Hi guys,
I did a service scan on a Mikrotik routerboard with a software tool (GFI Lan Guard) and it finds POP3, SMTP and IMAP4 services enabled on the routerboard: why?
I checked under IP/service of RouterOS but I don’t find any SMTP, POP3 or IMAP4 service.
Also with Dude, if I try to check a routerboard it finds SMTP, POP3 and IMAP4 services; if I try to connect via telnet (telnet ip address 110) I can’t, so I think the service isn’t available: is that correct?
You have to configure the firewall so that it blocks such requests. Put firewall rules in the input chain that block everything coming from unknown addresses, and also block access to unused ports. Just make sure that you allow things like DNS requests for the router.
I use the routerboard in bridging mode in a point-to-point wireless link, so I wouldn’t use firewall rules.
Why does the Dude software find POP3, SMTP and IMAP4 services active on routerboards? Is it possible to disable these services?
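The manual telnet test from the first post can be automated. The added example below (not part of the thread) connects to each plaintext mail port and checks whether the listener actually sends the protocol's greeting, which separates a real POP3/IMAP/SMTP daemon from something that only completes the TCP handshake. The `probe` function, its result labels and the default address are assumptions made for this example.

```python
import socket
import sys

# Plaintext mail ports and the greeting prefixes a real server sends unprompted
# right after the TCP handshake. 993/995 are implicit TLS and send no plaintext
# greeting, so they are out of scope for this check.
SERVICES = {
    "pop3": (110, (b"+OK",)),
    "imap": (143, (b"* OK", b"* PREAUTH", b"* BYE")),
    "smtp": (25, (b"220", b"554")),
}

def probe(host, port, protocol, timeout=3.0):
    """Classify what is listening on host:port (labels are this example's own)."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"             # refused, filtered or timed out
    with sock:
        try:
            data = sock.recv(256)        # wait for the server to speak first
        except socket.timeout:
            return "accepts-but-silent"  # handshake completes, no greeting
        except OSError:
            return "accepts-then-resets"
    if not data:
        return "accepts-then-closes"     # peer closed without sending anything
    if data.startswith(SERVICES[protocol][1]):
        return "service-present"         # greeting matches the protocol
    return "unexpected-data"             # something else answers on this port

if __name__ == "__main__":
    # Assumption: the router address is passed as the first argument.
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for name, (port, _) in SERVICES.items():
        print(f"{name:5} {port:>4}/tcp  {probe(host, port, name)}")
```

Any result other than `service-present` on a port that a connect scan reported as open means the handshake is being answered by something that does not speak the mail protocol, so the scan path is the next thing to inspect.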
Quite a while here … BUT … I ran into the same curiosity …
Despite having a fw-rule which blocks all ports for the INPUT chain on the gateway interface, nmap shows open ports which have NEVER been opened, used, forwarded etc.
nmap -sT -sU -T4 -v -v -F -Pn [my host’s wan ip from ISP]
Starting Nmap 7.01 ( https://nmap.org ) at 2016-02-09 17:27 CET
Initiating Parallel DNS resolution of 1 host. at 17:27
Completed Parallel DNS resolution of 1 host. at 17:27, 0.00s elapsed
Initiating UDP Scan at 17:27
Scanning home.[myDomainName].at (178.xxx.xx.xxx) [100 ports]
Completed UDP Scan at 17:27, 11.13s elapsed (100 total ports)
Initiating Connect Scan at 17:27
Scanning home.[myDomainName].at (178.xxx.xx.xxx) [100 ports]
Discovered open port 995/tcp on 178.xxx.xx.xxx
Discovered open port 993/tcp on 178.xxx.xx.xxx
Discovered open port 443/tcp on 178.xxx.xx.xxx
Discovered open port 80/tcp on 178.xxx.xx.xxx
Discovered open port 110/tcp on 178.xxx.xx.xxx
Discovered open port 143/tcp on 178.xxx.xx.xxx
Discovered open port 22/tcp on 178.xxx.xx.xxx
Completed Connect Scan at 17:27, 2.36s elapsed (100 total ports)
Nmap scan report for home.[myDomainName].at (178.xxx.xx.xxx)
Host is up, received user-set (0.022s latency).
rDNS record for 178.xxx.xx.xxx: 178.xxx.xx.xxx.wireless.dyn.drei.com
Scanned at 2016-02-09 17:27:03 CET for 13s
Not shown: 100 open|filtered ports, 93 filtered ports
Reason: 193 no-responses
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack
80/tcp open http syn-ack
110/tcp open pop3 syn-ack
143/tcp open imap syn-ack
443/tcp open https syn-ack
993/tcp open imaps syn-ack
995/tcp open pop3s syn-ack
Read data files from: /usr/local/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 14.33 seconds
Raw packets sent: 200 (7.156KB) | Rcvd: 36 (5.102KB)
And here is my firewall setup:
Address Lists (some permanently blocked “china-nets” are not pasted)
[spippan@Cerberus] /ip firewall address-list> print where !dynamic
Flags: X - disabled, D - dynamic
# LIST ADDRESS TIMEOUT
13 ;;; LAN sp-private
whitelist 192.168.1.0/24
14 ;;; VPN net Cerberus
whitelist 10.20.30.0/24
17 ;;; daniLAN
whitelist 192.168.3.0/24
18 X whitelist 62.218.xxx.xxx/31
21 ;;; VPN net sp-private
whitelist 10.20.31.0/24