Postfix – Setting IPTables Rules Safely

Tags: iptables, postfix

I'm using IP Tables with these rules to allow postfix to send and receive with OpenDKIM encryption, but are they too permissive?

I'd prefer to not be a relay bot, or be leaving my server vulnerable.

  • I don't need POP3(110) because I'm not storing mail or managing mailboxes.
  • No need for secure POP3(995) either.
  • I don't need IMAP(143) because I'm not trying to access mail on a remote server.
  • No need for secure IMAP(993) either.
  • I do need SMTP(25) because I'm sending email,
  • and I need secure SMTP(465).

Rules for OpenDKIM DNS lookups to verify txt signatures via port 53 are okay.

I'm currently using these rules for Postfix:

$IPT -A INPUT -p tcp -m multiport --dports 25,465,587 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p tcp -m multiport --dports 25,465,587 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

INPUT 25 is intended to receive and initiate SMTP requests that may be promoted to 587.
NEW makes sense, is ESTABLISHED necessary?

INPUT/OUTPUT 465 was intended to receive SSL/SMTP but apparently it's reassigned by IANA to a new service, so I'll remove it.

INPUT 587 is for TLS/SMTP, the encrypted email we want.
NEW makes sense, is ESTABLISHED necessary?

OUTPUT 25 is intended to send plain SMTP
OUTPUT 587 is intended to send TLS/SMTP
NEW makes sense, but does ESTABLISHED?

Any help appreciated…

Best Answer

In all cases, you need to allow ESTABLISHED traffic. Otherwise, any connection attempt will not get completed. This has to be allowed on all chains like INPUT and OUTPUT and FORWARD (if you are using it).

If you don't allow it, you need to double your rules for every allowed connection to be allowed in both directions (connection and its reply and by switching IPs/ports).

Also, one ESTABLISHED rule is enough for every chain. You don't need to have one for every IP/port. Here is an example:

iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 25,465,587 -m conntrack --ctstate NEW -j ACCEPT
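A complete ruleset built around the single ESTABLISHED,RELATED rule per chain, in iptables-restore format, as an added example that is not part of the answer above. It assumes (not stated in the thread) that SSH on port 22 must stay reachable and that DNS resolvers are reached on port 53 for the OpenDKIM lookups; port 465 is left out as the question decided.

```shell
# Emit an iptables-restore ruleset for a Postfix host (constructed example).
# Assumptions not from the original thread: SSH on 22 is kept open, and
# DNS resolvers are reachable on UDP/TCP 53 for OpenDKIM lookups.
postfix_ruleset() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback: Postfix talks to OpenDKIM over localhost (milter socket).
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# One stateful rule per chain replaces ESTABLISHED on every port rule.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Drop packets conntrack cannot classify.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Inbound: SMTP (25) and submission (587) only; 465 omitted as decided above.
-A INPUT -p tcp -m multiport --dports 25,587 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Outbound: deliver mail (25/587) and resolve DKIM/MX records (53).
-A OUTPUT -p tcp -m multiport --dports 25,587 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
# Log what is left before the default DROP policy discards it.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# Sanity check: every chain that permits NEW connections must also carry
# the ESTABLISHED,RELATED rule, otherwise the replies are dropped.
check_ruleset() {
  rules=$(postfix_ruleset)
  for chain in INPUT OUTPUT; do
    if printf '%s\n' "$rules" | grep -q -e "-A $chain .*--ctstate NEW" &&
       ! printf '%s\n' "$rules" | grep -q -e "-A $chain -m conntrack --ctstate ESTABLISHED,RELATED"; then
      echo "chain $chain allows NEW but has no ESTABLISHED,RELATED rule" >&2
      return 1
    fi
  done
  return 0
}
```

Review the output, then load it with `postfix_ruleset | iptables-restore`; the default DROP policies take effect atomically with the accept rules, so no window is left where replies are blocked.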