
Ports and Sockets Reference

Complete reference of network ports and Unix sockets used by Mailborder.

Overview

Mailborder uses a combination of:

  • TCP Ports - Network services (SMTP, HTTP, etc.)
  • Unix Sockets - Inter-process communication (IPC)
  • Internal Ports - Daemon communication
  • External Ports - Public-facing services

TCP Ports

Public-Facing Ports

Ports that should be accessible from external networks.

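| Port | Service         | Protocol | Purpose                                 | Firewall |
|------|-----------------|----------|-----------------------------------------|----------|
| 25   | SMTP            | TCP      | Email receiving                         | ALLOW    |
| 80   | HTTP            | TCP      | Web interface (redirect to HTTPS)       | ALLOW    |
| 443  | HTTPS           | TCP      | Secure web interface                    | ALLOW    |
| 587  | SMTP Submission | TCP      | Authenticated email sending (optional)  | OPTIONAL |
| 465  | SMTPS           | TCP      | SMTP over SSL (deprecated, optional)    | OPTIONAL |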

Port 25 - SMTP

Service: Postfix SMTP daemon
Direction: Inbound
Required: Yes (for receiving email)

# Test connectivity
telnet mailborder.example.com 25

# Expected response
220 mailborder.example.com ESMTP Postfix

Firewall rule (iptables):

sudo iptables -A INPUT -p tcp --dport 25 -j ACCEPT

Firewall rule (UFW):

sudo ufw allow 25/tcp

Port 80 - HTTP

Service: Nginx web server
Direction: Inbound
Required: Yes (for initial access and Let's Encrypt)

Configuration: Redirects to HTTPS automatically

server {
    listen 80;
    server_name mailborder.example.com;
    return 301 https://$server_name$request_uri;
}

Firewall rule:

sudo ufw allow 80/tcp

Port 443 - HTTPS

Service: Nginx web server (SSL/TLS)
Direction: Inbound
Required: Yes (for web interface)

Test:

curl -I https://mailborder.example.com

Firewall rule:

sudo ufw allow 443/tcp

Port 587 - SMTP Submission (Optional)

Service: Postfix submission service
Direction: Inbound
Required: Only if users send mail through Mailborder

Configuration:

# /etc/postfix/master.cf
submission inet n       -       y       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

Firewall rule:

sudo ufw allow 587/tcp

Internal Ports

Ports used for internal daemon communication.

| Port  | Service           | Binding   | Purpose                 |
|-------|-------------------|-----------|-------------------------|
| 10031 | mb-filter         | 127.0.0.1 | Email content filtering |
| 10032 | mb-milter         | 127.0.0.1 | Postfix milter protocol |
| 11332 | Rspamd            | 127.0.0.1 | Spam scanning milter    |
| 11333 | Rspamd Controller | 127.0.0.1 | Rspamd web interface    |
| 3310  | ClamAV            | 127.0.0.1 | Antivirus scanning      |
| 3306  | MariaDB           | 127.0.0.1 | Database server         |
| 6379  | Redis             | 127.0.0.1 | Cache and sessions      |

Port 10031 - mb-filter

Service: Mailborder email filtering daemon
Binding: 127.0.0.1 (localhost only)
Protocol: SMTP-like (Postfix content filter)

Configuration: /etc/postfix/main.cf

content_filter = mb-filter:[127.0.0.1]:10031

Test:

telnet 127.0.0.1 10031
# Should connect to mb-filter

Firewall: No external access needed

Port 10032 - mb-milter

Service: Mailborder milter daemon
Binding: 127.0.0.1 (localhost only)
Protocol: Milter protocol

Configuration: /etc/postfix/main.cf

smtpd_milters = inet:127.0.0.1:10032

Check status:

sudo netstat -tulpn | grep 10032

Port 11332 - Rspamd Milter

Service: Rspamd spam scanner
Binding: 127.0.0.1 (localhost only)
Protocol: Milter protocol

Configuration: /etc/postfix/main.cf

smtpd_milters = inet:127.0.0.1:11332

Test:

echo "Test" | rspamc --header="test:test"

Port 11333 - Rspamd Controller

Service: Rspamd web interface
Binding: 127.0.0.1 (localhost only)
Access: Through Nginx reverse proxy

Configuration: /etc/rspamd/local.d/worker-controller.inc

bind_socket = "127.0.0.1:11333";

Access via browser:

https://mailborder.example.com/rspamd/

(Proxied through Nginx)

Port 3310 - ClamAV

Service: ClamAV antivirus daemon
Binding: 127.0.0.1 (localhost only)
Protocol: ClamAV protocol

Test:

clamdscan --version
sudo netstat -tulpn | grep 3310

Configuration: /etc/clamav/clamd.conf

TCPSocket 3310
TCPAddr 127.0.0.1

Port 3306 - MariaDB

Service: MariaDB database server
Binding: 127.0.0.1 (localhost only)
Required: Yes

Configuration: /etc/mysql/mariadb.conf.d/50-server.cnf

bind-address = 127.0.0.1

Test:

sudo mysql -u mailborder -p mailborder

Security:

  • Never expose to public internet
  • Use strong passwords
  • Enable SSL for remote connections (clustering only)

Port 6379 - Redis

Service: Redis cache server
Binding: 127.0.0.1 (localhost only)
Required: Yes (for sessions and caching)

Configuration: /etc/redis/redis.conf

bind 127.0.0.1
port 6379
protected-mode yes

Test:

redis-cli ping
# Expected: PONG

Cluster Communication Ports

Only needed for multi-server deployments.

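| Port  | Service    | Direction | Purpose                      |
|-------|------------|-----------|------------------------------|
| 10050 | mb-cluster | Both      | Cluster synchronization      |
| 3306  | MariaDB    | Inbound   | Database replication         |
| 6379  | Redis      | Inbound   | Redis replication (optional) |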

Port 10050 - Cluster Sync

Service: Mailborder cluster daemon
Direction: Bidirectional (main ↔ child nodes)
Required: Only for clustering

Configuration:

sudo mb-config set cluster.enabled true
sudo mb-config set cluster.port 10050
sudo mb-config set cluster.bind "0.0.0.0"

Firewall (only allow cluster IPs):

sudo ufw allow from 192.168.1.0/24 to any port 10050 proto tcp

Unix Domain Sockets

Unix sockets provide fast, secure inter-process communication.

PHP-FPM Socket

Path: /var/run/php/mailborder.sock
Owner: mailborder:www-data
Permissions: 0660

Purpose: PHP-FPM process communication

Configuration: /etc/php/8.2/fpm/pool.d/mailborder.conf

listen = /var/run/php/mailborder.sock
listen.owner = mailborder
listen.group = www-data
listen.mode = 0660

Nginx configuration:

location ~ \.php$ {
    fastcgi_pass unix:/var/run/php/mailborder.sock;
}

Check:

ls -lh /var/run/php/mailborder.sock
# Should show: srw-rw---- 1 mailborder www-data

mb-rpcd Socket

Path: /var/run/mailborder/mb-rpcd.sock
Owner: mailborder:mailborder
Permissions: 0660

Purpose: RPC daemon communication

Configuration:

# Daemons connect via Unix socket for IPC

Check:

ls -lh /var/run/mailborder/mb-rpcd.sock
sudo mb-status  # Should show mb-rpcd connected

ClamAV Socket

Path: /var/run/clamav/clamd.sock
Owner: clamav:clamav
Permissions: 0666

Purpose: Antivirus scanning

Configuration: /etc/clamav/clamd.conf

LocalSocket /var/run/clamav/clamd.sock
LocalSocketGroup clamav
LocalSocketMode 666

Test:

sudo clamdscan --version

Redis Socket (Optional)

Path: /var/run/redis/redis.sock
Alternative to: TCP port 6379

Advantages:

  • Faster than TCP
  • More secure (filesystem permissions)

Configuration: /etc/redis/redis.conf

unixsocket /var/run/redis/redis.sock
unixsocketperm 770

PHP configuration:

session.save_path = "unix:///var/run/redis/redis.sock?database=1"

Port Verification

Check All Ports

List listening ports:

sudo netstat -tulpn | grep LISTEN

Example output:

tcp  0  0 0.0.0.0:25      0.0.0.0:*  LISTEN  1234/master
tcp  0  0 0.0.0.0:80      0.0.0.0:*  LISTEN  5678/nginx
tcp  0  0 0.0.0.0:443     0.0.0.0:*  LISTEN  5678/nginx
tcp  0  0 127.0.0.1:3306  0.0.0.0:*  LISTEN  2345/mysqld
tcp  0  0 127.0.0.1:6379  0.0.0.0:*  LISTEN  3456/redis-server
tcp  0  0 127.0.0.1:10031 0.0.0.0:*  LISTEN  4567/mb-filter
tcp  0  0 127.0.0.1:11332 0.0.0.0:*  LISTEN  6789/rspamd

Using ss (modern alternative):

sudo ss -tulpn
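
The listing above still has to be compared by eye with the tables on this page. The script below is an added example, not part of Mailborder: it reads `ss -Htln` output and flags listeners that break the exposure policy described here. The port lists are copied from this page, and the function names and the sample input are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit `ss -Htln` output against this page's exposure policy.
# Port lists are copied from the tables above; adjust them for your deployment.
ALLOWED_PORTS="22 25 80 443 587 465"   # public-facing ports plus SSH from the UFW example
INTERNAL_PORTS="10031 10032 11332 11333 3310 3306 6379"   # must bind to 127.0.0.1
CLUSTER_PORTS="10050"                  # binds 0.0.0.0; needs a source-restricted firewall rule

# Constructed sample of `ss -Htln` output (not captured from a real host).
sample_ss_output() {
    cat <<'EOF'
LISTEN 0 100  0.0.0.0:25       0.0.0.0:*
LISTEN 0 128  0.0.0.0:22       0.0.0.0:*
LISTEN 0 511  0.0.0.0:443      0.0.0.0:*
LISTEN 0 80   127.0.0.1:3306   0.0.0.0:*
LISTEN 0 511  0.0.0.0:6379     0.0.0.0:*
LISTEN 0 128  127.0.0.1:10031  0.0.0.0:*
LISTEN 0 128  [::]:11333       [::]:*
LISTEN 0 128  0.0.0.0:10050    0.0.0.0:*
LISTEN 0 128  0.0.0.0:8080     0.0.0.0:*
EOF
}

# Reads `ss -Htln` lines on stdin and prints one finding per listener that
# breaks the policy. Loopback listeners are always accepted.
audit_listeners() {
    awk -v allowed="$ALLOWED_PORTS" -v internal="$INTERNAL_PORTS" -v cluster="$CLUSTER_PORTS" '
    BEGIN {
        n = split(allowed, a, " ");  for (i = 1; i <= n; i++) ok[a[i]] = 1
        n = split(internal, a, " "); for (i = 1; i <= n; i++) priv[a[i]] = 1
        n = split(cluster, a, " ");  for (i = 1; i <= n; i++) clus[a[i]] = 1
    }
    $1 == "LISTEN" {
        port = $4; sub(/^.*:/, "", port)                      # text after the last colon
        addr = substr($4, 1, length($4) - length(port) - 1)   # handles [::]:25 and *:80
        if (addr ~ /^127\./ || addr == "[::1]") next
        if (port in priv)       print "EXPOSED  " $4 " internal service bound off loopback"
        else if (port in clus)  print "RESTRICT " $4 " confirm firewall allows cluster IPs only"
        else if (!(port in ok)) print "UNLISTED " $4 " not in the port reference"
    }'
}

sample_ss_output | audit_listeners
```

On a live host, replace the last line with `sudo ss -Htln | audit_listeners`.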

Check Unix Sockets

List Unix sockets:

sudo ls -lh /var/run/mailborder/
sudo ls -lh /var/run/php/
sudo ls -lh /var/run/clamav/

Check socket connections:

sudo lsof | grep mailborder.sock
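
The socket paths, owners and modes documented in the Unix Domain Sockets section can be checked the same way. The script below is an added example, not part of Mailborder: it compares `stat` output with those documented values and reports missing sockets and ownership or mode drift. The function names and the sample input are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: compare socket ownership and mode with the values on this page.

# Expected path, owner:group and mode, copied from the Unix Domain Sockets section.
expected_sockets() {
    cat <<'EOF'
/var/run/php/mailborder.sock mailborder:www-data 660
/var/run/mailborder/mb-rpcd.sock mailborder:mailborder 660
/var/run/clamav/clamd.sock clamav:clamav 666
EOF
}

# Constructed sample of `stat -c '%n %U:%G %a'` output (not from a real host):
# mb-rpcd.sock has drifted to root:root 666 and clamd.sock is absent.
sample_stat_output() {
    cat <<'EOF'
/var/run/php/mailborder.sock mailborder:www-data 660
/var/run/mailborder/mb-rpcd.sock root:root 666
EOF
}

# Reads stat lines on stdin; prints MISSING or DRIFT for each expected socket
# that is absent or whose owner or mode differs from the documented value.
audit_sockets() {
    observed="$(cat)"
    expected_sockets | while read -r path owner mode; do
        line="$(printf '%s\n' "$observed" | awk -v p="$path" '$1 == p { print; exit }')"
        if [ -z "$line" ]; then
            echo "MISSING $path"
            continue
        fi
        set -- $line   # $1 path, $2 owner:group, $3 mode
        [ "$2" = "$owner" ] || echo "DRIFT $path owner $2 (expected $owner)"
        [ "$3" = "$mode" ] || echo "DRIFT $path mode $3 (expected $mode)"
    done
}

sample_stat_output | audit_sockets
```

On a live host, feed it `sudo stat -c '%n %U:%G %a'` run over the three socket paths, with `2>/dev/null` so that absent sockets are reported as MISSING.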

Port Connectivity Tests

External port test (from remote machine):

nc -zv mailborder.example.com 25
nc -zv mailborder.example.com 443

Expected output:

Connection to mailborder.example.com 25 port [tcp/smtp] succeeded!
Connection to mailborder.example.com 443 port [tcp/https] succeeded!

Internal port test (from localhost):

nc -zv 127.0.0.1 3306
nc -zv 127.0.0.1 6379
nc -zv 127.0.0.1 10031

Firewall Configuration

UFW (Uncomplicated Firewall)

Basic configuration:

# Reset firewall
sudo ufw --force reset

# Default policies
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow SSH (important - don't lock yourself out!)
sudo ufw allow 22/tcp

# Allow Mailborder services
sudo ufw allow 25/tcp    # SMTP
sudo ufw allow 80/tcp    # HTTP
sudo ufw allow 443/tcp   # HTTPS

# Enable firewall
sudo ufw enable

# Check status
sudo ufw status verbose

Rate limiting (prevent brute force):

sudo ufw limit 22/tcp    # SSH rate limiting
sudo ufw limit 25/tcp    # SMTP rate limiting

Allow specific IPs only:

# Only allow admin access from office IP
sudo ufw allow from 203.0.113.0/24 to any port 22

# Only allow SMTP from specific mail servers
sudo ufw allow from 198.51.100.0/24 to any port 25

iptables (Advanced)

SMTP rules:

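# Allow SMTP (no rate limit)
sudo iptables -A INPUT -p tcp --dport 25 -j ACCEPT

# Or, in place of the rule above, rate limit new SMTP connections (prevent spam floods).
# Appended after the plain ACCEPT, these two rules would never be reached.
sudo iptables -A INPUT -p tcp --dport 25 -m conntrack --ctstate NEW -m limit --limit 100/minute -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 25 -m conntrack --ctstate NEW -j DROP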

Web interface rules:

# Allow HTTP/HTTPS
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

Connection tracking:

# Allow established connections
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

Save rules:

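# Run the redirection as root too; "sudo iptables-save > file" writes the file as the calling user
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'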

Security Recommendations

Port Exposure

Minimize public exposure:

  1. Only expose necessary ports (25, 80, 443)
  2. Bind internal services to 127.0.0.1
  3. Use Unix sockets where possible
  4. Disable unused services

Example secure binding:

# BAD - Exposed to network
bind-address = 0.0.0.0

# GOOD - Localhost only
bind-address = 127.0.0.1

Rate Limiting

Protect against abuse:

# UFW rate limiting
sudo ufw limit 25/tcp
sudo ufw limit 443/tcp

# Fail2ban (automated blocking)
sudo apt install fail2ban

Fail2ban configuration:

# /etc/fail2ban/jail.local
[postfix]
enabled = true
port = smtp
filter = postfix
logpath = /var/log/mail.log
maxretry = 5
bantime = 3600

Monitoring

Monitor port usage:

# Real-time connection monitoring
sudo watch -n 1 'ss -tunap'

# Connection count by port
sudo netstat -an | awk '{print $4}' | sort | uniq -c | sort -rn

Log monitoring:

# Watch SMTP connections
sudo tail -f /var/log/mail.log

# Watch web access
sudo tail -f /var/log/nginx/mailborder-access.log

Change Default Ports (Optional)

Move SSH to non-standard port:

# /etc/ssh/sshd_config
Port 2222

sudo systemctl restart sshd
sudo ufw allow 2222/tcp
sudo ufw delete allow 22/tcp

Don't Change Standard Ports

Don't change SMTP (25) or HTTPS (443) - these are expected by mail servers and users.

Troubleshooting

Port Already in Use

Check what's using a port:

sudo lsof -i :25
sudo lsof -i :443

Example output:

COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
master   1234 root    13u  IPv4  12345      0t0  TCP *:smtp (LISTEN)

Kill process using port:

sudo kill 1234
# Or force kill
sudo kill -9 1234

Cannot Connect to Port

Check if service is running:

sudo systemctl status postfix
sudo systemctl status nginx
sudo systemctl status mb-filter

Check if port is listening:

sudo netstat -tulpn | grep ':25 '

Check firewall:

sudo ufw status
sudo iptables -L -n

Check from external:

telnet mailborder.example.com 25
curl -I https://mailborder.example.com

Permission Denied on Socket

Check socket permissions:

ls -lh /var/run/mailborder/mb-rpcd.sock

Fix permissions:

sudo chown mailborder:mailborder /var/run/mailborder/mb-rpcd.sock
sudo chmod 660 /var/run/mailborder/mb-rpcd.sock

Verify group membership:

groups mailborder
# Should include required groups

Port Conflict

Two services trying to use same port:

# Find conflicting service
sudo netstat -tulpn | grep :25

# Stop one service
sudo systemctl stop conflicting-service

Port Summary Table

Quick Reference

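| Port  | Service    | Public   | Internal | Socket Alternative |
|-------|------------|----------|----------|--------------------|
| 25    | SMTP       | Yes      | -        | -                  |
| 80    | HTTP       | Yes      | -        | -                  |
| 443   | HTTPS      | Yes      | -        | -                  |
| 587   | Submission | Optional | -        | -                  |
| 3306  | MariaDB    | -        | Yes      | -                  |
| 3310  | ClamAV     | -        | Yes      | clamd.sock         |
| 6379  | Redis      | -        | Yes      | redis.sock         |
| 10031 | mb-filter  | -        | Yes      | -                  |
| 10032 | mb-milter  | -        | Yes      | -                  |
| 11332 | Rspamd     | -        | Yes      | -                  |
| 11333 | Rspamd Web | -        | Yes      | -                  |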

Minimal Configuration

For basic deployment (no clustering):

  • Public: 25, 80, 443
  • Internal: 3306, 6379, 10031, 11332, 3310
  • Sockets: PHP-FPM, mb-rpcd, clamd
