
Thursday, November 22, 2012, 16:02

Firewall Setting Requirements

Category: Administration

Solution ID: 00000186

Summary:

What are the recommended firewall settings for a perfectmail antispam server?

Answer:

Port 25 (SMTP) traffic arriving from the Internet should be forwarded to your PerfectMail product.

It is best to create a one-to-one NAT mapping between your Internet-facing IP address and your PerfectMail product, at least for port 25. Problems can arise when the incoming SMTP IP address and the outgoing SMTP IP address do not match: incoming SMTP traffic is properly forwarded, but outgoing SMTP traffic leaves from an unexpected IP address (usually the firewall's default outgoing IP address is used).

When you send e-mail to the Internet, remote anti-spam servers will verify the domain name, hostname and reverse address of the sending IP address against your DNS records. Often the DNS records are not configured to support the default outbound IP address.

Anti-spam servers will compare the name reported by the server itself (i.e. the hostname), the address record (A record) from DNS and the reverse DNS record (PTR record). Anti-spam servers will score, and possibly even reject, messages for discrepancies between these records. This is further complicated by firewall port forwarding issues. The best arrangement is a one-to-one NAT for your e-mail server, so that both incoming and outgoing mail use the same IP address. Failing that, the names should all match up on the outgoing side.
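The comparison described above (announced hostname against A record against PTR record) can be checked before an outbound address goes live. The following is an added example, not PerfectMail's own code; it takes resolver answers as plain dictionaries so it runs offline, and the hostnames and addresses in it are constructed sample data rather than real hosts.

```python
# Added example, not PerfectMail's code: reproduce the three-way comparison
# the article describes (announced hostname vs. A record vs. PTR record) so
# an administrator can test a planned outbound address before going live.
# Resolver answers are passed in as dicts, so the check runs offline; the
# names and addresses below are constructed sample data, not real hosts.
from typing import Dict, List


def check_sender_identity(
    sending_ip: str,
    helo_name: str,
    a_records: Dict[str, List[str]],
    ptr_records: Dict[str, List[str]],
) -> List[str]:
    """Return the discrepancies a receiving anti-spam server would notice.

    An empty list means hostname, A record and PTR record all agree.
    """
    problems: List[str] = []
    helo = helo_name.rstrip(".").lower()

    # 1. The announced name must have an A record that includes the source IP.
    forward = a_records.get(helo, [])
    if not forward:
        problems.append(f"HELO name {helo} has no A record")
    elif sending_ip not in forward:
        problems.append(f"HELO name {helo} resolves to {forward}, not {sending_ip}")

    # 2. The source IP must have a PTR record at all.
    ptr_names = [p.rstrip(".").lower() for p in ptr_records.get(sending_ip, [])]
    if not ptr_names:
        problems.append(f"{sending_ip} has no PTR record")
        return problems

    # 3. The PTR name must resolve back to the same IP
    #    (forward-confirmed reverse DNS).
    if not any(sending_ip in a_records.get(name, []) for name in ptr_names):
        problems.append(f"PTR {ptr_names} does not resolve back to {sending_ip}")

    # 4. The PTR name should match the announced name.
    if helo not in ptr_names:
        problems.append(f"PTR {ptr_names} differs from HELO name {helo}")

    return problems


# Constructed resolver data: 203.0.113.10 is the one-to-one NAT address for
# the mail server; 203.0.113.1 is the firewall's default outbound address,
# whose PTR record was assigned by the ISP.
SAMPLE_A = {
    "mail.example.com": ["203.0.113.10"],
    "static-203-0-113-1.isp.example.net": ["203.0.113.1"],
}
SAMPLE_PTR = {
    "203.0.113.10": ["mail.example.com"],
    "203.0.113.1": ["static-203-0-113-1.isp.example.net"],
}


def demo() -> Dict[str, List[str]]:
    """Compare the correctly NATed address with the default outbound address."""
    return {
        "one-to-one NAT": check_sender_identity(
            "203.0.113.10", "mail.example.com", SAMPLE_A, SAMPLE_PTR),
        "default outbound": check_sender_identity(
            "203.0.113.1", "mail.example.com", SAMPLE_A, SAMPLE_PTR),
    }


if __name__ == "__main__":
    for scenario, findings in demo().items():
        print(f"{scenario}: {findings or 'all records agree'}")
```

With the one-to-one NAT the check reports nothing; when mail leaves via the firewall's default address it reports both that the announced hostname does not resolve to the source address and that the PTR name differs from the hostname, which is exactly the mismatch a receiving server scores against.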

We strongly recommend updating your firewall to restrict all outgoing SMTP (port 25) traffic. Only PerfectMail and other mail servers should be able to send e-mail directly to the Internet. PCs compromised by viruses, Trojans, etc. may send e-mail directly to the Internet, which may result in your entire organization being blacklisted by RBL sites such as Spamhaus (especially if you have only one Internet-facing IP address).
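Once outbound port 25 is restricted to the mail servers, the firewall's log of blocked SMTP attempts becomes a simple way to spot the compromised PCs mentioned above. The following is an added example, not PerfectMail's own code: it scans netfilter-style "key=value" log lines for internal hosts that tried to reach TCP port 25 on the Internet without being on the approved sender list. The log lines, the internal addresses and the allowed-sender address are constructed sample data.

```python
# Added example, not PerfectMail's code: scan firewall log lines for internal
# hosts that tried to reach TCP port 25 on the Internet without being an
# approved mail server. Such hosts are the compromised PCs the article warns
# about. The log format follows the netfilter "key=value" style; the lines
# and addresses below are constructed sample data.
from collections import Counter
from typing import Dict, Iterable, Set

# The only hosts permitted to send SMTP directly to the Internet
# (constructed: the PerfectMail server's internal address).
ALLOWED_SMTP_SENDERS: Set[str] = {"192.168.1.10"}

# Constructed sample log: three attempts from one workstation, one from another,
# one legitimate attempt from the mail server, and unrelated traffic.
SAMPLE_LOG = [
    "Nov 22 16:02:01 fw kernel: EGRESS: IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=198.51.100.25 LEN=60 PROTO=TCP SPT=51234 DPT=25",
    "Nov 22 16:02:02 fw kernel: EGRESS: IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=198.51.100.26 LEN=60 PROTO=TCP SPT=51235 DPT=25",
    "Nov 22 16:02:03 fw kernel: EGRESS: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=198.51.100.25 LEN=60 PROTO=TCP SPT=44120 DPT=25",
    "Nov 22 16:02:04 fw kernel: EGRESS: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.80 LEN=60 PROTO=TCP SPT=50001 DPT=443",
    "Nov 22 16:02:05 fw kernel: EGRESS: IN=eth1 OUT=eth0 SRC=192.168.1.88 DST=198.51.100.53 LEN=48 PROTO=UDP SPT=40000 DPT=53",
    "Nov 22 16:02:06 fw kernel: EGRESS: IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=198.51.100.27 LEN=60 PROTO=TCP SPT=51236 DPT=25",
    "Nov 22 16:02:07 fw kernel: EGRESS: IN=eth1 OUT=eth0 SRC=192.168.1.88 DST=198.51.100.40 LEN=60 PROTO=TCP SPT=40001 DPT=25",
]


def parse_fields(line: str) -> Dict[str, str]:
    """Turn the key=value tokens of a netfilter log line into a dict.

    Tokens without '=' (timestamp, host, 'kernel:', the log prefix) are skipped.
    """
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def find_rogue_smtp_senders(
    log_lines: Iterable[str],
    allowed_senders: Set[str],
    min_attempts: int = 1,
) -> Dict[str, int]:
    """Count outbound TCP/25 attempts per internal source, ignoring approved senders.

    Returns {source_ip: attempts} for every source with at least min_attempts.
    """
    counts: Counter = Counter()
    for line in log_lines:
        fields = parse_fields(line)
        if fields.get("PROTO") != "TCP" or fields.get("DPT") != "25":
            continue
        src = fields.get("SRC")
        if not src or src in allowed_senders:
            continue
        counts[src] += 1
    return {src: n for src, n in counts.items() if n >= min_attempts}


if __name__ == "__main__":
    for src, attempts in sorted(find_rogue_smtp_senders(SAMPLE_LOG, ALLOWED_SMTP_SENDERS).items()):
        print(f"{src}: {attempts} direct SMTP attempt(s) to the Internet")
```

On the sample data the workstation 192.168.1.57 shows up with three attempts and 192.168.1.88 with one; the mail server's own connection and the HTTPS and DNS traffic are ignored. Raising min_attempts filters out one-off noise when the same check is run over a real day's log.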

Following are two examples of how to configure PerfectMail within your firewalled infrastructure.

Firewall Configuration: Green Zone + Internet

If you have a simple firewall configuration, with your internal network (Green Zone) being protected from the Internet, place your PerfectMail product in the internal network (Green Zone) and configure your firewall to allow the following network traffic.

Incoming Ports:

Port    Type    Protocol    Description
25      TCP     SMTP        Port forward to PerfectMail for incoming e-mail
443     TCP     HTTPS       Port forward to PerfectMail for remote secure web access (optional)
22      TCP     SSH         Port forward to PerfectMail for technical support (optional)

[Note: Using non-standard ports for support access (i.e. SSH and HTTPS) is acceptable as long as these are port forwarded to the appropriate ports on the PerfectMail server.]

Outgoing Ports:

Port        Type       Protocol        Description
25          TCP        SMTP            For outgoing e-mail
53          TCP/UDP    DNS/BIND        For DNS look-ups and testing
80          TCP        HTTP            For website probing
123         UDP        NTP             For remote Network Time Protocol look-ups
443         TCP        HTTPS           For website probing
43, 4321    TCP        whois, rwhois   For WhoIs queries

Firewall Configuration: Green Zone + DMZ + Internet

If you have a firewall configuration that includes a DMZ, with your internal network (Green Zone) being protected from the Internet, place your PerfectMail product in the DMZ network and keep your mail server and DNS server in the Green Zone. Configure your firewall to allow the following network traffic, which is required for PerfectMail to function.

Between Internet and the DMZ - Incoming Ports:

Port    Type    Protocol    Description
25      TCP     SMTP        Port forward to PerfectMail for incoming e-mail
443     TCP     HTTPS       Port forward to PerfectMail for remote secure web access (optional)
22      TCP     SSH         Port forward to PerfectMail for technical support (optional)

[Note: Using non-standard ports for support access (i.e. SSH and HTTPS) is acceptable as long as these are port forwarded to the appropriate ports on the PerfectMail server.]

Between Internet and the DMZ - Outgoing Ports:

Port        Type       Protocol        Description
25          TCP        SMTP            For outgoing e-mail
53          TCP/UDP    DNS/BIND        For DNS look-ups and testing
80          TCP        HTTP            For website probing
123         UDP        NTP             For remote Network Time Protocol look-ups
443         TCP        HTTPS           For website probing
43, 4321    TCP        whois, rwhois   For WhoIs queries

Between the DMZ and the Green Zone - Incoming Ports, to Green Zone:

Port    Type       Protocol    Description
25      TCP        SMTP        Port forward to mail server for incoming e-mail
53      TCP/UDP    DNS/BIND    For DNS look-ups and testing (unless DNS server is in DMZ)
123     UDP        NTP         For Network Time Protocol (unless time server is in DMZ)

Between the DMZ and the Green Zone - Outgoing Ports, from Green Zone:

Port    Type    Protocol    Description
25      TCP     SMTP        For outgoing e-mail
443     TCP     HTTPS       For PerfectMail Web-UI secure access
80      TCP     HTTP        For PerfectMail Web-UI access (optional)


Tags: antispam, server, secure, access, support, firewall, configuration

Link to this article: https://perfectmail.com/kb/firewall_setting_requirements

Updated: Thursday, November 22, 2012, 16:02

-- David Rutherford


Last modified: 2016-06-21, 10:41

© 1999-2013 PerfectMail