
Network Settings

Configure network interfaces, ports, firewall rules, and connection settings for Mailborder.

Network Interfaces

Listening Interfaces

Configure which network interfaces Mailborder binds to.

SMTP (Port 25):

# Listen on all interfaces (default)
sudo mb-config set network.smtp.listen "0.0.0.0"

# Listen on specific IP only
sudo mb-config set network.smtp.listen "203.0.113.10"

# Listen on multiple IPs
sudo mb-config set network.smtp.listen "203.0.113.10,203.0.113.11"

Web Interface (Port 443):

# Listen on all interfaces
sudo mb-config set network.https.listen "0.0.0.0"

# Specific IP only (more secure)
sudo mb-config set network.https.listen "203.0.113.10"

IPv6 Support

Enable IPv6 networking:

# Enable IPv6
sudo mb-config set network.ipv6.enabled true

# IPv6 SMTP listening
sudo mb-config set network.smtp.listen_ipv6 "::"

# IPv6 HTTPS listening
sudo mb-config set network.https.listen_ipv6 "::"

Network Ports

SMTP Ports

Standard SMTP (Port 25):

sudo mb-config set network.smtp.port 25

Submission Port (Port 587):

For authenticated email submission:

sudo mb-config set network.submission.enabled true
sudo mb-config set network.submission.port 587
sudo mb-config set network.submission.require_auth true
sudo mb-config set network.submission.require_tls true

Custom SMTP Port:

# Non-standard port (e.g., ISP blocks port 25)
sudo mb-config set network.smtp.port 2525

Web Interface Ports

HTTPS (Port 443):

sudo mb-config set network.https.port 443

HTTP (Port 80):

HTTP redirect to HTTPS:

sudo mb-config set network.http.enabled true
sudo mb-config set network.http.port 80
sudo mb-config set network.http.redirect_to_https true

Custom HTTPS Port:

sudo mb-config set network.https.port 8443

Service Ports

Internal Services (Unix Sockets):

Default: All internal communication uses Unix sockets (no network exposure).

TCP Sockets (Optional for Clustering):

# Enable TCP for remote connections
sudo mb-config set network.rpcd.tcp.enabled true
sudo mb-config set network.rpcd.tcp.port 9000
sudo mb-config set network.rpcd.tcp.bind "127.0.0.1"  # localhost only

# Require authentication
sudo mb-config set network.rpcd.tcp.require_auth true
sudo mb-config set network.rpcd.tcp.api_key "your-secure-api-key"

Firewall Configuration

Required Firewall Rules

Inbound (from Internet):
- Port 25/tcp (SMTP)
- Port 443/tcp (HTTPS admin interface)
- Port 80/tcp (HTTP redirect, optional)

Outbound (to Internet):
- Port 25/tcp (SMTP to destination servers)
- Port 53/udp (DNS)
- Port 80/tcp (Signature updates)
- Port 443/tcp (Signature updates, license validation)

Internal Only:
- Port 3306/tcp (MariaDB) - localhost
- Port 6379/tcp (Redis) - localhost
- Unix sockets - localhost
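A quick way to check a host against the policy above is to compare what is actually listening with the lists of public and localhost-only ports. The script below is an added example, not Mailborder tooling: it reads `ss -Htln`-style lines on stdin and flags any wildcard-bound port that is either localhost-only (3306, 6379) or not in the required inbound list. The sample socket table is constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example (not Mailborder's own tooling): audit listening sockets against
# the Required Firewall Rules. Reads `ss -Htln`-style lines on stdin.
# The sample below is constructed, not captured from a real host.
SAMPLE_SS='LISTEN 0 100 0.0.0.0:25 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 128 0.0.0.0:6379 0.0.0.0:*
LISTEN 0 128 0.0.0.0:9000 0.0.0.0:*
LISTEN 0 100 [::]:25 [::]:*'

# Ports that may face the Internet (inbound list above)
PUBLIC_PORTS="25 443 80"
# Ports that must never leave localhost (internal-only list above)
LOCAL_ONLY_PORTS="3306 6379"

# in_list NEEDLE "LIST": true when NEEDLE is one of the space-separated LIST items
in_list() {
    needle=$1
    for item in $2; do
        [ "$item" = "$needle" ] && return 0
    done
    return 1
}

# audit_listeners: one finding per line on stdout; returns 0 only when nothing
# is exposed that should not be. Wildcard binds (0.0.0.0, *, [::]) are checked;
# sockets bound to a specific address are left to the firewall rules to police.
audit_listeners() {
    findings=0
    while read -r state recvq sendq laddr peer; do
        [ "$state" = "LISTEN" ] || continue
        port=${laddr##*:}
        addr=${laddr%:*}
        case "$addr" in
            0.0.0.0|'*'|'[::]') ;;   # wildcard bind: check it
            *) continue ;;           # specific address: skip
        esac
        if in_list "$port" "$LOCAL_ONLY_PORTS"; then
            echo "FAIL: port $port is bound to $addr but must stay on 127.0.0.1"
            findings=$((findings + 1))
        elif ! in_list "$port" "$PUBLIC_PORTS"; then
            echo "WARN: port $port is bound to $addr but is not in the required inbound list"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Demo over the constructed sample; on a live host run:  ss -Htln | audit_listeners
if printf '%s\n' "$SAMPLE_SS" | audit_listeners; then
    echo "listener audit: OK"
else
    echo "listener audit: review the findings above"
fi
```

On the sample the script reports Redis (6379) exposed on all interfaces and an unexpected listener on 9000 (the rpcd TCP port from the Service Ports section, which should stay on 127.0.0.1 when enabled); port 25 on `[::]` passes because 25 is an expected inbound port.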

UFW (Ubuntu Firewall)

Enable UFW:

# ufw denies incoming connections by default: when managing the host over SSH,
# run "sudo ufw allow 22/tcp" before enabling so the current session is not dropped
sudo ufw enable

Allow Required Ports:

# SMTP
sudo ufw allow 25/tcp

# HTTPS
sudo ufw allow 443/tcp

# HTTP (optional)
sudo ufw allow 80/tcp

# SSH (for remote management)
sudo ufw allow 22/tcp

Restrict Admin Interface:

# Allow HTTPS only from specific IP/network
sudo ufw delete allow 443/tcp
sudo ufw allow from 203.0.113.0/24 to any port 443 proto tcp

View Rules:

sudo ufw status verbose

iptables

View Rules:

sudo iptables -L -n -v

Allow SMTP:

sudo iptables -A INPUT -p tcp --dport 25 -j ACCEPT

Allow HTTPS:

sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

Restrict Admin Interface:

# Allow HTTPS only from specific network
# Rules match in order: remove any earlier blanket accept for port 443 first
# (sudo iptables -D INPUT -p tcp --dport 443 -j ACCEPT), or the DROP below never fires
sudo iptables -A INPUT -p tcp --dport 443 -s 203.0.113.0/24 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j DROP

Save Rules:

# The redirect must run as root too (a plain "sudo iptables-save > file" writes the
# file as the calling user); the file is restored at boot by the iptables-persistent package
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'

fail2ban Integration

Automatic blocking of abusive IPs.

Enable fail2ban:

sudo apt install fail2ban
sudo systemctl enable fail2ban
sudo systemctl start fail2ban

Configure Mailborder Jails:

Create /etc/fail2ban/jail.d/mailborder.conf:

[mailborder-auth]
enabled = true
port = https
filter = mailborder-auth
logpath = /var/log/mailborder/rpcd.log
maxretry = 5
findtime = 600
bantime = 3600

[mailborder-smtp]
enabled = true
port = smtp
filter = mailborder-smtp
logpath = /var/log/mailborder/postfix.log
maxretry = 10
findtime = 300
bantime = 3600

Create filters in /etc/fail2ban/filter.d/:

mailborder-auth.conf:

[Definition]
failregex = ^.*Failed login attempt for.*from <HOST>.*$
ignoreregex =

mailborder-smtp.conf:

[Definition]
failregex = ^.*reject: RCPT from.*\[<HOST>\].*$
ignoreregex =
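Before relying on a filter, it is worth confirming that its failregex actually matches the log lines you expect and that the count per host would reach maxretry. The script below is an added example, not part of Mailborder or fail2ban: it applies the two patterns above with `<HOST>` replaced by an IPv4 capture (an assumption; fail2ban's real `<HOST>` token also matches hostnames and IPv6 addresses) to constructed log lines, then counts hits per host. The log lines are constructed samples in the formats the filters expect, not real Mailborder output; the authoritative check is `fail2ban-regex <logfile> <filter.conf>`, which uses fail2ban's own parser.

```shell
#!/bin/sh
# Added example (not part of Mailborder or fail2ban): dry-run the two failregex
# patterns against constructed log lines and count hits per host the way a jail's
# maxretry does. <HOST> is approximated by an IPv4 capture here (assumption).

# Constructed sample lines; the real rpcd.log / postfix.log format may differ
SAMPLE_RPCD_LOG='2024-01-01T10:00:01Z rpcd: Failed login attempt for admin from 203.0.113.50
2024-01-01T10:00:05Z rpcd: Failed login attempt for admin from 203.0.113.50
2024-01-01T10:00:09Z rpcd: Login succeeded for admin from 198.51.100.7
2024-01-01T10:00:12Z rpcd: Failed login attempt for root from 203.0.113.50
2024-01-01T10:00:20Z rpcd: Failed login attempt for admin from 198.51.100.7'

SAMPLE_POSTFIX_LOG='Jan  1 10:01:00 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[198.51.100.23]: 554 5.7.1 <user@example.com>: Relay access denied; from=<spam@example.net> to=<user@example.com> proto=ESMTP helo=<bad.example.net>
Jan  1 10:01:02 mx postfix/smtpd[1234]: connect from mail.example.org[203.0.113.9]
Jan  1 10:01:03 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[198.51.100.23]: 450 4.1.8 <x@nonexistent.invalid>: Sender address rejected; from=<x@nonexistent.invalid> to=<user@example.com> proto=ESMTP helo=<bad.example.net>'

# auth_failure_hosts: the mailborder-auth failregex, <HOST> -> IPv4 capture group
auth_failure_hosts() {
    sed -nE 's/^.*Failed login attempt for.*from ([0-9.]+).*$/\1/p'
}

# smtp_reject_hosts: the mailborder-smtp failregex, <HOST> -> IPv4 capture group
smtp_reject_hosts() {
    sed -nE 's/^.*reject: RCPT from.*\[([0-9.]+)\].*$/\1/p'
}

# hosts_over_threshold N: hosts on stdin, prints those seen N or more times.
# fail2ban additionally requires the N matches to fall inside findtime; that
# time window is ignored in this dry run.
hosts_over_threshold() {
    sort | uniq -c | awk -v n="$1" '$1 >= n { print $2 }'
}

# Demo thresholds are lower than the jail values (5 and 10) so the short samples trigger
echo "mailborder-auth would ban (threshold 3):"
printf '%s\n' "$SAMPLE_RPCD_LOG" | auth_failure_hosts | hosts_over_threshold 3
echo "mailborder-smtp would ban (threshold 2):"
printf '%s\n' "$SAMPLE_POSTFIX_LOG" | smtp_reject_hosts | hosts_over_threshold 2
```

The successful-login line and the plain `connect from` line are not matched, which is the property you want from a filter: only the failure events feed the counter. To run the same dry run over real logs, replace the `printf` of the sample with `cat /var/log/mailborder/rpcd.log`.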

Restart fail2ban:

sudo systemctl restart fail2ban

View Banned IPs:

sudo fail2ban-client status mailborder-auth
sudo fail2ban-client status mailborder-smtp

Unban IP:

sudo fail2ban-client set mailborder-auth unbanip 203.0.113.50

TLS/SSL Configuration

TLS Versions

Disable Insecure TLS Versions:

# Disable TLS 1.0 and 1.1 (deprecated)
sudo mb-config set network.tls.min_version "1.2"

# Supported versions: 1.2, 1.3
sudo mb-config set network.tls.versions "1.2,1.3"

Cipher Suites

Strong Ciphers Only:

sudo mb-config set network.tls.ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384"

Mozilla Modern Configuration:

sudo mb-config set network.tls.profile modern

Mozilla Intermediate Configuration (Recommended):

sudo mb-config set network.tls.profile intermediate

Mozilla Old Configuration (Maximum Compatibility):

sudo mb-config set network.tls.profile old

Perfect Forward Secrecy

Enable:

sudo mb-config set network.tls.prefer_server_ciphers true
sudo mb-config set network.tls.dhparam /etc/mailborder/ssl/dhparam.pem

Generate DH Parameters:

sudo openssl dhparam -out /etc/mailborder/ssl/dhparam.pem 2048

SMTP TLS

Outbound TLS (to relay host):

# Opportunistic TLS (STARTTLS)
sudo mb-config set network.smtp.tls.outbound opportunistic

# Mandatory TLS (fail if not available)
sudo mb-config set network.smtp.tls.outbound mandatory

# Disable TLS
sudo mb-config set network.smtp.tls.outbound none

Inbound TLS (from senders):

# Offer STARTTLS
sudo mb-config set network.smtp.tls.inbound enabled

# Require TLS from all senders
sudo mb-config set network.smtp.tls.inbound mandatory

TLS Certificate:

sudo mb-config set network.smtp.tls.cert /etc/mailborder/ssl/mailborder.crt
sudo mb-config set network.smtp.tls.key /etc/mailborder/ssl/mailborder.key

Connection Limits

SMTP Connection Limits

Maximum Concurrent Connections:

# Total connections
sudo mb-config set network.smtp.max_connections 100

# Per source IP
sudo mb-config set network.smtp.max_per_source 10

Connection Rate:

# Maximum new connections per second
sudo mb-config set network.smtp.connection_rate 20

# Per source IP per second
sudo mb-config set network.smtp.rate_per_source 2

Connection Timeout:

# How long to wait for client data
sudo mb-config set network.smtp.timeout 300  # 5 minutes

Web Interface Limits

Concurrent Connections:

sudo mb-config set network.https.max_connections 50

Request Rate Limiting:

# Requests per minute per IP
sudo mb-config set network.https.rate_limit 60

# Burst allowance
sudo mb-config set network.https.rate_burst 10

DNS Configuration

DNS Servers

Configure DNS Resolvers:

# Use specific DNS servers
sudo mb-config set network.dns.servers "8.8.8.8,8.8.4.4,1.1.1.1"

# Or use system default
sudo mb-config set network.dns.servers "system"

Verify DNS:

dig @8.8.8.8 google.com +short

DNS Caching

Enable DNS Cache:

sudo mb-config set network.dns.cache.enabled true
sudo mb-config set network.dns.cache.ttl 300  # 5 minutes

Clear DNS Cache:

sudo mb-dns-cache-clear

DNSSEC

Enable DNSSEC Validation:

sudo mb-config set network.dns.dnssec true

Reverse DNS (PTR)

Critical for Email Delivery:

Verify your server has correct reverse DNS:

dig -x YOUR_SERVER_IP +short

Should return your server's hostname (FQDN).

Contact ISP/hosting provider to set up reverse DNS if missing.

Routing

Default Gateway

View Current Gateway:

ip route show default

Set Default Gateway:

sudo ip route add default via 203.0.113.1

Persistent (Debian/Ubuntu):

Edit /etc/network/interfaces:

auto eth0
iface eth0 inet static
    address 203.0.113.10
    netmask 255.255.255.0
    gateway 203.0.113.1

Or using Netplan (/etc/netplan/01-netcfg.yaml):

network:
  version: 2
  ethernets:
    eth0:
      addresses:
        - 203.0.113.10/24
      # gateway4 still works but is deprecated in newer netplan releases;
      # the replacement is  routes: [{to: default, via: 203.0.113.1}]
      gateway4: 203.0.113.1
      nameservers:
        addresses: [8.8.8.8, 8.8.4.4]

Apply:

sudo netplan apply

Static Routes

Add Static Route:

sudo ip route add 192.168.50.0/24 via 203.0.113.254

Persistent:

Add the route to the eth0 stanza in /etc/network/interfaces, indented like the other options (an `up` line outside a stanza is ignored):

iface eth0 inet static
    address 203.0.113.10
    netmask 255.255.255.0
    gateway 203.0.113.1
    up ip route add 192.168.50.0/24 via 203.0.113.254

Network Diagnostics

Test Connectivity

Ping:

ping -c 4 8.8.8.8
ping -c 4 google.com

Traceroute:

traceroute google.com

MTU Path Discovery:

tracepath google.com

Test SMTP Connectivity

Outbound SMTP (type the lines after the telnet command into the session; EHLO, MAIL FROM and RCPT TO should each get a 250 reply, QUIT a 221):

telnet mail.example.com 25
EHLO mailborder.example.com
MAIL FROM:<test@mailborder.example.com>
RCPT TO:<recipient@example.com>
QUIT

Test from Remote:

telnet your-mailborder-ip 25

Test DNS

Forward Lookup:

dig example.com
dig example.com MX
dig example.com A

Reverse Lookup:

dig -x 203.0.113.10

Check Specific DNS Server:

dig @8.8.8.8 example.com

Network Statistics

Connection Counts:

# Active connections
ss -s

# SMTP connections
ss -tn sport = :25

# HTTPS connections
ss -tn sport = :443

Bandwidth Usage:

# Install iftop
sudo apt install iftop

# Monitor bandwidth
sudo iftop -i eth0

Packet Capture:

# Capture SMTP traffic
sudo tcpdump -i eth0 port 25 -w smtp-capture.pcap

# View capture
sudo tcpdump -r smtp-capture.pcap -n

Performance Tuning

TCP Parameters

Optimize for High Traffic:

Edit /etc/sysctl.conf:

# Increase connection backlog
net.core.somaxconn = 1024

# Increase max open files
fs.file-max = 100000

# TCP buffer sizes
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216

# Enable TCP window scaling
net.ipv4.tcp_window_scaling = 1

# Time out half-closed (FIN-WAIT-2) sockets sooner and let outgoing connections reuse TIME_WAIT ports
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_tw_reuse = 1

# Increase port range
net.ipv4.ip_local_port_range = 10000 65535

Apply:

sudo sysctl -p

Network Interface Settings

MTU Size:

# Check current MTU
ip link show eth0

# Set MTU (if needed)
sudo ip link set eth0 mtu 1500

Ring Buffer Size:

# Check current
sudo ethtool -g eth0

# Increase (if supported)
sudo ethtool -G eth0 rx 4096 tx 4096

Offload Features:

# Enable TCP offload
sudo ethtool -K eth0 tso on gso on gro on

Troubleshooting

Cannot Receive Email

Check SMTP Port:

# netstat needs the net-tools package; "sudo ss -tlnp | grep ':25'" is the preinstalled equivalent
sudo netstat -tlnp | grep :25

Check Firewall:

sudo ufw status
sudo iptables -L -n | grep 25

Test Externally:

telnet your-server-ip 25

Cannot Access Web Interface

Check HTTPS Port:

# or, without net-tools: sudo ss -tlnp | grep ':443'
sudo netstat -tlnp | grep :443

Check Nginx:

sudo systemctl status nginx
sudo nginx -t

Check Firewall:

sudo ufw status

Slow Connection

Check Network:

ping -c 10 relay-host.example.com

Check MTU:

tracepath relay-host.example.com

Check Bandwidth:

sudo iftop -i eth0

DNS Issues

Test Resolution:

dig example.com
nslookup example.com

Check /etc/resolv.conf:

cat /etc/resolv.conf

Flush DNS Cache:

# On systemd 239 and newer the command is: sudo resolvectl flush-caches
sudo systemd-resolve --flush-caches

Next Steps