Firewall

Quite often, Kerio MailServer is installed on a local network protected by a firewall, or directly on the firewall host. The system administrator then has to take care of several settings.

Ports

If the MailServer is to be accessible from the Internet, certain ports have to be opened (mapped) in the firewall. Every mapped port enlarges the attack surface exposed to the Internet; therefore, the fewer ports you map, the better.

When mapping ports for Kerio MailServer the following rules should be followed:
  • Port 25 must be mapped if the SMTP server is to be reachable from the Internet. This is required whenever an MX record for a local domain (or several domains) points to the MailServer. In this case anti-spam protection must be enabled (see chapter Antispam Protection of the SMTP Server) so that the MailServer cannot be misused, for example as an open relay. Because any SMTP server on the Internet may need to connect to deliver mail for one of the local domains, access to port 25 cannot be restricted to a selected group of IP addresses.
  • If all incoming mail is downloaded from remote POP3 mailboxes instead, port 25 does not need to be opened at all.
  • Ports for the other services (POP3, IMAP, HTTP, LDAP and Secure LDAP) need to be opened only if clients access their mailboxes from outside the protected local network (typically notebook users). In this case we strongly recommend using only the secure versions of these services and mapping only their ports on the firewall, i.e. 443 (HTTPS), 636 (Secure LDAP), 993 (IMAPS) and 995 (POP3S); the plaintext ports 80, 389, 143 and 110 should stay closed.
  • If the subnets or IP address ranges from which remote clients connect can be defined, we recommend allowing access to these ports only from those addresses. This is not possible if users travel world-wide and connect to the Internet through many different ISPs.
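The port policy above, written out as an added example rather than configuration from the Kerio documentation: a small POSIX shell script that emits an iptables-restore ruleset for a Linux firewall in front of the MailServer. It assumes the MailServer sits on the LAN behind the firewall (so ports are "mapped" with DNAT); that is a substitution for the Windows WinRoute setup the page describes, and the addresses and subnets are placeholders from the RFC 5737 documentation ranges. Port 25 is always accepted from any source, only the secure client ports (443, 636, 993, 995) are ever mapped, and they are restricted to the given client subnets when any are supplied.

```shell
#!/bin/sh
# Added example (not from the Kerio documentation): generate an
# iptables-restore ruleset applying the MailServer port rules above.
# Assumptions: MailServer on the LAN behind a Linux firewall, mail for the
# local domains arrives via MX/SMTP, addresses below are placeholders.
#
# Usage:  sh mailserver_rules.sh MAILSERVER_IP [CLIENT_NET ...] > rules.v4
#         iptables-restore --test < rules.v4   # syntax check before loading
#         iptables-restore < rules.v4
#
# Only the rules the MailServer needs are emitted; a real firewall also
# needs its LAN egress and MASQUERADE rules, which are out of scope here.

# Secure client ports: HTTPS 443, Secure LDAP 636, IMAPS 993, POP3S 995.
# The plaintext counterparts (80, 389, 143, 110) are never mapped.
MAIL_SECURE_PORTS="443 636 993 995"

# Print all arguments as one rule line (format first, so '-A' is not
# parsed as a printf option).
emit() { printf '%s\n' "$*"; }

# gen_mailserver_rules MAILSERVER_IP [CLIENT_NET ...]
# With no CLIENT_NET the secure client ports are open to the whole Internet
# (roaming users); with one or more, only those subnets are accepted.
gen_mailserver_rules() {
    mailserver="$1"; shift

    emit '*nat'
    emit ':PREROUTING ACCEPT [0:0]'
    emit ':POSTROUTING ACCEPT [0:0]'
    # Map (DNAT) port 25 and the secure client ports to the MailServer.
    for p in 25 $MAIL_SECURE_PORTS; do
        emit -A PREROUTING -p tcp --dport "$p" -j DNAT --to-destination "$mailserver"
    done
    emit COMMIT

    emit '*filter'
    emit ':FORWARD DROP [0:0]'
    emit -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # SMTP: any server on the Internet must be able to deliver mail for the
    # local domains, so no source restriction is possible on port 25.
    emit -A FORWARD -d "$mailserver" -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
    if [ $# -eq 0 ]; then
        for p in $MAIL_SECURE_PORTS; do
            emit -A FORWARD -d "$mailserver" -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
        done
    else
        for net in "$@"; do
            for p in $MAIL_SECURE_PORTS; do
                emit -A FORWARD -s "$net" -d "$mailserver" -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
            done
        done
    fi
    # Anything else forwarded to the MailServer is dropped by the chain policy.
    emit COMMIT
}

# Without arguments, print a demo ruleset with constructed RFC 5737
# documentation addresses; pass real values in production.
if [ $# -gt 0 ]; then
    gen_mailserver_rules "$@"
else
    gen_mailserver_rules 192.0.2.10 203.0.113.0/24 198.51.100.0/24
fi
```

Run `iptables-restore --test` on the output before loading it, and confirm from outside with a port scan that only 25 and the four secure ports answer; if mail is fetched from remote POP3 mailboxes instead of being delivered via MX, drop the two port 25 lines as well.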

Dial-up Connection

If Kerio MailServer and a firewall run on a single computer that is connected to the Internet via a dial-up line, it may be required that the MailServer use a different dial-up connection (e.g. via a different ISP) than the firewall for accessing the Internet. The firewall then has to know both of these connections, or it will block the packets passing over the connection used by the MailServer (no packet on an unknown interface is allowed through the firewall, in either direction).

Example: WinRoute Pro 4.x is used as the firewall. The firewall uses the connection DC1, whereas the MailServer uses DC2 (both connections are already present in the system). In the Interface Table settings in WinRoute, assign the connection DC1 to line1 and the connection DC2 to line2 (use Settings / Advanced / Interface Maintenance to add the second line). This cannot be set the other way around, because WinRoute only dials line1 on demand.
