Closed thorus90 closed 3 years ago
Disabling ports is quite easy for docker-compose projects. Just read the container's `ports:` section and comment out the lines.

```yaml
volumes:
  - ./data/web:/web:ro,z
  - ./data/conf/rspamd/dynmaps:/dynmaps:ro,z
  - ./data/assets/ssl/:/etc/ssl/mail/:ro,z
  - ./data/conf/nginx/:/etc/nginx/conf.d/:z
  - ./data/conf/rspamd/meta_exporter:/meta_exporter:ro,z
  - sogo-web-vol-1:/usr/lib/GNUstep/SOGo/:z
#ports:
#  - "${HTTPS_BIND:-:}:${HTTPS_PORT:-443}:${HTTPS_PORT:-443}"
#  - "${HTTP_BIND:-:}:${HTTP_PORT:-80}:${HTTP_PORT:-80}"
```

This is what I do in my project, since I run it behind a reverse proxy. The same applies to any docker-compose project. https://docs.docker.com/compose/networking/
You can simply bind them to 127.0.0.1 or remove the ports completely.
If you don't run XMPP, no service will be bound to these ports. They are just open sockets without a service.
Please also read the docs about setting up a reverse proxy. We mention 127.0.0.1 there (or wherever you need to bind).
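A pre-deployment check along the lines of the advice above, added here as an illustration (not mailcow's or Docker's own code): it resolves `${VAR:-default}` the way compose does and flags every published port that is not bound to loopback, i.e. reachable from outside the host regardless of INPUT-chain rules. The service names, port specs and environment below are constructed, modelled on the lines quoted above; the classification is a simplification of Docker's own port-spec parsing (short syntax only, no port ranges).

```python
import ipaddress
import re
from dataclasses import dataclass

# ${VAR} or ${VAR:-default}; compose uses the default when VAR is unset or empty.
VAR = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)(?::-([^}]*))?\}")


def substitute(spec, env):
    """Resolve compose variable references in one port spec."""
    return VAR.sub(lambda m: env.get(m.group(1)) or m.group(2) or "", spec)


@dataclass
class Binding:
    service: str
    host_ip: str        # "" means Docker publishes on every interface
    host_port: str
    container_port: str
    proto: str
    scope: str          # all-interfaces | loopback | specific | invalid


def classify(host_ip):
    if host_ip in ("", "0.0.0.0", "::"):
        return "all-interfaces"
    try:
        return "loopback" if ipaddress.ip_address(host_ip).is_loopback else "specific"
    except ValueError:
        return "invalid"


def parse_port(service, spec):
    """Short syntax: [[IP:]HOST_PORT:]CONTAINER_PORT[/PROTO]."""
    spec, _, proto = spec.partition("/")
    parts = spec.rsplit(":", 2)          # split from the right so IPv6 colons stay in the IP
    if len(parts) == 1:                   # "443": ephemeral host port, all interfaces
        ip, host, cont = "", "", parts[0]
    elif len(parts) == 2:                 # "443:443": all interfaces
        ip, (host, cont) = "", parts
    else:
        ip, host, cont = parts
        if ip.startswith("[") and ip.endswith("]"):   # bracketed IPv6 such as [::1]
            ip = ip[1:-1]
    return Binding(service, ip, host, cont, proto or "tcp", classify(ip))


def audit(ports, env):
    """Return every binding that is not restricted to loopback."""
    return [b for service, specs in ports.items() for spec in specs
            if (b := parse_port(service, substitute(spec, env))).scope != "loopback"]


# Constructed sample modelled on the mailcow compose lines quoted above.
SAMPLE_PORTS = {
    "nginx": ["${HTTPS_BIND:-0.0.0.0}:${HTTPS_PORT:-443}:${HTTPS_PORT:-443}",
              "${HTTP_BIND:-0.0.0.0}:${HTTP_PORT:-80}:${HTTP_PORT:-80}"],
    "dovecot": ["4190:4190", "993:993"],
    "xmpp": ["5222:5222", "5269:5269", "5443:5443"],
}
SAMPLE_ENV = {"HTTPS_BIND": "127.0.0.1", "HTTPS_PORT": "8443", "HTTP_PORT": "8080"}

if __name__ == "__main__":
    for b in audit(SAMPLE_PORTS, SAMPLE_ENV):
        print(f"{b.service}: {b.host_ip or '*'}:{b.host_port}/{b.proto} -> {b.scope}")
```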
Sieve can and must be accessible externally; it is part of Dovecot. Why not close the IMAP port then? 😲 It is also public. You can manage Sieve over SOGo or over this port directly; for example, Thunderbird has a Sieve plugin which uses this port and allows writing rules in TB.
I just had problems with my server: the ports should be used by my own XMPP installation, but were blocked by mailcow, even though I had not configured XMPP for any domain. So I would vote for SKIP_XMPP, contrary to what the FAQ says. At least, there should be info about the open ports. I've created a PR for the docs.
When you start with the docker-compose currently provided, docker opens ports on the external interface which aren't needed in my eyes, even bypassing normal iptables rules in the INPUT chain.
I disabled these right now by:
8080 and 8443, because I use a reverse proxy for handling SSL termination and further securing.
5222, 5269 and 5443 are for XMPP, which I don't use (as I guess many other users don't either). 4190 is for Sieve, which doesn't need to be accessed externally (correct?).
I don't know if and how easily this could be solved by docker, but it could be stated in the documentation to block these ports specifically if you don't use XMPP.
Thanks!