This is an example network diagram for deploying the Mailserver.
To configure the firewall, you need the following rules:

| service | source | destination | port | description |
|---|---|---|---|---|
| smtp | any | 10.0.2.11 | 25 | smtp for incoming mail delivery |
| https | any | 10.0.2.11 | 443 | https (for the webmail) is allowed from anywhere |
| pop3 | any | 10.0.2.11 | 110 | pop3 (if required) |
| imap | any | 10.0.2.11 | 143 | imap (if required) |
| smtps | any | 10.0.2.11 | 465 | smtps for authenticated email relay (submission is preferred for authenticated email relay and both are supported) |
| submission | any | 10.0.2.11 | 587 | submission for authenticated email relay |
| pop3s | any | 10.0.2.11 | 993 | pop3s (pop3 with SSL, if required) |
| imaps | any | 10.0.2.11 | 995 | imaps (imap with SSL, if required) |
| DNS | 10.0.2.11 | DNS server | 53 | The appliance needs DNS |
| NTP | 10.0.2.11 | NTP server(s)/any | 123(udp) | It's nice to keep the clock automatically synchronized |
| smtp | 10.0.2.11 | any / email server | 25 | The appliance needs to send emails, either via an email server or directly |
| updates | 10.0.2.11 | any | 80 & 443 | The appliance downloads updates over http and https |
| admin | 10.0.1.0/24 | 10.0.2.11 | 22 | Use specific management IPs if you can for SSH access to the appliance |
| webadmin | 10.0.1.0/24 | 10.0.2.11 | 4200 | Use specific management IPs if you can for webadmin access to the appliance |
In this example you will also need to configure the firewall for address translation - translating a public address to the private 10.0.2.11 address.
DNS determines where email is delivered: the MX record for a domain names the host that receives that domain's mail.
You can view the DNS settings with tools like nslookup and dig; online versions are available, for instance at http://www.iptools.com/. The following is example output for the MX records of example.com.
```
; <<>> DiG 9.3.4-P1.1 <<>> -t MX example.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11962
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;example.com. IN MX

;; ANSWER SECTION:
example.com. 21451 IN MX 1 mail.example.com.

;; AUTHORITY SECTION:
example.com. 21451 IN NS ns1.example.com.
example.com. 21451 IN NS ns2.example.com.

;; ADDITIONAL SECTION:
ns1.example.com. 21451 IN A 192.1.1.1
ns2.example.com. 21451 IN A 192.1.1.2

;; Query time: 1 msec
;; SERVER: 69.56.222.10#53(69.56.222.10)
;; WHEN: Mon Jan 19 22:21:33 2009
;; MSG SIZE rcvd: 150
```
Looking at this example, we can see that email for example.com should be delivered to mail.example.com. This needs to match the configuration for each domain that the mailserver is supposed to receive mail for. The DNS server needs to be configured first with the MX record, and then with the A record for the mailserver (mail.example.com in the example above). Please refer to the documentation for the DNS server for how to do this.
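An added example, not part of the original page or the appliance's own tooling: a Python check that reads record lines in dig's output format and confirms that a domain's preferred MX is the expected mail host and that every MX target has an address record. The sample records (including `backup.example.net` and `192.0.2.25`) are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample: record lines as printed by `dig -t MX example.com`
# followed by `dig -t A mail.example.com` (192.0.2.25 is a documentation address).
SAMPLE = """\
;; ANSWER SECTION:
example.com. 21451 IN MX 1 mail.example.com.
example.com. 21451 IN MX 10 backup.example.net.
;; ANSWER SECTION:
mail.example.com. 21451 IN A 192.0.2.25
"""

RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+(MX|A|AAAA|CNAME)\s+(.+)$")

def norm(name):
    """DNS names compare case-insensitively; drop the trailing root dot."""
    return name.lower().rstrip(".")

def parse_records(dig_text):
    """Return (owner, type, rdata) tuples, skipping dig's ';' comment lines."""
    records = []
    for line in dig_text.splitlines():
        m = RR.match(line.strip())
        if m and not line.lstrip().startswith(";"):
            records.append((norm(m.group(1)), m.group(2), m.group(3).strip()))
    return records

def check_mx(dig_text, domain, expected_host):
    """Return a list of problems; an empty list means MX and address records agree."""
    records = parse_records(dig_text)
    mx = sorted(
        (int(rdata.split()[0]), norm(rdata.split()[1]))
        for owner, rtype, rdata in records
        if owner == norm(domain) and rtype == "MX"
    )
    if not mx:
        return [f"no MX record for {norm(domain)}"]
    problems = []
    # The lowest preference number is tried first by sending servers.
    if mx[0][1] != norm(expected_host):
        problems.append(f"preferred MX is {mx[0][1]}, expected {norm(expected_host)}")
    for _, target in mx:
        types = {rtype for owner, rtype, _ in records if owner == target}
        if "CNAME" in types:
            problems.append(f"MX target {target} is a CNAME, not an address record")
        elif not types & {"A", "AAAA"}:
            problems.append(f"no A/AAAA record supplied for MX target {target}")
    return problems
```

An empty list only means the supplied output is consistent; feed it the output of both the MX query and the A query for each MX target, because a resolver is not required to return the address in the ADDITIONAL section.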
This is definitely possible. Following on from the example above, you can configure the MX record for example.com to point to myname.homeip.net and then use the Dynamic DNS configuration to set myname.homeip.net to the current IP address of the Mailserver.
A slight warning with this setup: a lot of mailservers on the Internet list home IP ranges as a likely source of spam. If you're using the mailserver on your home network, it might be better to relay outgoing emails via the ISP's mailserver to avoid being blocked as a potential spammer.