Firewall Usage

As SpamExperts offers a SaaS managed email security service, it is essential that the servers are fully accessible at all times without external (network) restrictions. Since SpamExperts manages a large number of servers, it is important that the configuration is the same on all systems to allow quick intervention when required. SpamExperts therefore takes care of all security (updates) on the machines and ensures protection of the ports/services running in the environment. Data on external attacks is collected and used as part of our protection service.

Ports that are open in the environment are either publicly available (e.g. SMTP, HTTP & IMAP) or restricted by source IP by our local firewall. An extra external firewall is not required and should be DISABLED to avoid conflicts with the software. We welcome a full security audit after the system setup is complete.

If your network will not allow you to completely disable an external firewall, we strongly recommend that you choose an alternative network to host the servers. If you nevertheless still wish to run an external firewall besides the firewall we manage for you on the systems, you must ensure the ports listed below are open. Please note that the required open ports may change between version updates; any change will be shown in the Changelog. If the newly required ports are not opened within 5 working days, our software may break and would be unsupported until the external issue is resolved.

As administrator of the hardware/network, you are responsible for keeping track of and ensuring that the required ports are open before the installation/upgrade is started. In the event of a disrupted service due to an external firewall, a fee may be charged for handling the resulting monitor warning/support. Please ensure that the required ports are always open to avoid such situations. When using NAT (Network Address Translation), which we strongly recommend against, please ensure that the source IP address is identical to the external IP of the server and not the primary IP of the subnet. See the Local Cloud Installation procedure for more information.

Open ports

There should be no firewall active that is obfuscating/altering/removing any of the traffic to or from the SpamExperts servers (including e.g. the SMTP welcome banner). For example, certain Cisco devices are known to interfere with SMTP when ESMTP inspection is enabled, when fixup is enabled, or when IDS is turned on. All of these must be turned off. See "What local issues may cause Non-delivery of mail?".

As mentioned above, we manage the server's local firewall.

The following ports must be unfiltered and unrestricted:

Incoming & Outgoing

All ports are TCP unless stated otherwise.

  • 80
  • 443
  • 25
  • 143
  • 123 (UDP)
  • 993
  • 3306
  • 10050
  • 873
  • 30443
  • 10045-10049 (TCP/UDP)
  • 1080
  • ICMP should be allowed

Incoming

All ports are TCP unless stated otherwise.

  • 22 (SSH has been IP access restricted by our software already, see more details below)
  • 465
  • 587

Outgoing

All ports are TCP unless stated otherwise.

  • 53 (TCP/UDP)
  • 6568 (UDP)
  • 1600 (UDP)
  • 4121
  • 24441 (UDP)
  • 10051
  • 2703
  • 61380-61399 (TCP/UDP)

SSH port 22

SpamExperts does not believe in security through obscurity, and hence we run the SSH service on port 22. Our software restricts which IP addresses can access the SSH service, and you can manage which IP addresses are authorized as "Super Admin" from the web interface. We do not support an external firewall blocking the SSH port, as that prevents us from collecting data on external attacks and, in case of e.g. routing issues, may block us from being able to solve issues in the environment. IMPORTANT notice when using an external firewall to restrict port 22 access:

  • in case of issues reaching the system, problems may not be supported by our team
  • we may be unable to monitor the server(s)/service(s) and hence any issues may remain undetected/unresolved
  • our (premium) support contract services do not apply
  • none of the SpamExperts SLAs apply
  • a fee may be charged when support is requested

If company policy requires you to restrict SSH port 22 to specific IPs, you need to ensure that any IP listed in /etc/hosts.allow is always authorized for access. In addition, please contact our support for the list of monitoring server IP(s) in use, which must be added as well. We do of course welcome any external security audit, and as a security company we follow best practices in ensuring a secure environment. Alternatively, please consider using our Hosted Cloud product, where we run the infrastructure/networking for you.
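One way to verify that requirement before applying an external port-22 rule, as an added example that is not SpamExperts' code: parse the sshd entries of hosts.allow and report every client network that a proposed external-firewall allowlist would not fully cover. It assumes IPv4 entries in tcp_wrappers syntax and uses a constructed hosts.allow sample rather than the real file.

```python
import ipaddress

# Constructed sample in tcp_wrappers syntax; in practice read /etc/hosts.allow itself.
SAMPLE_HOSTS_ALLOW = """\
# constructed sample, not a real managed file
sshd : 192.0.2.10 , 198.51.100.0/24 : allow
sshd : 203.0.113.0/255.255.255.0, 10.20.
ALL : 127.0.0.1
smtpd : ALL
"""


def _client_to_network(client):
    """Convert one tcp_wrappers client pattern to an IPv4 network, or None.

    Handles a.b.c.d, a.b.c.d/prefix, a.b.c.d/mask.mask.mask.mask and the
    trailing-dot prefix form (e.g. '10.20.' meaning 10.20.0.0/16).
    Hostnames, wildcards, ALL and bracketed IPv6 entries are not checkable here.
    """
    if client.endswith(".") and client[:-1].replace(".", "").isdigit():
        octets = client[:-1].split(".")
        prefix = 8 * len(octets)
        client = ".".join(octets + ["0"] * (4 - len(octets))) + f"/{prefix}"
    try:
        return ipaddress.IPv4Network(client, strict=False)
    except ValueError:
        return None


def parse_hosts_allow(text, daemon="sshd"):
    """Return the client networks that hosts.allow grants to `daemon` (or to ALL)."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]  # daemon_list : client_list [: option]
        if len(fields) < 2:
            continue
        daemons = {d.strip() for d in fields[0].split(",")}
        if daemon not in daemons and "ALL" not in daemons:
            continue
        for client in fields[1].split(","):
            net = _client_to_network(client.strip())
            if net is not None:
                nets.append(net)
    return nets


def uncovered(required, allowlist):
    """Return the required networks that no allowlist entry fully contains."""
    allowed = [ipaddress.IPv4Network(a, strict=False) for a in allowlist]
    return [n for n in required if not any(n.subnet_of(a) for a in allowed)]


if __name__ == "__main__":
    needed = parse_hosts_allow(SAMPLE_HOSTS_ALLOW)
    # Constructed candidate allowlist for the external firewall's port-22 rule.
    for net in uncovered(needed, ["192.0.2.0/24", "198.51.100.0/24", "127.0.0.0/8"]):
        print(f"hosts.allow grants {net} but the external firewall would block it")
```

Any network it reports must be added to the external rule (together with the monitoring server IPs obtained from support) before the restriction goes live.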