9

Doing a nmap on my server, I get this:

    25/tcp  open  smtp
    80/tcp  open  http
    110/tcp open  pop3
    143/tcp open  imap
    465/tcp open  smtps
    587/tcp open  submission
    993/tcp open  imaps
    995/tcp open  pop3s

  1. I would like to use only secure connections, thus only smtps, imaps and pop3s. Could I disable the unsecured protocols, and expect things to work? What if I'm trying to send an e-mail to a server which doesn't have pop3s?
  2. Why is submission there? It belongs to Postfix, but what is its purpose? Isn't Postfix using only smtp/s?
  3. I'm using Roundcube to read my e-mail, which is hosted on the same server with Postfix and Dovecot. I'm not using any other e-mail clients. How can I disable imap and imaps from the public? I want only Roundcube to use it.
danator

2 Answers

14

Quite the old question, but my response might be useful for some anyway.

On Debian GNU/Linux 7.6 (wheezy; find the version with `lsb_release -a`) running Dovecot 2.1.7 (find the version with `dovecot --version`), you disable ports by editing the file `/etc/dovecot/conf.d/10-master.conf`.

For example, if you only want to have pop3s (port 995), you should insert `port=0` in all the relevant `inet_listener` sections.

Example code to allow only pop3s:

    # /etc/dovecot/conf.d/10-master.conf

    service imap-login {
      inet_listener imap {
        #address = none
        #port = 143
        # port = 0 disables this listener
        port = 0
      }
      inet_listener imaps {
        #address = none
        #port = 993
        #ssl = yes
        port = 0
      }
    }

    service pop3-login {
      inet_listener pop3 {
        #address = none
        #port = 110
        port = 0
      }
      # pop3s keeps its default port (995) and stays enabled
      inet_listener pop3s {
        #port = 995
        #ssl = yes
      }
    }

Now, restart Dovecot with `sudo service dovecot restart`. You could run a port scan with nmap against the network interfaces to verify that Dovecot is no longer listening on the ports you wanted to disable.

Run `nmap localhost` to scan the local host, and `nmap nnn.nnn.nnn.nnn` or `nmap mail.mydomain.com` to scan the public-facing network interfaces.

If you did everything as in this example, the ports 110 (pop3), 143 (imap) and 993 (imaps) should no longer be listed as open.

NordicViking
  • On OpenBSD, to check ports on localhost: `netstat -a | grep LISTEN` – Clint Pachl Mar 08 '18 at 08:59
  • If you do want to close imaps/imap or pop/pops, you could just modify the conf file and remove it from /etc/dovecot/dovecot.conf (for CentOS) on the line `protocols = imap pop3`. Removing pop3, for instance, will close your pop(s), and a reload instead of a restart will reload only the config without a hard stop on Dovecot. Thanks for the inet_listener comment to put port = 0 – gstlouis Feb 05 '20 at 21:39
  • `protocols` configuration parameter is obsoleted. – 71GA Dec 16 '20 at 20:35
1
  1. You could choose which protocols should be enabled in the Dovecot configuration. SMTP is completely different from the IMAP/POP server, so there is no interaction between them. Use what you want. You can disable unsecured protocols if you don't use them (it is recommended).
  2. Submission is another protocol doing the same thing as SMTPS, but on port 587. Some networks allow SMTPS, some others submission. You can configure your weight clients to use one or the other.
  3. If you just want Roundcube, you need to keep imap(s) activated! But you can firewall the ports to localhost only.
Dom
  • Seems that I cannot send and receive mail only through submission, so I've configured SMTP to enforce TLS. Regarding IMAP, I've bound it to localhost, so it's no longer visible. Thank you for your help! – danator Aug 21 '13 at 20:36
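
An added example, not part of either answer: one way to check the result of the changes discussed above (listeners disabled with `port = 0`, IMAP bound to localhost) from `ss -ltnH` output on the server itself rather than from an nmap scan. It flags mail ports without implicit TLS that still listen beyond loopback. The sample output is constructed, and allow-listing ports 25 and 587 (which rely on STARTTLS) is an assumption of this example.

```python
import ipaddress

# Mail ports from the nmap output in the question; True marks implicit-TLS ports.
MAIL_PORTS = {25: ("smtp", False), 110: ("pop3", False), 143: ("imap", False),
              465: ("smtps", True), 587: ("submission", False),
              993: ("imaps", True), 995: ("pop3s", True)}

# Constructed sample of `ss -ltnH` output (not captured from a real host):
# IMAP is bound to loopback, POP3 still listens on all interfaces.
SAMPLE_SS = """\
LISTEN 0 100 0.0.0.0:25 0.0.0.0:*
LISTEN 0 100 127.0.0.1:143 0.0.0.0:*
LISTEN 0 100 0.0.0.0:110 0.0.0.0:*
LISTEN 0 100 0.0.0.0:995 0.0.0.0:*
LISTEN 0 100 [::]:995 [::]:*
LISTEN 0 128 [::1]:993 [::]:*
LISTEN 0 511 *:80 *:*
"""

def is_loopback(addr):
    """True if the bind address is reachable only from the host itself."""
    addr = addr.strip("[]").split("%")[0]   # drop IPv6 brackets and zone id
    if addr == "*":                         # wildcard: every interface
        return False
    return ipaddress.ip_address(addr).is_loopback

def mail_listeners(ss_output):
    """Return sorted (port, name, scope, implicit_tls) rows for mail ports."""
    found = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")   # local address:port column
        if port.isdigit() and int(port) in MAIL_PORTS:
            name, tls = MAIL_PORTS[int(port)]
            scope = "loopback" if is_loopback(addr) else "public"
            found.add((int(port), name, scope, tls))   # set merges v4/v6 rows
    return sorted(found)

def exposed_cleartext(ss_output, allowed=(25, 587)):
    """Ports without implicit TLS that listen beyond loopback, minus an allow-list."""
    return [p for p, _, scope, tls in mail_listeners(ss_output)
            if scope == "public" and not tls and p not in allowed]

if __name__ == "__main__":
    for row in mail_listeners(SAMPLE_SS):
        print(row)
    print("cleartext ports reachable from outside:", exposed_cleartext(SAMPLE_SS))
```

On a real host, pass the text of `ss -ltnH` to `exposed_cleartext()`; an empty list means only the allow-listed SMTP ports and the implicit-TLS ports are reachable from other machines.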