Postfix and Dovecot opened ports

dovecotpostfix

Doing a nmap on my server, I get this:

25/tcp  open  smtp
80/tcp  open  http
110/tcp open  pop3
143/tcp open  imap
465/tcp open  smtps
587/tcp open  submission
993/tcp open  imaps
995/tcp open  pop3s

I would like to use only secure connections, thus only smtps, imaps and pop3s. Could I disable the unsecured protocols, and expect things to work? What if I'm trying to send an e-mail to a server which doesen't have pop3s?
Why is submission there? It belongs to Postfix, but what it's his purpose? Isn't Postfix using only smtp/s?
I'm using Roundcube to read my e-mail, which is hosted on the same server with Postfix and Dovecot. I'm not using any other e-mail clients. How can I disable imap and imaps from the public? I want only Roundcube to use it.

Best Answer

You could choose which protocol should be enable in the dovecot configuration. The SMTP is completely different from the IMAP/POP server, so there is no interaction between them. Use what you want. You can disable unsecured protocol if you don't use them (it is recommanded)
Submission is an other protocol doing the same thing as SMTPS, but on port 587. Some networks allow SMTPS, some others submission. You can configure your weight clients to use one or other.
If you just want Roundcube, you need to keep imap(s) activated ! But you can firewall the ports only to localhost

Related Solutions

Mysql – Dovecot handshake failure, on Postfix success

You have actually disabled SSLv2, SSLv3, and TLSv1.0 in dovecot.

ssl_protocols = !SSLv2 !SSLv3 !TLSv1
ssl_cipher_list = HIGH:!SSLv2:!SSLv3:!TLSv1.0:!aNULL:!MD5

This is a problem because some clients don't yet speak TLSv1.1/TLSv1.2, your only remaining choices.

Try not disabling TLSv1.0 and see if you get any farther.

Postfix – SMTPS and Submission Confusion Explained

edit: This answer is based on RFC-6409 and is no longer correct, see the newer RFC-8314

Port 465 was used for SMTP connections secured by SSL. However, using that port for SMTP has been deprecated with the availability of STARTTLS: "Revoking the smtps TCP port" These days you should no longer use Port 465 for SMTPS. Instead, use Port 25 for receiving mails for your domain from other servers, or port 587 to receive e-mails from clients, which need to send mails through your server to other domains and thus other servers.

As an additional note, port 587 however is dedicated to mail submission - and mail submission is designed to alter the message and/or provide authentication:

offering and requiring authentication for clients which try to submit mails
providing security mechanisms to prevent submission of unsolicited bulk mail (spam) or infected mails (viruses, etc.)
modify the mail to the needs of an organisation (rewriting the from part, etc.)

Submission to port 587 is supposed to support STARTTLS, and thus can be encrypted. See also RFC#6409.

Best Answer

Related Solutions

Mysql – Dovecot handshake failure, on Postfix success

Postfix – SMTPS and Submission Confusion Explained

Related Topic