-1

I have currently set up a mail server using Postfix and Dovecot.

Before officially going live, I plan to use IMAP, POP3, and SMTP. I intend to keep port 25 (SMTP) closed and only use port 587 (submission) for sending mail, and ports 993 and 995 for receiving mail via IMAP and POP3.

So in total, I would only open ports 587, 993, and 995.

My question is: Can a fully functional mail server be run with only these ports open?

However, after researching on various forums, I found that port 587 is for sending only, and cannot receive mail from other servers. Therefore, it seems that port 25 (SMTP) is essential for receiving emails from other mail servers.

This has left me confused. Should I open port 25 in addition to the three mentioned above, making it a total of four open ports?

Marco

2 Answers

4

My question is: Can a fully functional mail server be run with only these ports open?

Not if you define functionality as "exchanging mail with other domains in both directions". That requires being able to accept incoming connections from other servers on port 25, as well as making outgoing connections to port 25 of other servers.

In short, port 25 is the generally agreed inter-domain "mail exchange" port. There's no way to request other domains to deliver you mail over different ports (aside from individual 1-to-1 agreements).

Meanwhile ports 465/587 (your choice) are the "mail submission" ports, where client apps inject new messages for the server to deliver. These ports generally require authentication before any mail can be submitted, which makes them unsuitable for delivery from outside – indeed having two distinct security policies is the entire point of them being separated from port 25. The submission ports might also apply different SPF/DKIM handling compared to the exchange port.

All of 25/465/587 are still the exact same Postfix implementing the same SMTP, so the exploit risk is the same regardless of the total number of ports (and general risk is probably lower due to having clearly delineated auth/unauth handling than if you had just one port).

(Though you can have Dovecot accept mail submission nowadays and pass it to Postfix internally, that way Postfix would only need to handle unauthenticated public service while Dovecot would take care of all client-facing service. I've not yet tried this option myself.)

Similarly, ports (143/)993 and (110/)995 "for receiving mail via IMAP and POP3" are specifically for receiving mail from your server into client apps; not for receiving from other domains into your server.

(I would say that a mail server is still fully functional without POP3, and/or possibly even without IMAP. If it can exchange mail then it's a mail server, no matter how you're accessing it.)

grawity
4

Only TCP port 25 is used for delivering messages between message transfer agents (MTAs), i.e. from one SMTP server to another. There, the sending SMTP server acts as a client that contacts the receiving SMTP server. You cannot receive messages without inbound tcp/25 open, nor send messages without outbound tcp/25.

Furthermore, since RFC 8314 (January 2018), cleartext has been considered obsolete:

From these, you already got IMAP and POP correctly, but you should replace STARTTLS submission with implicit TLS submission.

Conclusion: for your use case, you would need TCP ports 25, 465, 993 & 995 open.

Esa Jokinen
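The port split both answers describe (unauthenticated exchange on 25, authenticated implicit-TLS submission on 465, TLS-only IMAP/POP3 on 993/995), written out as Postfix and Dovecot configuration. This is an added illustration, not the asker's configuration or anything from the answers; it assumes a stock Postfix 3.x master.cf and Dovecot 2.x layout, and that SASL and TLS certificates are already configured in main.cf and 10-ssl.conf.

```text
# --- /etc/postfix/master.cf (assumed stock layout) ---
# service   type  private unpriv  chroot  wakeup  maxproc command
#
# Port 25: inter-domain mail exchange. Other MTAs connect here without
# authenticating, so AUTH is not offered and relaying is limited to
# destinations this server is responsible for.
smtp        inet  n       -       -       -       -       smtpd
  -o smtpd_sasl_auth_enable=no
  -o smtpd_tls_security_level=may
  -o smtpd_relay_restrictions=permit_mynetworks,reject_unauth_destination

# Port 465: implicit-TLS submission (RFC 8314). TLS is negotiated before
# any SMTP dialogue, and only authenticated clients may relay.
smtps       inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject

# Port 587 (STARTTLS submission) is intentionally absent, following the
# second answer's recommendation to use implicit TLS on 465 instead.

# --- /etc/dovecot/conf.d/10-master.conf (assumed stock layout) ---
# Cleartext listeners are disabled with port = 0; only 993 and 995 remain.
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 0
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
```

After reloading both daemons, `postconf -M` lists the enabled Postfix services and `ss -ltn` should show only 25, 465, 993 and 995 listening.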