I am setting up an email server behind a MikroTik router, and would like some advice on proper port configuration.
Since my primary field is system administration, not networking, I would kindly ask for advice on whether my config is correct and if I perhaps missed something. Please bear with me.
I set up the mail server and the domain, MX lookup shows all green there.
and a static DNS record for internal lookup of the domain, for IMAP.
With this config everything works fine; I just have some questions and observations.
Observations-questions:
1. The main thing I am seeing is that in NAT you only see traffic on port 25, and only a small amount (1 packet per email in general, regardless of email size). Am I correct in assuming this is only the server-to-server negotiation, and then an established connection is created through which the rest of the email goes? If so, is there a way to track on what port the servers are communicating during the actual email exchange?
2. Port 587 never gets touched. The server has TLS enabled and a certificate installed, and MX Toolbox shows the server is TLS compatible. Is this because of the same reason as above?
3. Is the configuration safe and sound, or did I make some mistakes?
Both rules deal with all packets of all established connections. The difference between the two rules is that the first rule marks connections to skip all the firewall machinery and those packets won’t get counted in any firewall filter rule statistics.
Meaning that the rest of rules (including your rules for SMTP & co) only deal with initial packets for each new connection.
2.) The logic is the same as in the answer to question #1 above. However, one has to know what port 587 is used for … and it's usually used by mail client software (Outlook, Thunderbird, …) to send out e-mails. They could use port 25 as well, but using TLS (over port 587) allows doing some client authentication and authorization (which plain SMTP on port 25 does not). This generally helps to fight spammers (but port 25 needs to be configured appropriately, e.g. it has to check SPF records for the SMTP peer connecting … etc.).
Usual SMTP<->SMTP traffic normally still uses port 25.
3.) Your rules seem just fine to me. However, I'd suggest you follow the default nomenclature, which uses in-interface-list=WAN (instead of in-interface=) and doesn't care about dst-address (for most use cases, limiting to in-interface(-list) does the same thing), unless you have a more complicated WAN setup (e.g. more than one WAN IP address or multiple ISP lines with load sharing).
Even without fasttrack, NAT tables (/ip firewall nat) deal only with the first packet of each connection (you can't change source or destination in the middle; it wouldn't work), so that's what those counters show.
The only reliable standard for SMTP (server to server) communication is port 25. It's for both plaintext (default) and encrypted (STARTTLS). Port 587 is for client to server communication, and encryption is the same as with port 25. If you're looking for an SMTP port with implicit always-on TLS, there isn't one. For a while it was port 465, but it never caught on (e-mail related stuff moves at a glacial pace; it's impossible to change anything and expect the whole world to use it sooner than after a few decades). The latest development is that 465 is now repurposed as an alternative to 587 with implicit TLS, and not used much, because most servers don't support it.
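To tie the two answers above together, here is an added RouterOS example (not posted by anyone in this thread) of the WAN interface-list nomenclature, the port forwards for 25/587/993, the fasttrack rule that explains the low NAT counters, and a connection-tracking query to see the established flows. Assumed placeholder values: ether1 is the ISP uplink, bridge is the LAN interface, 192.168.88.10 is the internal mail host, and mail.example.com is its name.

```routeros
# Added example, not from the thread. Placeholder values: ether1 (WAN uplink),
# bridge (LAN), 192.168.88.10 (internal mail host), mail.example.com (its name).

/interface list
add name=WAN
add name=LAN
/interface list member
add list=WAN interface=ether1
add list=LAN interface=bridge

# Internal clients resolve the mail host to its LAN address (the "static DNS
# record" from the question) instead of the public IP.
/ip dns static
add name=mail.example.com address=192.168.88.10

# Port forwards. NAT rewrites only the first packet of each connection, so
# these counters grow by roughly one per inbound connection, not per byte.
/ip firewall nat
add chain=dstnat action=dst-nat in-interface-list=WAN protocol=tcp dst-port=25 \
    to-addresses=192.168.88.10 to-ports=25 comment="SMTP server-to-server"
add chain=dstnat action=dst-nat in-interface-list=WAN protocol=tcp dst-port=587 \
    to-addresses=192.168.88.10 to-ports=587 comment="Submission (mail clients)"
add chain=dstnat action=dst-nat in-interface-list=WAN protocol=tcp dst-port=993 \
    to-addresses=192.168.88.10 to-ports=993 comment="IMAPS"
add chain=srcnat action=masquerade out-interface-list=WAN

# Filter: established/related flows are fasttracked and skip the rest of the
# chain, which is why the later rules only ever count new connections. Only
# new connections that were DST-NATed are allowed in from WAN.
/ip firewall filter
add chain=forward action=fasttrack-connection connection-state=established,related
add chain=forward action=accept connection-state=established,related
add chain=forward action=accept connection-state=new connection-nat-state=dstnat \
    in-interface-list=WAN protocol=tcp dst-port=25,587,993
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat \
    in-interface-list=WAN
add chain=forward action=drop connection-state=invalid

# To see the flows the NAT counters hide, look at connection tracking; the
# dst-address column shows ip:port, so the whole SMTP session is visible there.
/ip firewall connection print where protocol=tcp dst-address~":25$"
```

The last command only shows that a session to port 25 exists; whether STARTTLS was negotiated inside it is decided by the mail servers, and the router's tables cannot tell the two apart.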
Thanks to both for the extensive write-up. Very much appreciated; it clears up a lot.
So the basic gist of it is that server to server happens on 25, then the connection goes into established and is taken over by the default firewall rules.
Also, from the replies I'm getting that it is simply impossible to tell if the traffic is going through encrypted channels on SSL or plaintext, since 25 can be used for both? And there is no way to force implicit TLS/SSL.
Thank you again; I wanted to do a sanity check on the settings as, as I say, networking is not my primary field, and I do not want to leave mistakes in the config.
Modern servers try to enable TLS when connecting to other servers. Maybe you could get away with requiring STARTTLS on port 25, if your server software has such an option. But you never know when it can be a problem.