have to try to connect to gmail to pass that email to their servers, making your server a relay server.
     
    Poliman likes this.
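    The "sender/recipient/domain restrictions" mentioned above live in Postfix's main.cf. As an added example (not code from the thread or from ISPConfig), here is a small defensive check that parses a main.cf and flags the two classic open-relay indicators: a `mynetworks` that trusts the whole internet, and a relay restriction list that never reaches `reject_unauth_destination` (or reaches it only after an unconditional `permit`). Both config samples are constructed for illustration; the function names are this example's own.

```python
import re

# Constructed sample: a Postfix main.cf that would relay for anyone.
OPEN_MAIN_CF = """
myhostname = mail.example.com
mydestination = $myhostname, example.com, example.net
mynetworks = 0.0.0.0/0
smtpd_relay_restrictions = permit_mynetworks, permit
smtpd_recipient_restrictions = permit_mynetworks, permit
"""

# Constructed sample: the same server with the usual relay controls in place.
RESTRICTED_MAIN_CF = """
myhostname = mail.example.com
mydestination = $myhostname, example.com, example.net
mynetworks = 127.0.0.0/8 [::1]/128
smtpd_relay_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
smtpd_recipient_restrictions = reject_unknown_recipient_domain
"""

# Either of these tokens stops relaying to domains the server is not responsible for.
RELAY_REJECTS = ('reject_unauth_destination', 'defer_unauth_destination')


def parse_main_cf(text):
    """Parse 'key = value' lines into a dict. Postfix treats a line that starts
    with whitespace as a continuation of the previous value, so join those."""
    params = {}
    key = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue
        if raw[0] in ' \t' and key is not None:
            params[key] = (params[key] + ' ' + raw.strip()).strip()
            continue
        m = re.match(r'^([\w.]+)\s*=\s*(.*)$', raw)
        if m:
            key, value = m.group(1), m.group(2).strip()
            params[key] = value
    return params


def restriction_tokens(value):
    """Split a comma/whitespace separated restriction list into its tokens."""
    return value.replace(',', ' ').split()


def relay_findings(text):
    """Return human-readable findings; an empty list means no obvious
    open-relay indicator was found in mynetworks or the relay restrictions."""
    p = parse_main_cf(text)
    findings = []

    nets = p.get('mynetworks', '')
    # A world-covering network makes every client a trusted relay client.
    if re.search(r'(^|\s)(0\.0\.0\.0/0|::/0)(\s|$)', nets):
        findings.append('mynetworks trusts the whole internet: ' + nets)

    # Postfix 2.10+ controls relaying in smtpd_relay_restrictions (its default
    # already contains defer_unauth_destination); older versions rely on
    # smtpd_recipient_restrictions. Check whichever the admin has set.
    name = ('smtpd_relay_restrictions' if 'smtpd_relay_restrictions' in p
            else 'smtpd_recipient_restrictions')
    if name not in p:
        findings.append('no relay restriction list is set; this is only safe '
                        'with the Postfix 2.10+ default smtpd_relay_restrictions')
        return findings

    toks = restriction_tokens(p[name])
    reject_at = next((i for i, t in enumerate(toks) if t in RELAY_REJECTS), None)
    permit_at = next((i for i, t in enumerate(toks) if t == 'permit'), None)
    # Restrictions are evaluated left to right: the relay reject must exist,
    # and an unconditional 'permit' before it makes it unreachable.
    if reject_at is None:
        findings.append(f'{name} never rejects unauthorized destinations: {p[name]}')
    elif permit_at is not None and permit_at < reject_at:
        findings.append(f'{name} permits everything before the relay reject: {p[name]}')
    return findings


if __name__ == '__main__':
    for label, cfg in (('open', OPEN_MAIN_CF), ('restricted', RESTRICTED_MAIN_CF)):
        print(label, relay_findings(cfg) or 'no findings')
```

    Run it against the server's real /etc/postfix/main.cf (`relay_findings(open('/etc/postfix/main.cf').read())`) after any change to the restriction lists; `postconf -n` output parses the same way. The check deliberately does not try to connect to any mail server: it reads configuration only.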
  5. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

  6. Poliman

    Poliman Member

    Thank you guys. On the website from the above link I see that port 20 should be opened. I thought that it is better for FTP data to set a passive port range and unlock those ports in the firewall - active vs passive mode.

    PS
    I suppose that website should also contain port 465. ;) Moreover, this list of ports available to open should also contain 10024, 10025, 10026, which are used by amavisd/postfix.
     
    Last edited: Oct 29, 2018
  7. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    Or 587 with TLS (preferred).
    No, those ports are only used by the server itself, they do not accept connections from the internet, and hence do not need to be allowed in your firewall rules. Same for your nodejs ports.
     
    Poliman likes this.
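    The distinction above (public ports get a ufw rule; amavisd/postfix's 10024-10026 and the Node.js ports should only ever be reached by the server itself) is easy to verify on the box. As an added example, not code from the thread or from ISPConfig, the script below parses `ss -lntp`-style listener lines, emits the `ufw allow` rules for the public ports named in this thread, and flags an internal-only service that is bound to a non-loopback address (such a service is protected only by the firewall, whereas binding it to 127.0.0.1 and fronting it with Apache's ProxyPass protects it even if ufw is ever disabled). The sample output is constructed, the passive FTP range 40110-40210 is an assumption standing in for whatever pure-ftpd is configured with, and 8080 is included only because the thread assumes the ISPConfig panel listens there.

```python
import re

# Constructed sample in the shape of 'ss -H -lntp' output for the server
# described in the thread (mail, web, ISPConfig panel, amavisd, one Node app).
SS_OUTPUT = """\
LISTEN 0 100 0.0.0.0:25      0.0.0.0:* users:(("master",pid=1201,fd=13))
LISTEN 0 100 0.0.0.0:587     0.0.0.0:* users:(("master",pid=1201,fd=17))
LISTEN 0 100 0.0.0.0:465     0.0.0.0:* users:(("master",pid=1201,fd=19))
LISTEN 0 511 *:80            *:*       users:(("apache2",pid=1330,fd=4))
LISTEN 0 511 *:443           *:*       users:(("apache2",pid=1330,fd=6))
LISTEN 0 511 *:8080          *:*       users:(("apache2",pid=1330,fd=8))
LISTEN 0 100 127.0.0.1:10024 0.0.0.0:* users:(("amavisd",pid=1410,fd=5))
LISTEN 0 100 127.0.0.1:10025 0.0.0.0:* users:(("master",pid=1201,fd=21))
LISTEN 0 100 127.0.0.1:10026 0.0.0.0:* users:(("master",pid=1201,fd=23))
LISTEN 0 511 *:3000          *:*       users:(("node",pid=1555,fd=18))
"""

# Ports the thread agrees should be reachable from the internet.
PUBLIC_PORTS = {21, 25, 80, 443, 110, 995, 143, 993, 465, 587, 8080}
# Assumed pure-ftpd passive range; substitute the value from pure-ftpd's config.
PUBLIC_RANGES = [(40110, 40210)]
# Used only by the server itself: amavisd/postfix hand-off and the Node apps.
LOOPBACK_ONLY = set(range(10024, 10027)) | set(range(3000, 3011))


def parse_listeners(text):
    """Yield (host, port, process) for each LISTEN line; the process name is
    taken from the users:(("name",...)) column when present."""
    out = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != 'LISTEN':
            continue
        host, port = fields[3].rsplit(':', 1)
        proc = re.search(r'\("([^"]+)"', line)
        out.append((host, int(port), proc.group(1) if proc else '?'))
    return out


def is_loopback(host):
    """True for 127.x.x.x and ::1; '*' and 0.0.0.0 / :: mean every address."""
    h = host.strip('[]')
    return h == '::1' or h.startswith('127.')


def audit(text):
    """Return the ufw rules to add for public listeners, plus two kinds of
    findings: internal-only services bound beyond loopback, and listeners on
    ports this policy does not know about."""
    ufw, exposed_internal, unexpected = [], [], []
    for host, port, proc in parse_listeners(text):
        public = port in PUBLIC_PORTS or any(lo <= port <= hi for lo, hi in PUBLIC_RANGES)
        if public:
            rule = f'ufw allow {port}/tcp'
            if rule not in ufw:
                ufw.append(rule)
        elif port in LOOPBACK_ONLY:
            if not is_loopback(host):
                exposed_internal.append(
                    f'{proc} on {host}:{port} should bind to 127.0.0.1 and be '
                    f'reached through an Apache ProxyPass, not the firewall')
        elif not is_loopback(host):
            unexpected.append(f'{proc} listens on {host}:{port}; not in the port policy')
    return {'ufw': ufw, 'exposed_internal': exposed_internal, 'unexpected': unexpected}


if __name__ == '__main__':
    result = audit(SS_OUTPUT)
    print('\n'.join(result['ufw']))
    for msg in result['exposed_internal'] + result['unexpected']:
        print('WARNING:', msg)
```

    On a live server, feed it the real output: `audit(subprocess.run(['ss', '-H', '-lntp'], capture_output=True, text=True).stdout)`. The rules it prints are what to apply before `ufw enable`; the warnings are what to fix in the service's own bind address (for the Node app, listen on 127.0.0.1 and let the vhost's ProxyPass reach it there).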
  8. Poliman

    Poliman Member

    Thank you for the advice. I will do as you said. Btw, don't open 465? Could you tell me why 587 with TLS is better than 465? I would like to extend my knowledge. ;)
     
  9. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    This is my rambling, with no references, and possibly inaccurate, but the ssl on port 465 is an older setup, deprecated by port 587, in a "get something working, then do it right" fashion. Some older equipment/clients only support port 465 and it has to be used, but those are pretty few, and I always use port 587 when available, which is the official mail submission port.
     
    Poliman likes this.
  10. Poliman

    Poliman Member

    Ok, thank you. ;)
     
  11. Poliman

    Poliman Member

    I suppose that website should also contain port 587. It isn't there.
     
  12. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    It is the e-mail server that uses port 587, not a website. Unless you have mucked about in the settings, but that would break e-mail I believe.
     
  13. Poliman

    Poliman Member

    Yes, I mean on the website where the list of ports is, there should also be port 587. :)
     