Ports: Difference between revisions

(Added port info for Zimbra Docs.)
(9 intermediate revisions by 2 users not shown)
Line 2: Line 2:
__FORCETOC__
__FORCETOC__
<div class="col-md-12 ibox-content">
<div class="col-md-12 ibox-content">
=Default Ports Used by Zimbra=
= Default Ports Used by Zimbra =
{{KB|{{ZC}}|{{ZCS 8.6}}|{{ZCS 8.5}}|{{ZCS 8.0}}|}}
{{KB|{{ZC}}|{{ZCS 8.8}}|{{ZCS 8.6}}|{{ZCS 8.5}}|{{ZCS 8.0}}|}}
{{WIP}}
{{WIP}}


You may choose not to allow remote connections to all of the external ports depending on which services you want to make available.  In general, it is best to be restrictive as possible.
You may choose not to allow remote connections to all of the external ports depending on which services you want to make available.  In general, it is best to be restrictive as possible.


==External Access==
== External Access ==


These are ports typically available to mail clients.
These are ports typically available to mail clients.
Line 23: Line 23:
|143 || imap || mailbox / proxy || IMAP
|143 || imap || mailbox / proxy || IMAP
|-
|-
|443 || https || mailbox / proxy - web mail client ||  HTTP over TLS
|443 || https || mailbox / proxy - web mail client ||  HTTP over TLS
|-
|-
|465 || smtps || mta || Incoming mail to postfix over TLS (Legacy Outlook only? If possible, use 587 instead)
|465 || smtps || mta || Incoming mail to postfix over TLS (Legacy Outlook only? If possible, use 587 instead)
|-
|-
|587 || smtp   || mta  || Mail submission over TLS
|587 || smtp || mta  || Mail submission over TLS
|-
|-
|993 || imaps || mailbox / proxy || IMAP over TLS
|993 || imaps || mailbox / proxy || IMAP over TLS
|-
|-
|995 || pop3s || mailbox / proxy  || POP3 over TLS  
|995 || pop3s || mailbox / proxy  || POP3 over TLS  
|-
|-
|3443 || https || proxy ||User Certificate Connection Port (optional)
|3443 || https || proxy || User Certificate Connection Port (optional)
|-
|5222 || xmpp || mailbox || Default server port
|-
|5223 || xmpp ||  mailbox || Default legacy SSL port
|-
|-
|9071 || https || proxy admin console ||  HTTP over TLS (optional)
|9071 || https || proxy admin console ||  HTTP over TLS (optional)
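Review bot: the two added xmpp rows (5222 "Default server port" and 5223 "Default legacy SSL port") go into the External Access table without saying which feature listens on them or whether they are optional, unlike the 3443 and 9071 rows, which are marked "(optional)". The section intro advises restricting remote access to the services actually offered, so state when these two ports need to be reachable from clients.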
Line 39: Line 43:
|}
|}


==Internal Access==
== Internal Access ==


These are ports typically only used by the zimbra system itself.
These are ports typically only used by the Zimbra system itself.


{| class="wikitable" style="margin-left ||  5px| margin-right ||  auto|"
{| class="wikitable" style="margin-left ||  5px| margin-right ||  auto|"
!Port || Protocol || Zimbra Service || Description
!Port || Protocol || Zimbra Service || Description
|-
|-
|389 || ldap  || ldap ||
|389 || ldap  || ldap || LC(ldap_bind_url)
|-
|636 || ldaps  || ldaps || if enabled via LC(ldap_bind_url)
|-
|3310 || -    || mta/clamd || AV content scanning; localhost|''zimbraClamAVBindAddress''
|-
|5269 || xmpp || mailbox || Server-to-Server communications between servers on the same cluster
|-
|-
|636 || ldaps || ldaps || (if enabled)
|7025 || lmtp || mailbox || local mail delivery; ''zimbraLmtpBindAddress''
|-
|-
|7025 || lmtp  || mailbox || local mail delivery
|7026 || milter || mailbox || [[Enabling_and_administering_the_Zimbra_milter | zimbra-milter]]; ''zimbraMilterBindAddress''
|-
|-
|7047 || http  || conversion server || Accessed by localhost by default; See also zimbraConvertdURL
|7047 || http  || conversion server || Accessed by localhost by default; binds to '*'
|-
|-
|7071 || https || mailbox || admin console HTTP over TLS
|7071 || https || mailbox || admin console HTTP over TLS; ''zimbraAdminBindAddress''
|-
|-
|7072 || http  || mailbox || ZCS Nginx Lookup (backend http service for nginx lookup/authentication)
|7072 || http  || mailbox || ZCS nginx lookup - backend http service for nginx lookup/authentication
|-
|-
|7073 || http  || mailbox || ZCS saslauthd Lookup (backend http service for SASL lookup/authentication) (added in  ZCS 8.7)
|7073 || http  || mailbox || ZCS saslauthd lookup - backend http service for SASL lookup/authentication (added in  ZCS 8.7)
|-
|-
|7110 || pop3  || mailbox || Backend POP3 (if proxy configured)
|7110 || pop3  || mailbox || Backend POP3 (if proxy configured); ''zimbraPop3BindAddress''
|-
|-
|7143 || imap  || mailbox || Backend IMAP (if proxy configured)
|7143 || imap  || mailbox || Backend IMAP (if proxy configured); ''zimbraImapBindAddress''
|-
|-
|7171 ||  - || zmconfigd || configuration daemon
|7171 ||  -   || zmconfigd || configuration daemon; localhost
|-
|-
|7306 || mysql || mailbox ||
|7306 || mysql || mailbox || LC(mysql_bind_address); localhost
|-
|-
|7307 || mysql || logger || logger (removed in ZCS 7)
|7307 || mysql || logger || logger (removed in ZCS 7)
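Review bot: in the new 3310 row the description "AV content scanning; localhost|zimbraClamAVBindAddress" contains a single "|", which wikitable syntax reads as the cell-attribute separator, so the rendered row shows only "zimbraClamAVBindAddress" and loses "AV content scanning; localhost". Escape the pipe or write "localhost or" instead. Separately, the 7047 row now says "Accessed by localhost by default; binds to '*'" and drops the zimbraConvertdURL pointer; since the listener is on all interfaces, the row should say that it has to be covered by a host firewall rule.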
Line 72: Line 82:
|7780 || http  || mailbox || spell check
|7780 || http  || mailbox || spell check
|-
|-
|7993 || imaps || mailbox || Backend IMAP over TLS (if proxy configured)
|7993 || imaps || mailbox || Backend IMAP over TLS (if proxy configured); ''zimbraImapSSLBindAddress''
|-
|7995 || pop3s || mailbox || Backend POP3 over TLS (if proxy configured); ''zimbraPop3SSLBindAddress''
|-
|-
|7995 || pop3s || mailbox || Backend POP3 over TLS (if proxy configured)
|8080 || http  || mailbox || Backend HTTP  (if proxy configured on same host); ''zimbraMailBindAddress''
|-
|-
|8080 || http  || mailbox || Backend HTTP  (if proxy configured on same host, disabled by default in 8.0)
|8443 || https || mailbox || Backend HTTPS (if proxy configured on same host); ''zimbraMailSSLBindAddress''
|-
|-
|8443 || https || mailbox || Backend HTTPS (if proxy configured on same host)
|8465 || milter || mta/opendkim || OpenDKIM milter service; localhost
|-
|-
|8465 || milter || mta/opendkim || OpenDKIM milter service
|8735 || zextras || mailbox || internal mailbox to mailbox communication
|-
|-
|10024 || smtp || mta/amavisd || to amavis from postfix
| 8736 ||zextras || mailbox || distributed configuration
|-
|-
|10025 || smtp || mta/master || (no antispam) back to postfix from amavis|opendkim
|10024 || smtp || mta/amavisd || to amavis from postfix; localhost
|-
|-
|10026 || smtp || mta/amavisd || "ORIGINATING" policy
|10025 || smtp || mta/master || (no antispam) back to postfix from amavis|opendkim; localhost
|-
|10026 || smtp || mta/amavisd || "ORIGINATING" policy; localhost
|-
|-
|10027 || smtp || mta/master || postjournal
|10027 || smtp || mta/master || postjournal
|-
|-
|10028 || smtp || mta/master || content_filter=scan via opendkim
|10028 || smtp || mta/master || content_filter=scan via opendkim; localhost
|-
|-
|10029 || smtp || mta/master || "postfix/archive"
|10029 || smtp || mta/master || "postfix/archive"; localhost
|-
|-
|10030 || smtp || mta/master || talks to opendkim milter, forwards to 10025|10032
|10030 || smtp || mta/master || talks to opendkim milter, forwards to 10025|10032; localhost
|-
|-
|10031 || milter || mta/cbpolicyd || cluebringer policyd
|10031 || milter || mta/cbpolicyd || cluebringer policyd
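Review bot: the 10025 and 10030 rows get "; localhost" appended but keep a bare "|" inside the description ("amavis|opendkim" and "10025|10032"), so the rendered table shows only "opendkim; localhost" and "10032; localhost". Escape the pipes or reword so the full descriptions survive. 10027 (postjournal) is also left as the only 1002x row without a bind note; say whether it is localhost-only as well.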
Line 100: Line 114:
|10032 || smtp || mta/amavisd || (antispam) "ORIGINATING_POST" policy
|10032 || smtp || mta/amavisd || (antispam) "ORIGINATING_POST" policy
|-
|-
|11211 || memcached || memcached || nginx route lookups, mbox cache (calendar, folders, sync, tags)
|10663 || -    || logger || LC(logger_zmrrdfetch_port); localhost
|}
|-
 
|23232 || -   || mta/amavisd || amavis-services / msg-forwarder (zeromq);  localhost
==System Access==
{| class="wikitable" style="margin-left || 5px| margin-right || auto|"
!Port || Protocol || Zimbra Service || Description
|-
|-
|22 || ssh || ||
|23233 || -    || mta/amavisd || snmp-responder; localhost
|-
|-
|53 || dns || ||
|11211 || memcached || memcached || nginx route lookups, mbox cache (calendar, folders, sync, tags); ''zimbraMemcachedBindAddress''
|-
|-
|514 || syslogd || [logger] || (udp)
|}
|}


== Intra-Node Communication ==
== System Access and Intra-Node Communication ==
In a multi-node environment the typical communication between nodes required includes:
In a multi-node environment the typical communication between nodes required includes:
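Review bot: the new 10663, 23232 and 23233 rows are inserted above the existing 11211 memcached row, so the Internal Access table is no longer in port order. Place 11211 between 10663 and 23232 so a reader scanning by port number finds it.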


Line 123: Line 133:
| colspan="3" | '''ALL'''
| colspan="3" | '''ALL'''
|-
|-
| tcp/22 || '''*ALL*''' || zmrcd, SSH for management
| 22 || '''*ALL*''' || SSH (system &amp; <u>zmrcd</u>): host management
|-
| udp/53 || '''*ALL*''' || DNS (system &brvbar; <u>dnscache</u>): name resolution
|-
| colspan="3" | '''Logger'''
|-
|-
| udp/53 || '''*ALL*''' || DNS name resolution (dependent upon system resolver config)
| udp/514 || '''*ALL*''' || syslog: system and application logging
|-
|-
| colspan="3" | '''LDAP'''
| colspan="3" | '''LDAP'''
|-
|-
| tcp/389 || '''*ALL*''' || all nodes talk to LDAP server(s)
| 389 || '''*ALL*''' || all nodes talk to LDAP server(s)
|-
|-
| colspan="3" | '''MTA'''
| colspan="3" | '''MTA'''
|-
|-
| tcp/25 || ldap || sent email (cron jobs)
| 25 || ldap || sent email (cron jobs)
|-
|-
| tcp/25 || mbox || sent email (web client, cron, etc.)
| 25 || mbox || sent email (web client, cron, etc.)
|-
|-
| colspan="3" | '''Memcached'''
| colspan="3" | '''antivirus'''
|-
|-
| tcp/11211 || mbox || mbox metadata data cache
| 3310 || mbox || [[Enable_the_real-time_attachment_scanning_for_outgoing_mail_sent_via_the_Web_Client | ''zimbraAttachmentsScanURL'']] (not set by default)
|-
|-
| tcp/11211 || proxy || backend mailbox route cache
| colspan="3" | '''memcached'''
|-
|-
| colspan="3" | '''Logger'''
| 11211 || mbox || mbox metadata data cache
|-
|-
| udp/514 || '''*ALL*''' || all nodes talk to logger server
| 11211 || proxy || backend mailbox route cache
|-
|-
| colspan="3" | '''Mailbox''' (mbox)
| colspan="3" | '''Mailbox''' (mbox)
|-
|-
| tcp/80 || proxy || backend proxy http
| 80 || proxy || backend proxy http
|-
| 110 || proxy || backend proxy pop3
|-
| 143 || proxy || backend proxy imap
|-
| 443 || proxy || backend proxy https
|-
| 993 || proxy || backend proxy imaps
|-
|-
| tcp/110 || proxy || backend proxy pop3
| 995 || proxy || backend proxy pop3s
|-
|-
| tcp/143 || proxy || backend proxy imap
| 7025 || mta || all mta talk to any mbox (LMTP)
|-
|-
| tcp/443 || proxy || backend proxy https
| 7047 || mbox || localhost by default; ''zimbraConvertdURL''
|-
|-
| tcp/993 || proxy || backend proxy imaps
| 7071 || mbox || all mbox talk to any mbox (Admin)
|-
|-
| tcp/995 || proxy || backend proxy pop3s
| 7072 || proxy || zmlookup; ''zimbraReverseProxyLookupTarget''
|-
|-
| tcp/7025 || mta || all mta talk to any mbox (LMTP)
| 7073 || mta || sasl auth; ''zimbraMtaAuthTarget'' (since ZCS 8.7)
|-
|-
| tcp/7071 || mbox || all mbox talk to any mbox (Admin)
|-
|-
| tcp/7072 || proxy || zmlookup - zimbraReverseProxyLookupTarget
| colspan="3" | '''Zimbra Docs'''
|-
|-
| tcp/7073 || mta || sasl auth - zimbraMtaAuthTarget (since ZCS 8.7)
| 8443 || all docs + all mbox || backend https
|}
|}
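Review bot: the Destination column drops the "tcp/" prefix from every TCP row but keeps "udp/53" and "udp/514", and nothing in the table says that a bare number means TCP. Keep the explicit prefix or add that statement next to the table, since these rows are what firewall rules get written from. The two ALL rows also use different separators ("system & zmrcd" and "system ¦ dnscache"); pick one.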



Revision as of 18:25, 18 July 2018

Default Ports Used by Zimbra

   KB 1391        Last updated on 2018-07-18  






You may choose not to allow remote connections to all of the external ports depending on which services you want to make available. In general, it is best to be as restrictive as possible.

External Access

These are ports typically available to mail clients.

{| class="wikitable"
!Port || Protocol || Zimbra Service || Description
|-
|25 || smtp || mta || incoming mail to postfix
|-
|80 || http || mailbox / proxy || web mail client (disabled by default in 8.0)
|-
|110 || pop3 || mailbox / proxy || POP3
|-
|143 || imap || mailbox / proxy || IMAP
|-
|443 || https || mailbox / proxy - web mail client || HTTP over TLS
|-
|465 || smtps || mta || Incoming mail to postfix over TLS (Legacy Outlook only? If possible, use 587 instead)
|-
|587 || smtp || mta || Mail submission over TLS
|-
|993 || imaps || mailbox / proxy || IMAP over TLS
|-
|995 || pop3s || mailbox / proxy || POP3 over TLS
|-
|3443 || https || proxy || User Certificate Connection Port (optional)
|-
|5222 || xmpp || mailbox || Default server port
|-
|5223 || xmpp || mailbox || Default legacy SSL port
|-
|9071 || https || proxy admin console || HTTP over TLS (optional)
|}

Internal Access

These are ports typically only used by the Zimbra system itself.

{| class="wikitable"
!Port || Protocol || Zimbra Service || Description
|-
|389 || ldap || ldap || LC(ldap_bind_url)
|-
|636 || ldaps || ldaps || if enabled via LC(ldap_bind_url)
|-
|3310 || - || mta/clamd || AV content scanning; localhost<nowiki>|</nowiki>zimbraClamAVBindAddress
|-
|5269 || xmpp || mailbox || Server-to-Server communications between servers on the same cluster
|-
|7025 || lmtp || mailbox || local mail delivery; zimbraLmtpBindAddress
|-
|7026 || milter || mailbox || zimbra-milter; zimbraMilterBindAddress
|-
|7047 || http || conversion server || Accessed by localhost by default; binds to '*'
|-
|7071 || https || mailbox || admin console HTTP over TLS; zimbraAdminBindAddress
|-
|7072 || http || mailbox || ZCS nginx lookup - backend http service for nginx lookup/authentication
|-
|7073 || http || mailbox || ZCS saslauthd lookup - backend http service for SASL lookup/authentication (added in ZCS 8.7)
|-
|7110 || pop3 || mailbox || Backend POP3 (if proxy configured); zimbraPop3BindAddress
|-
|7143 || imap || mailbox || Backend IMAP (if proxy configured); zimbraImapBindAddress
|-
|7171 || - || zmconfigd || configuration daemon; localhost
|-
|7306 || mysql || mailbox || LC(mysql_bind_address); localhost
|-
|7307 || mysql || logger || logger (removed in ZCS 7)
|-
|7780 || http || mailbox || spell check
|-
|7993 || imaps || mailbox || Backend IMAP over TLS (if proxy configured); zimbraImapSSLBindAddress
|-
|7995 || pop3s || mailbox || Backend POP3 over TLS (if proxy configured); zimbraPop3SSLBindAddress
|-
|8080 || http || mailbox || Backend HTTP (if proxy configured on same host); zimbraMailBindAddress
|-
|8443 || https || mailbox || Backend HTTPS (if proxy configured on same host); zimbraMailSSLBindAddress
|-
|8465 || milter || mta/opendkim || OpenDKIM milter service; localhost
|-
|8735 || zextras || mailbox || internal mailbox to mailbox communication
|-
|8736 || zextras || mailbox || distributed configuration
|-
|10024 || smtp || mta/amavisd || to amavis from postfix; localhost
|-
|10025 || smtp || mta/master || (no antispam) back to postfix from amavis<nowiki>|</nowiki>opendkim; localhost
|-
|10026 || smtp || mta/amavisd || "ORIGINATING" policy; localhost
|-
|10027 || smtp || mta/master || postjournal
|-
|10028 || smtp || mta/master || content_filter=scan via opendkim; localhost
|-
|10029 || smtp || mta/master || "postfix/archive"; localhost
|-
|10030 || smtp || mta/master || talks to opendkim milter, forwards to 10025<nowiki>|</nowiki>10032; localhost
|-
|10031 || milter || mta/cbpolicyd || cluebringer policyd
|-
|10032 || smtp || mta/amavisd || (antispam) "ORIGINATING_POST" policy
|-
|10663 || - || logger || LC(logger_zmrrdfetch_port); localhost
|-
|23232 || - || mta/amavisd || amavis-services / msg-forwarder (zeromq); localhost
|-
|23233 || - || mta/amavisd || snmp-responder; localhost
|-
|11211 || memcached || memcached || nginx route lookups, mbox cache (calendar, folders, sync, tags); zimbraMemcachedBindAddress
|}
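
One way to check a host against the rows above that are annotated "localhost", as an added example that is not part of the Zimbra wiki page. It assumes the Linux `ss -Htln` line format; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Zimbra code): report listeners that the Internal Access
# table annotates "localhost" but that are bound to some other address.

# Only rows whose description says "localhost" are listed; 3310, 10027, 10031
# and 10032 carry no such note, and 7047 is documented as binding to '*'.
LOCAL_ONLY_PORTS="7171 7306 8465 10024 10025 10026 10028 10029 10030 10663 23232 23233"

# Reads `ss -Htln` lines on stdin (State Recv-Q Send-Q Local Peer) and prints
# "port address" for each listed port that listens on a non-loopback address.
audit_local_only() {
    awk -v ports="$LOCAL_ONLY_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "LISTEN" {
            la = $4
            port = la; sub(/.*:/, "", port)          # text after the last colon
            addr = substr(la, 1, length(la) - length(port) - 1)
            gsub(/[][]/, "", addr)                   # strip IPv6 brackets
            if (!(port in want)) next                # not a localhost-only row
            if (addr ~ /^127\./ || addr == "::1") next
            print port, addr
        }'
}

# Constructed sample input, shaped like `ss -Htln` output.
sample_ss_output() {
    cat <<'EOF'
LISTEN 0 128 127.0.0.1:7171 0.0.0.0:*
LISTEN 0 80 0.0.0.0:7306 0.0.0.0:*
LISTEN 0 100 127.0.0.1:10024 0.0.0.0:*
LISTEN 0 100 [::1]:10025 [::]:*
LISTEN 0 100 [::]:10026 [::]:*
LISTEN 0 50 *:7047 *:*
LISTEN 0 128 0.0.0.0:443 0.0.0.0:*
EOF
}

# On a Zimbra host the real input would be:  ss -Htln | audit_local_only
sample_ss_output | audit_local_only
```

Any line it prints is a port that should either be rebound to loopback through the setting named in the table or be blocked by the host firewall.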

System Access and Intra-Node Communication

In a multi-node environment, the communication typically required between nodes includes:

Please note: this table is a WORK IN PROGRESS

{| class="wikitable"
!Destination || Source(s) || Description
|-
| colspan="3" | ALL
|-
| 22 || *ALL* || SSH (system & zmrcd): host management
|-
| udp/53 || *ALL* || DNS (system ¦ dnscache): name resolution
|-
| colspan="3" | Logger
|-
| udp/514 || *ALL* || syslog: system and application logging
|-
| colspan="3" | LDAP
|-
| 389 || *ALL* || all nodes talk to LDAP server(s)
|-
| colspan="3" | MTA
|-
| 25 || ldap || sent email (cron jobs)
|-
| 25 || mbox || sent email (web client, cron, etc.)
|-
| colspan="3" | antivirus
|-
| 3310 || mbox || zimbraAttachmentsScanURL (not set by default)
|-
| colspan="3" | memcached
|-
| 11211 || mbox || mbox metadata data cache
|-
| 11211 || proxy || backend mailbox route cache
|-
| colspan="3" | Mailbox (mbox)
|-
| 80 || proxy || backend proxy http
|-
| 110 || proxy || backend proxy pop3
|-
| 143 || proxy || backend proxy imap
|-
| 443 || proxy || backend proxy https
|-
| 993 || proxy || backend proxy imaps
|-
| 995 || proxy || backend proxy pop3s
|-
| 7025 || mta || all mta talk to any mbox (LMTP)
|-
| 7047 || mbox || localhost by default; zimbraConvertdURL
|-
| 7071 || mbox || all mbox talk to any mbox (Admin)
|-
| 7072 || proxy || zmlookup; zimbraReverseProxyLookupTarget
|-
| 7073 || mta || sasl auth; zimbraMtaAuthTarget (since ZCS 8.7)
|-
| colspan="3" | Zimbra Docs
|-
| 8443 || all docs + all mbox || backend https
|}
Verified Against: unknown Date Created: 4/4/2006
Article ID: https://wiki.zimbra.com/index.php?title=Ports Date Modified: 2018-07-18


