Ports: Difference between revisions
No edit summary |
|||
(26 intermediate revisions by 5 users not shown) | |||
Line 2: | Line 2: | ||
__FORCETOC__ | __FORCETOC__ | ||
<div class="col-md-12 ibox-content"> | <div class="col-md-12 ibox-content"> | ||
=Default Ports Used by Zimbra= | = Default Ports Used by Zimbra = | ||
{{KB|{{ZC}}|{{ZCS 8.6}}|{{ZCS 8.5}}|{{ZCS 8.0}}|}} | {{KB|{{ZC}}|{{ZCS 8.8}}|{{ZCS 8.6}}|{{ZCS 8.5}}|{{ZCS 8.0}}|}} | ||
{{WIP}} | {{WIP}} | ||
You may choose not to allow remote connections to all of | You may choose not to allow remote connections to all of the external ports depending on which services you want to make available. In general, it is best to be restrictive as possible. | ||
==External Access== | == External Access == | ||
These are ports typically available to mail clients. | These are ports typically available to mail clients. | ||
;25 | {| class="wikitable" style="margin-left: 5px; margin-right: auto;" | ||
!Port || Protocol || Zimbra Service || Description | |||
|- | |||
|25 || smtp || mta || incoming mail to postfix | |||
|- | |||
|80 || http || mailbox / proxy || web mail client (disabled by default in 8.0) | |||
|- | |||
|110 || pop3 || mailbox / proxy || POP3 | |||
|- | |||
|143 || imap || mailbox / proxy || IMAP | |||
|- | |||
|443 || https || mailbox / proxy - web mail client || HTTP over TLS | |||
|- | |||
|465 || smtps || mta || Incoming mail to postfix over TLS (Prefered over 587, as 465 is implicit TLS see : https://www.rfc-editor.org/rfc/rfc8314 you can still use both ports) | |||
|- | |||
|587 || smtp || mta || Mail submission over TLS | |||
|- | |||
|993 || imaps || mailbox / proxy || IMAP over TLS | |||
|- | |||
|995 || pop3s || mailbox / proxy || POP3 over TLS | |||
|- | |||
|3443 || https || proxy || User Certificate Connection Port (optional) | |||
|- | |||
|5222 || xmpp || mailbox || Default server port | |||
|- | |||
|5223 || xmpp || mailbox || Default legacy SSL port | |||
|- | |||
|9071 || https || proxy admin console || HTTP over TLS (optional) | |||
|- | |||
|} | |||
==Internal Access== | == Internal Access == | ||
These are ports typically only used by the | These are ports typically only used by the Zimbra system itself. | ||
{| class="wikitable" style="margin-left || 5px| margin-right || auto|" | |||
!Port || Protocol || Zimbra Service || Description | |||
;7025 | |- | ||
;7047 | |389 || ldap || ldap || LC(ldap_bind_url) | ||
|- | |||
|636 || ldaps || ldaps || if enabled via LC(ldap_bind_url) | |||
|- | |||
|3310 || - || mta/clamd || AV content scanning; localhost|''zimbraClamAVBindAddress'' | |||
|- | |||
;7306 | |5269 || xmpp || mailbox || Server-to-Server communications between servers on the same cluster | ||
|- | |||
|7025 || lmtp || mailbox || local mail delivery; ''zimbraLmtpBindAddress'' | |||
|- | |||
|7026 || milter || mailbox || [[Enabling_and_administering_the_Zimbra_milter | zimbra-milter]]; ''zimbraMilterBindAddress'' | |||
|- | |||
|7047 || http || conversion server || Accessed by localhost by default; binds to '*' | |||
;10024 | |- | ||
|7071 || https || mailbox || admin console HTTP over TLS; ''zimbraAdminBindAddress'' | |||
;11211 | |- | ||
|7072 || http || mailbox || ZCS nginx lookup - backend http service for nginx lookup/authentication | |||
|- | |||
|7073 || http || mailbox || ZCS saslauthd lookup - backend http service for SASL lookup/authentication (added in ZCS 8.7) | |||
|- | |||
|7110 || pop3 || mailbox || Backend POP3 (if proxy configured); ''zimbraPop3BindAddress'' | |||
|- | |||
|7143 || imap || mailbox || Backend IMAP (if proxy configured); ''zimbraImapBindAddress'' | |||
|- | |||
|7171 || - || zmconfigd || configuration daemon; localhost | |||
|- | |||
|7306 || mysql || mailbox || LC(mysql_bind_address); localhost | |||
|- | |||
|7307 || mysql || logger || logger (removed in ZCS 7) | |||
|- | |||
|7780 || http || mailbox || spell check | |||
|- | |||
|7993 || imaps || mailbox || Backend IMAP over TLS (if proxy configured); ''zimbraImapSSLBindAddress'' | |||
|- | |||
|7995 || pop3s || mailbox || Backend POP3 over TLS (if proxy configured); ''zimbraPop3SSLBindAddress'' | |||
|- | |||
|8080 || http || mailbox || Backend HTTP (if proxy configured on same host); ''zimbraMailBindAddress'' | |||
|- | |||
|8443 || https || mailbox || Backend HTTPS (if proxy configured on same host); ''zimbraMailSSLBindAddress'' | |||
|- | |||
|8465 || milter || mta/opendkim || OpenDKIM milter service; localhost | |||
|- | |||
|8735 || ng || mailbox || internal mailbox to mailbox communication | |||
|- | |||
| 8736 || ng || mailbox || distributed configuration | |||
|- | |||
|10024 || smtp || mta/amavisd || to amavis from postfix; localhost | |||
|- | |||
|10025 || smtp || mta/master || (no antispam) back to postfix from amavis|opendkim; localhost | |||
|- | |||
|10026 || smtp || mta/amavisd || "ORIGINATING" policy; localhost | |||
|- | |||
|10027 || smtp || mta/master || postjournal | |||
|- | |||
|10028 || smtp || mta/master || content_filter=scan via opendkim; localhost | |||
|- | |||
|10029 || smtp || mta/master || "postfix/archive"; localhost | |||
|- | |||
|10030 || smtp || mta/master || talks to opendkim milter, forwards to 10025|10032; localhost | |||
|- | |||
|10031 || milter || mta/cbpolicyd || cluebringer policyd | |||
|- | |||
|10032 || smtp || mta/amavisd || (antispam) "ORIGINATING_POST" policy | |||
|- | |||
|10663 || - || logger || LC(logger_zmrrdfetch_port); localhost | |||
|- | |||
|23232 || - || mta/amavisd || amavis-services / msg-forwarder (zeromq); localhost | |||
|- | |||
|23233 || - || mta/amavisd || snmp-responder; localhost | |||
|- | |||
|11211 || memcached || memcached || nginx route lookups, mbox cache (calendar, folders, sync, tags); ''zimbraMemcachedBindAddress'' | |||
|- | |||
|} | |||
==System Access== | == System Access and Intra-Node Communication == | ||
; | In a multi-node environment the typical communication between nodes required includes: | ||
; | |||
Please note: this table is a '''WORK IN PROGRESS''' | |||
{| class="wikitable" style="margin-left || 5px| margin-right || auto|" | |||
!Destination || Source(s) || Description | |||
|- | |||
| colspan="3" | '''ALL''' | |||
|- | |||
| 22 || '''*ALL*''' || SSH (system & <u>zmrcd</u>): host management | |||
|- | |||
| udp/53 || '''*ALL*''' || DNS (system ¦ <u>dnscache</u>): name resolution | |||
|- | |||
| colspan="3" | '''Logger''' | |||
|- | |||
| udp/514 || '''*ALL*''' || syslog: system and application logging | |||
|- | |||
| colspan="3" | '''LDAP''' | |||
|- | |||
| 389 || '''*ALL*''' || all nodes talk to LDAP server(s) | |||
|- | |||
| colspan="3" | '''MTA''' | |||
|- | |||
| 25 || ldap || sent email (cron jobs) | |||
|- | |||
| 25 || mbox || sent email (web client, cron, etc.) | |||
|- | |||
| colspan="3" | '''antivirus''' | |||
|- | |||
| 3310 || mbox || [[Enable_the_real-time_attachment_scanning_for_outgoing_mail_sent_via_the_Web_Client | ''zimbraAttachmentsScanURL'']] (not set by default) | |||
|- | |||
| colspan="3" | '''memcached''' | |||
|- | |||
| 11211 || mbox || mbox metadata data cache | |||
|- | |||
| 11211 || proxy || backend mailbox route cache | |||
|- | |||
| colspan="3" | '''Mailbox''' (mbox) | |||
|- | |||
| 80 || proxy || backend proxy http | |||
|- | |||
| 110 || proxy || backend proxy pop3 | |||
|- | |||
| 143 || proxy || backend proxy imap | |||
|- | |||
| 443 || proxy || backend proxy https | |||
|- | |||
| 993 || proxy || backend proxy imaps | |||
|- | |||
| 995 || proxy || backend proxy pop3s | |||
|- | |||
| 7025 || mta || all mta talk to any mbox (LMTP) | |||
|- | |||
| 7047 || mbox || localhost by default; ''zimbraConvertdURL'' | |||
|- | |||
| 7071 || mbox || all mbox talk to any mbox (Admin) | |||
|- | |||
| 7072 || proxy || zmlookup; ''zimbraReverseProxyLookupTarget'' | |||
|- | |||
| 7073 || mta || sasl auth; ''zimbraMtaAuthTarget'' (since ZCS 8.7) | |||
|- | |||
|- | |||
| colspan="3" | '''Zimbra Docs''' | |||
|- | |||
| 8443 || all docs + all mbox || backend https | |||
|} | |||
{{Article_Footer|unknown|4/4/2006}} | {{Article_Footer|unknown|4/4/2006}} | ||
[[Category:Ports]] | [[Category:Ports]] | ||
[[Category:Firewall]] |
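Review bot: In the new Internal Access table, the Description cells for ports 3310, 10025 and 10030 contain a bare `|` (`localhost|''zimbraClamAVBindAddress''`, `amavis|opendkim`, `10025|10032`). MediaWiki treats the text before a single pipe inside a cell as cell attributes, so the rendered rows lose everything ahead of it and show only "zimbraClamAVBindAddress", "opendkim; localhost" and "10032; localhost". Write the pipe as `{{!}}` or `<nowiki>|</nowiki>`, or use a slash. Two smaller points in the same revision: the `style` attribute on the Internal Access and System Access tables reads `margin-left || 5px| margin-right || auto|` where the External Access table has `margin-left: 5px; margin-right: auto;`, and there is a doubled `|-` row separator before the Zimbra Docs row.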
Latest revision as of 07:29, 26 August 2022
Default Ports Used by Zimbra
You may choose not to allow remote connections to all of the external ports depending on which services you want to make available. In general, it is best to be as restrictive as possible.
External Access
These are ports typically available to mail clients.
Port | Protocol | Zimbra Service | Description |
---|---|---|---|
25 | smtp | mta | incoming mail to postfix |
80 | http | mailbox / proxy | web mail client (disabled by default in 8.0) |
110 | pop3 | mailbox / proxy | POP3 |
143 | imap | mailbox / proxy | IMAP |
443 | https | mailbox / proxy - web mail client | HTTP over TLS |
465 | smtps | mta | Incoming mail to postfix over TLS (preferred over 587, as 465 is implicit TLS; see https://www.rfc-editor.org/rfc/rfc8314; you can still use both ports) |
587 | smtp | mta | Mail submission over TLS |
993 | imaps | mailbox / proxy | IMAP over TLS |
995 | pop3s | mailbox / proxy | POP3 over TLS |
3443 | https | proxy | User Certificate Connection Port (optional) |
5222 | xmpp | mailbox | Default server port |
5223 | xmpp | mailbox | Default legacy SSL port |
9071 | https | proxy admin console | HTTP over TLS (optional) |
Internal Access
These are ports typically only used by the Zimbra system itself.
Port | Protocol | Zimbra Service | Description |
---|---|---|---|
389 | ldap | ldap | LC(ldap_bind_url) |
636 | ldaps | ldaps | if enabled via LC(ldap_bind_url) |
3310 | - | mta/clamd | AV content scanning; localhost / zimbraClamAVBindAddress |
5269 | xmpp | mailbox | Server-to-Server communications between servers on the same cluster |
7025 | lmtp | mailbox | local mail delivery; zimbraLmtpBindAddress |
7026 | milter | mailbox | zimbra-milter; zimbraMilterBindAddress |
7047 | http | conversion server | Accessed by localhost by default; binds to '*' |
7071 | https | mailbox | admin console HTTP over TLS; zimbraAdminBindAddress |
7072 | http | mailbox | ZCS nginx lookup - backend http service for nginx lookup/authentication |
7073 | http | mailbox | ZCS saslauthd lookup - backend http service for SASL lookup/authentication (added in ZCS 8.7) |
7110 | pop3 | mailbox | Backend POP3 (if proxy configured); zimbraPop3BindAddress |
7143 | imap | mailbox | Backend IMAP (if proxy configured); zimbraImapBindAddress |
7171 | - | zmconfigd | configuration daemon; localhost |
7306 | mysql | mailbox | LC(mysql_bind_address); localhost |
7307 | mysql | logger | logger (removed in ZCS 7) |
7780 | http | mailbox | spell check |
7993 | imaps | mailbox | Backend IMAP over TLS (if proxy configured); zimbraImapSSLBindAddress |
7995 | pop3s | mailbox | Backend POP3 over TLS (if proxy configured); zimbraPop3SSLBindAddress |
8080 | http | mailbox | Backend HTTP (if proxy configured on same host); zimbraMailBindAddress |
8443 | https | mailbox | Backend HTTPS (if proxy configured on same host); zimbraMailSSLBindAddress |
8465 | milter | mta/opendkim | OpenDKIM milter service; localhost |
8735 | ng | mailbox | internal mailbox to mailbox communication |
8736 | ng | mailbox | distributed configuration |
10024 | smtp | mta/amavisd | to amavis from postfix; localhost |
10025 | smtp | mta/master | (no antispam) back to postfix from amavis / opendkim; localhost |
10026 | smtp | mta/amavisd | "ORIGINATING" policy; localhost |
10027 | smtp | mta/master | postjournal |
10028 | smtp | mta/master | content_filter=scan via opendkim; localhost |
10029 | smtp | mta/master | "postfix/archive"; localhost |
10030 | smtp | mta/master | talks to opendkim milter, forwards to 10025 / 10032; localhost |
10031 | milter | mta/cbpolicyd | cluebringer policyd |
10032 | smtp | mta/amavisd | (antispam) "ORIGINATING_POST" policy |
10663 | - | logger | LC(logger_zmrrdfetch_port); localhost |
23232 | - | mta/amavisd | amavis-services / msg-forwarder (zeromq); localhost |
23233 | - | mta/amavisd | snmp-responder; localhost |
11211 | memcached | memcached | nginx route lookups, mbox cache (calendar, folders, sync, tags); zimbraMemcachedBindAddress |
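
An added example (not part of the wiki page or of Zimbra's tooling): one way to check a node against the External Access and Internal Access tables is to classify the listeners reported by `ss -Htln`. The port sets are transcribed from the tables above; the socket list is a constructed sample, and `audit` and `is_loopback` are names chosen here.

```python
import ipaddress

# Port sets transcribed from the External Access and Internal Access tables.
EXTERNAL = {25, 80, 110, 143, 443, 465, 587, 993, 995, 3443, 5222, 5223, 9071}
# Internal rows whose Description says "localhost".
LOCALHOST_ONLY = {7171, 7306, 8465, 10024, 10025, 10026, 10028, 10029, 10030,
                  10663, 23232, 23233}
# Remaining internal rows: reachable from other cluster nodes at most.
INTERNAL = {389, 636, 3310, 5269, 7025, 7026, 7047, 7071, 7072, 7073, 7110,
            7143, 7307, 7780, 7993, 7995, 8080, 8443, 8735, 8736, 10027,
            10031, 10032, 11211}

def is_loopback(addr):
    """True if a local address as printed by ss is a loopback address."""
    addr = addr.strip("[]").split("%")[0]  # drop IPv6 brackets and scope id
    # "*" is a wildcard bind, never loopback
    return addr != "*" and ipaddress.ip_address(addr).is_loopback

def audit(ss_output):
    """Return sorted (port, address, verdict) for listeners needing review."""
    findings = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        port = int(port)
        if is_loopback(addr) or port in EXTERNAL:
            continue  # loopback binds and client-facing ports are expected
        if port in LOCALHOST_ONLY:
            verdict = "localhost-only service bound off loopback"
        elif port in INTERNAL:
            verdict = "internal port: allow cluster nodes only"
        else:
            verdict = "not in the Zimbra port tables"
        findings.add((port, addr, verdict))
    return sorted(findings)

# Constructed sample in the format printed by `ss -Htln`.
SAMPLE = """\
LISTEN 0 128 0.0.0.0:25 0.0.0.0:*
LISTEN 0 128 127.0.0.1:7306 0.0.0.0:*
LISTEN 0 50 *:7047 *:*
LISTEN 0 128 0.0.0.0:10024 0.0.0.0:*
LISTEN 0 128 [::]:11211 [::]:*
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

The 7047 finding matches the table's own note that the conversion server binds to '*' while being accessed from localhost by default, so the host firewall is what keeps it internal.
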
System Access and Intra-Node Communication
In a multi-node environment, the communication typically required between nodes includes:
Please note: this table is a WORK IN PROGRESS
Destination | Source(s) | Description |
---|---|---|
ALL | ||
22 | *ALL* | SSH (system & zmrcd): host management |
udp/53 | *ALL* | DNS (system ¦ dnscache): name resolution |
Logger | ||
udp/514 | *ALL* | syslog: system and application logging |
LDAP | ||
389 | *ALL* | all nodes talk to LDAP server(s) |
MTA | ||
25 | ldap | sent email (cron jobs) |
25 | mbox | sent email (web client, cron, etc.) |
antivirus | ||
3310 | mbox | zimbraAttachmentsScanURL (not set by default) |
memcached | ||
11211 | mbox | mbox metadata data cache |
11211 | proxy | backend mailbox route cache |
Mailbox (mbox) | ||
80 | proxy | backend proxy http |
110 | proxy | backend proxy pop3 |
143 | proxy | backend proxy imap |
443 | proxy | backend proxy https |
993 | proxy | backend proxy imaps |
995 | proxy | backend proxy pop3s |
7025 | mta | all mta talk to any mbox (LMTP) |
7047 | mbox | localhost by default; zimbraConvertdURL |
7071 | mbox | all mbox talk to any mbox (Admin) |
7072 | proxy | zmlookup; zimbraReverseProxyLookupTarget |
7073 | mta | sasl auth; zimbraMtaAuthTarget (since ZCS 8.7) |
Zimbra Docs | ||
8443 | all docs + all mbox | backend https |