Ports
Default Ports Used by Zimbra
You may choose not to allow remote connections to all of the external ports, depending on which services you want to make available. In general, it is best to be as restrictive as possible.
External Access
These are ports typically available to mail clients.
Port | Protocol | Zimbra Service | Description |
---|---|---|---|
25 | smtp | mta | incoming mail to postfix |
80 | http | mailbox / proxy | web mail client (disabled by default in 8.0) |
110 | pop3 | mailbox / proxy | POP3 |
143 | imap | mailbox / proxy | IMAP |
443 | https | mailbox / proxy | web mail client, HTTP over TLS |
465 | smtps | mta | Incoming mail to postfix over TLS (Legacy Outlook only? If possible, use 587 instead) |
587 | smtp | mta | Mail submission over TLS |
993 | imaps | mailbox / proxy | IMAP over TLS |
995 | pop3s | mailbox / proxy | POP3 over TLS |
3443 | https | proxy | User Certificate Connection Port (optional) |
9071 | https | proxy admin console | HTTP over TLS (optional) |
Internal Access
These are ports typically used only by the Zimbra system itself.
Port | Protocol | Zimbra Service | Description |
---|---|---|---|
389 | ldap | ldap | |
636 | ldaps | ldaps | (if enabled) |
7025 | lmtp | mailbox | local mail delivery |
7047 | http | conversion server | Accessed by localhost by default; See also zimbraConvertdURL |
7071 | https | mailbox | admin console HTTP over TLS |
7072 | http | mailbox | ZCS Nginx Lookup (backend http service for nginx lookup/authentication) |
7073 | http | mailbox | ZCS saslauthd Lookup (backend http service for SASL lookup/authentication) (added in ZCS 8.7) |
7110 | pop3 | mailbox | Backend POP3 (if proxy configured) |
7143 | imap | mailbox | Backend IMAP (if proxy configured) |
7171 | - | zmconfigd | configuration daemon |
7306 | mysql | mailbox | |
7307 | mysql | logger | logger (removed in ZCS 7) |
7780 | http | mailbox | spell check |
7993 | imaps | mailbox | Backend IMAP over TLS (if proxy configured) |
7995 | pop3s | mailbox | Backend POP3 over TLS (if proxy configured) |
8080 | http | mailbox | Backend HTTP (if proxy configured on same host, disabled by default in 8.0) |
8443 | https | mailbox | Backend HTTPS (if proxy configured on same host) |
8465 | milter | mta/opendkim | OpenDKIM milter service |
10024 | smtp | mta/amavisd | to amavis from postfix |
10025 | smtp | mta/master | opendkim |
10026 | smtp | mta/amavisd | "ORIGINATING" policy |
10027 | smtp | mta/master | postjournal |
10028 | smtp | mta/master | content_filter=scan via opendkim |
10029 | smtp | mta/master | "postfix/archive" |
10030 | smtp | mta/master | 10032 |
10031 | milter | mta/cbpolicyd | cluebringer policyd |
10032 | smtp | mta/amavisd | (antispam) "ORIGINATING_POST" policy |
11211 | memcached | memcached | nginx route lookups, mbox cache (calendar, folders, sync, tags) |
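One way to check a host against the two tables above, as an added example (not part of the Zimbra documentation): the script reads `ss -H -tln` output and reports listeners on non-loopback addresses whose port is in the Internal Access table or outside the allowed external set. The sample input and the names `audit`, `allowed_external` and `SAMPLE_SS` are constructed for this illustration.

```python
import re

# Port sets copied from the External Access and Internal Access tables on this page.
EXTERNAL = {25, 80, 110, 143, 443, 465, 587, 993, 995, 3443, 9071}
INTERNAL = {389, 636, 7025, 7047, 7071, 7072, 7073, 7110, 7143, 7171, 7306,
            7307, 7780, 7993, 7995, 8080, 8443, 8465, 10024, 10025, 10026,
            10027, 10028, 10029, 10030, 10031, 10032, 11211}
LOOPBACK = re.compile(r"^(127\.\d+\.\d+\.\d+|\[?::1\]?)$")

# Constructed sample in the column layout of `ss -H -tln` (not from a real host).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:25 0.0.0.0:*
LISTEN 0 128 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 127.0.0.1:7047 0.0.0.0:*
LISTEN 0 128 0.0.0.0:7071 0.0.0.0:*
LISTEN 0 128 127.0.0.1:10024 0.0.0.0:*
LISTEN 0 128 *:11211 *:*
LISTEN 0 128 [::1]:7171 [::]:*
LISTEN 0 128 [::]:8443 [::]:*
LISTEN 0 128 0.0.0.0:5666 0.0.0.0:*
"""

def audit(ss_output, allowed_external=EXTERNAL):
    """Return (address, port, finding) for listeners that need a firewall decision."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        port = int(port)
        if LOOPBACK.match(addr):
            continue  # loopback-only listeners are not reachable from other hosts
        if port in INTERNAL:
            findings.append((addr, port, "internal port reachable off-host"))
        elif port not in allowed_external:
            findings.append((addr, port, "not in the allowed external set"))
    return findings

if __name__ == "__main__":
    for addr, port, why in audit(SAMPLE_SS):
        print(f"{addr}:{port}  {why}")
```

In a multi-node install some internal ports (for example 389, 7025 and 7071) have to listen on a routable address; a finding for one of them means the port needs a firewall rule limiting sources to the other Zimbra nodes, as listed under Intra-Node Communication. Pass a smaller `allowed_external` set to reflect only the services you actually offer.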
System Access
Port | Protocol | Zimbra Service | Description |
---|---|---|---|
22 | ssh | | |
53 | dns | | |
514 | syslogd | [logger] | (udp) |
Intra-Node Communication
In a multi-node environment, the communication typically required between nodes includes:
Please note: this table is a WORK IN PROGRESS
Destination | Source(s) | Description |
---|---|---|
ALL | | |
tcp/22 | *ALL* | zmrcd, SSH for management |
LDAP | | |
tcp/389 | *ALL* | All nodes talk to LDAP server(s) |
Proxy | | |
tcp/11211 | mbox | IMAP folder cache, (other?) |
MTA | | |
tcp/25 | ldap | Sent email (cron jobs) |
tcp/25 | mbox | Sent email (web client, cron, etc.) |
Logger | | |
udp/514 | *ALL* | all nodes talk to logger server |
Mailbox (mbox) | | |
tcp/80 | proxy | backend proxy http |
tcp/110 | proxy | backend proxy pop3 |
tcp/143 | proxy | backend proxy imap |
tcp/443 | proxy | backend proxy https |
tcp/993 | proxy | backend proxy imaps |
tcp/995 | proxy | backend proxy pop3s |
tcp/7025 | mta | all mta talk to any mbox (LMTP) |
tcp/7071 | mbox | all mbox talk to any mbox (Admin) |
tcp/7072 | proxy | zmlookup - zimbraReverseProxyLookupTarget |
tcp/7073 | mta | sasl auth - zimbraMtaAuthTarget (since ZCS 8.7) |