Opening used ports vs allowing an app through windows firewall - Best practice
-
Hello,
In the process of migrating to a new server.
I already have ports open on the firewall.
Specifically the ports we use; I would rather not open anything we don't need or use.
My question is, on the Windows firewall side, would it be better to open ports to the server or allow certain apps through the firewall? If we were to allow apps through the firewall, are MDaemon.exe, WorldClient.exe, AVUpdate.exe, MDSpamD.exe, and WebAdmin.exe the only apps required? Also, is there documentation on why those would need to be allowed and for what purpose? I just want to make sure we don't allow apps we don't use on our public IP.
Thank you.
-
I'm not an expert on firewalls. I would open the specific ports that you use rather than allowing specific applications through the firewall. If you configure the firewall to allow mdaemon.exe through the firewall, then any services that are running in MDaemon will accept connections from the internet. For example, if you have the POP3 server running in MDaemon on port 345, then the firewall will allow connections to MDaemon on port 345. This is great if you are trying to use POP3; it's not so great if you are not wanting anyone to use POP3. Yes, you can just disable POP3 in MDaemon and it won't be an issue. But if anyone ever starts the POP3 service in MDaemon, the firewall should immediately start allowing the traffic. Ultimately, it is going to depend on what works best for you.
MDaemon.exe is the mdaemon service. You can find all the ports that it listens on under Setup / Server Settings / Ports. If you are not using LDAP or Minger, you don't need to open the port for them. Minger uses UDP not TCP.
WorldClient.exe is webmail. It listens on the Webmail port and secure webmail port. Main / Webmail Settings / Web Server, Main / Webmail Settings / SSL & HTTPS
WebAdmin.exe is Remote Administration; it listens on the Remote Administration port and secure Remote Administration port. Main / Remote Admin Settings / Settings, Main / Remote Admin Settings / SSL & HTTPS.
WCXMPPServer.exe is the chat server. You can find its ports at Setup / XMPP Server.
AVUpdate.exe does not listen on any ports, it only makes outbound connections.
MDSpamD.exe listens on a port, but you should NOT open the port to the internet. Spam Filter / Spam Daemon (MDSpamD).
If you are blocking outbound connections there is more work to be done if you only allow specific ports, as you will need to open ports to allow the necessary outbound connections. Depending on how your mail server is configured, this means you'll want to allow traffic on any outbound port you are using in MDaemon which can be found at Setup / Server Settings / Ports. You'll also want to allow outbound traffic on ports 80 and 443.
If you are blocking outbound connections and allowing certain apps through the firewall, there are more applications that need to be allowed through: MDUpdater.exe, AVUpdate.exe, SA-Update.exe, etc.
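As an added example (not from either poster), the port-based approach recommended above expressed as Windows Firewall rules in PowerShell, plus two audit checks: one that flags any inbound allow rule keyed to an MDaemon executable rather than a port, and one that flags a rule exposing the MDSpamD port. All port numbers and the MDSpamD port are assumed defaults and must be checked against Setup / Server Settings / Ports and Spam Filter / Spam Daemon (MDSpamD).

```powershell
# Added example, not the thread's own configuration. Run in an elevated PowerShell session
# on the MDaemon server. Port numbers are ASSUMED defaults: confirm them in
# Setup / Server Settings / Ports and drop any service you do not actually run.
$InboundPorts = @{
    'MDaemon SMTP'         = @(25, 587)   # inbound mail and submission
    'MDaemon IMAP'         = @(143, 993)  # omit if no clients use IMAP
    'MDaemon Webmail'      = @(3000, 3001) # Main / Webmail Settings (HTTP / HTTPS)
    'MDaemon Remote Admin' = @(1000, 1001) # Main / Remote Admin Settings (HTTP / HTTPS)
    # POP3 deliberately absent: with port rules, re-enabling POP3 in MDaemon later
    # does NOT expose it, which is the difference the answer above describes.
}

# One rule per service, keyed to the port, not to MDaemon.exe.
function Add-MDaemonPortRules {
    foreach ($name in $InboundPorts.Keys) {
        New-NetFirewallRule -DisplayName "$name (inbound)" -Direction Inbound `
            -Protocol TCP -LocalPort $InboundPorts[$name] -Action Allow -Profile Any | Out-Null
    }
}

# Audit: enabled inbound allow rules keyed to an MDaemon executable. Such a rule admits
# traffic to every listener that process opens now or in the future.
function Find-MDaemonProgramRules {
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | Where-Object {
        $prog = ($_ | Get-NetFirewallApplicationFilter).Program
        $prog -and ($prog -match 'MDaemon\.exe$|WorldClient\.exe$|WebAdmin\.exe$|MDSpamD\.exe$')
    } | Select-Object DisplayName, Profile,
        @{ n = 'Program'; e = { ($_ | Get-NetFirewallApplicationFilter).Program } }
}

# Audit: MDSpamD must never be reachable from the internet. Flag any enabled inbound allow
# rule that covers its port (or all ports) from any remote address. 783 is an ASSUMED value.
function Find-ExposedSpamDaemon([int]$SpamPort = 783) {
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | Where-Object {
        $ports = ($_ | Get-NetFirewallPortFilter).LocalPort
        $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        ($ports -contains "$SpamPort" -or $ports -eq 'Any') -and ($remote -eq 'Any')
    } | Select-Object DisplayName, Profile
}

Add-MDaemonPortRules
Find-MDaemonProgramRules   # expect no output on a port-only configuration
Find-ExposedSpamDaemon     # expect no output; any hit should be removed or scoped to LocalSubnet
```

If outbound traffic is also blocked, the same pattern applies in the other direction with -Direction Outbound for the ports listed in Setup / Server Settings / Ports plus TCP 80 and 443 for the updaters.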