For the SEPPmail Secure E-Mail Gateway to function correctly, the following communication paths must be available:
| Function / Feature | Port | Source | Target | Description |
|---|---|---|---|---|
| Licence Changes Support | TCP 22 (SSH) | Appliance | update.seppmail.ch, support.seppmail.ch | If access via port 22 is not possible, the connection can be established via a proxy server (see also System Proxy settings). |
| Email communication (Note: When using IP ALIAS addresses, the virtual IP address is only available for receiving. Sending takes place via the physical IP address of the sending system.) | TCP 25 (SMTP) | Email server | Appliance | Required for sending outgoing emails from the internal email server to the SEPPmail Secure E-Mail Gateway (among others, please also refer to Mail System Relaying). |
| Email communication | TCP 25 (SMTP) | Appliance | Email server | Required for sending incoming emails from the SEPPmail Secure E-Mail Gateway to the internal email server (please also refer to Mail System Managed Domains Server IP Address). |
| Email communication | TCP 25 (SMTP) | Internet | Appliance | Required for receiving emails directly from the Internet. |
| Email communication | TCP 25 (SMTP) | Smarthost | Appliance | Required for receiving emails via a smarthost. |
| Email communication | TCP 25 (SMTP) | Appliance | Internet | Required for sending emails directly to the Internet (see Mail System Outgoing server Use built-in mail transport agent). |
| Email communication | TCP 25 (SMTP) | Appliance | Smarthost | Required for sending emails via a smarthost (see Mail System Outgoing server Use the following SMTP server). |
| Name resolution | TCP/UDP 53 (DNS) | Appliance | Name server (internal) | Enables name resolution via one or more internal DNS servers (see System DNS). |
| Name resolution | TCP/UDP 53 (DNS) | Appliance | Name server (external) | Enables name resolution via one or more external DNS servers (see System DNS). |
| Name resolution | TCP/UDP 53 (DNS) | Appliance | Internet | Enables name resolution for the setting Use built-in DNS resolver (see System DNS). |
| GINA | TCP 443 (HTTPS) | Internet | Appliance | Required for establishing the SSL-encrypted communication via HTTPS to the SEPPmail Secure E-Mail Gateway, which is used for the GINA technology. |
| Administration access | TCP 8080 (HTTP) and/or TCP 8443 (HTTPS) | Admin PC (Internet) | Appliance | Required to access the web-based administration interface. It is recommended to allow only the SSL-encrypted connection (HTTPS) via port TCP/8443. |
| Administration access | TCP 8445 (HTTPS) | Admin PC (Internet) | Appliance | Optional. Required for administration via RestAPI. |
| (optional) | TCP 80/443/873/2703, UDP 24441 | Appliance | Internet | Used for updates of the Protection Pack (AntiVirus/AntiSpam) (among others, refer to Mail System Antispam and Block lists). |
| Fetchmail (optional) | TCP 995 (POP3S), 993 (IMAPS), 110 (POP3), 143 (IMAP) | Appliance | Internet | Required if SEPPmail Secure E-Mail Gateway user emails are collected by means of one of the mentioned protocols via Fetchmail (see Mail System Managed Domains Fetch mail from remote POP3 server. Interval in minutes and/or Users Remote POP3). |
| Cluster communication (optional) | TCP 22 (SSH) | Appliance | Appliance | Required for synchronising appliances in the cluster network (see Clustering Multiple Systems and/or Cluster). |
| Cluster communication (optional) | TCP 22 (SSH) | Frontend | Backend | Required for dividing the appliance into function groups (see Frontend/Backend Cluster, GINA Satellite and/or Cluster Add this device as frontend server (no local database)). |
| Cluster communication (optional) | TCP 22 (SSH) | Frontend | Backend | (new in 13.0.0) Required communication in distributed systems, so that the frontend system and its state can be displayed in the backend system. |
| Cluster communication (optional) | TCP 25 (SMTP) | GINA Frontend | Email server | Required for the GINA Satellite. The additional communication relations listed under Email communication in this table are then not required. |
| Time synchronisation (optional, mandatory in the cluster) | UDP 123 (NTP) | Appliance | Internet | Required for time synchronisation with time servers on the Internet (see System Time and date Set remote NTP server). |
| Time synchronisation (optional, mandatory in the cluster) | UDP 123 (NTP) | Appliance | Name server (internal) | Required for time synchronisation with time servers on the Internet (see System Time and date Automatically synchronize via NTP). |
| System monitoring (optional) | UDP 161 (SNMP) | Internal network | Appliance | Required for monitoring the SEPPmail Secure E-Mail Gateway via SNMP (see System SNMP daemon). |
| System monitoring (optional) | TCP 5666 (NRPE) | Internal network | Appliance | Required for monitoring the SEPPmail Secure E-Mail Gateway via Nagios (see System NRPE daemon). |
| Syslog (optional) | UDP 514, TCP 6514 | Appliance | Syslog server | Required for forwarding log entries to a syslog server (see System Syslog settings). |
| MPKI (optional) | TCP 443 (HTTPS) | Appliance | Internet | If a Managed Public Key Infrastructure (MPKI) connector is used, access to the certification authority (CA) is established via HTTPS. If access via port 443 is not possible, the connection can be established via a proxy server (see also System MPKI proxy settings). |
| OCSP / CRL checks (optional) | TCP 443 (HTTPS), 80 (HTTP) | Appliance | Internet | For certificate checks via OCSP / CRL (see System OCSP / CRL check settings), access via port 443 (in rare cases port 80) to the CA is required. A corresponding proxy entry can be configured. |
| Query of external Key server (optional) | TCP/UDP 389 (LDAP) and/or TCP/UDP 636 (LDAPS) | Appliance | Internet | Enables LDAP queries to LDAP servers on the Internet which, for example, are operated by many CAs for the provision of public keys (see Mail Processing Ruleset generator Key server). |
| Query of external Key server (optional) | TCP/UDP 389 (LDAP) and/or TCP/UDP 636 (LDAPS) | Appliance | LDAP server (internal) | Enables LDAP queries to internal LDAP servers for querying public keys of internal users, for example for internal email encryption (IME) (see Mail Processing Ruleset generator Key server). |
| Key server Internal query (optional) | TCP/UDP 388, 387 (LDAP) and/or TCP/UDP 635 (LDAPS) | Internal network | Appliance | Enables LDAP queries to the key server integrated in the appliance for querying the public keys of external communication partners, for example for end-to-end encryption (see Mail Processing Miscellaneous options Enable LDAP server on port 388, 387 and 635 to distribute collected S/MIME certificates to internal users:). |
| Key server External query (optional) | TCP/UDP 1389 (LDAP) and/or TCP/UDP 1636 (LDAPS) | Internal network | Appliance | Enables LDAP queries to the key server integrated in the appliance for retrieving the public keys of internal users. These keys can be used, for example, to implement internal email encryption (see also System Key server). |
| Key server External query (optional) | TCP/UDP 1389 (LDAP) and/or TCP/UDP 1636 (LDAPS) | Firewall | Appliance | Enables LDAP queries to the key server integrated in the appliance for retrieving the public keys of internal users. Among other things (especially when using self-signed certificates), these keys can be made available to external communication partners (see also System Key server). |
| Self-Service Password Management (SSPM) (optional) | TCP 5061 | Appliance | Internet | Used by many SMS gateways for sending SMS via the Internet. This is necessary if Self-Service Password Management (SSPM) is set up via SMS using an external SMS service. If necessary, the correct port can be requested directly from the provider. |

Rules to ensure the network communication of the SEPPmail Secure E-Mail Gateway
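
The following added example (not part of the SEPPmail documentation) audits a firewall allow-list against the rows of the table above that are not marked optional, and flags rules that open the plain-HTTP administration port. The zone names, the rule tuple layout and the sample rules are constructed assumptions; the selection of flows assumes direct Internet mail delivery without a smarthost and internal DNS servers.

```python
# Added example: zone names, tuple layout and ALLOWED are constructed samples.
# REQUIRED rows: (feature, proto, port, source, target) from the table above.
REQUIRED = [
    ("Licence Changes Support", "tcp", 22, "appliance", "update.seppmail.ch"),
    ("Licence Changes Support", "tcp", 22, "appliance", "support.seppmail.ch"),
    ("Email communication", "tcp", 25, "mailserver", "appliance"),
    ("Email communication", "tcp", 25, "appliance", "mailserver"),
    ("Email communication", "tcp", 25, "internet", "appliance"),
    ("Email communication", "tcp", 25, "appliance", "internet"),
    ("Name resolution", "tcp", 53, "appliance", "dns-internal"),
    ("Name resolution", "udp", 53, "appliance", "dns-internal"),
    ("GINA", "tcp", 443, "internet", "appliance"),
    ("Administration access", "tcp", 8443, "admin-pc", "appliance"),
]

# Constructed firewall export: (proto, port, source, target); "any" is a wildcard.
ALLOWED = [
    ("tcp", 22, "appliance", "any"),
    ("tcp", 25, "mailserver", "appliance"),
    ("tcp", 25, "appliance", "mailserver"),
    ("tcp", 25, "internet", "appliance"),
    ("tcp", 25, "appliance", "internet"),
    ("udp", 53, "appliance", "dns-internal"),
    ("tcp", 443, "internet", "appliance"),
    ("tcp", 8080, "admin-pc", "appliance"),
]

def covers(rule, flow):
    """True if an allow rule permits the required flow."""
    proto, port, src, dst = rule
    _, f_proto, f_port, f_src, f_dst = flow
    return (proto == f_proto and port in ("any", f_port)
            and src in ("any", f_src) and dst in ("any", f_dst))

def audit(allowed):
    """Return (required flows with no matching rule, rules opening HTTP admin)."""
    missing = [f for f in REQUIRED if not any(covers(r, f) for r in allowed)]
    # The table recommends HTTPS on TCP 8443 only, so flag rules opening 8080.
    http_admin = [r for r in allowed if r[0] == "tcp"
                  and r[1] in (8080, "any") and r[3] in ("appliance", "any")]
    return missing, http_admin

if __name__ == "__main__":
    missing, http_admin = audit(ALLOWED)
    for f in missing:
        print("MISSING  %s: %s/%s %s -> %s" % f)
    for r in http_admin:
        print("HTTP ADMIN OPEN  %s/%s %s -> %s" % r)
```

Extend `REQUIRED` with the optional rows (cluster, NTP, syslog, key server) that apply to the deployment before relying on the result.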