Firewall Mail Server
Running a self-hosted mail server requires several ports to be accessible from the internet. Inbound mail delivery uses SMTP on port 25. Mail client access uses IMAPS on port 993 and SMTP submission on port 587. Each needs a port forwarding entry pointing at the mail server’s internal address, and a corresponding firewall rule permitting the inbound traffic.
Equally important is blocking port 25 from devices other than the mail server. This is SMTP port management: without it, any device on the network with malware could attempt to send spam directly to external mail servers, bypassing the mail server entirely and potentially getting the network’s IP address blacklisted.
The mail server’s internal address in this network is on the Core VLAN. Replace 10.1.0.x throughout this page with the actual static DHCP address assigned to the mail server.
Port forwarding
Navigate to Settings > Firewall & Security > Port Forwarding > Add Port Forward.
SMTP (inbound mail delivery)
This forwards external port 25 to the mail server for inbound delivery from other mail servers on the internet.
| Field | Value |
|---|---|
| Name | SMTP Inbound |
| Enabled | Yes |
| From | Any |
| Port | 25 |
| Forward IP | 10.1.0.x |
| Forward Port | 25 |
| Protocol | TCP |
| Enable NAT Loopback | Yes |
| Logging | Optional |
SMTP Submission (mail client sending)
This forwards port 587 for authenticated mail client submission. Some ISPs block outbound port 587, which would prevent roaming clients from submitting mail. If this is the case, also add a port forward for port 465 (SMTPS, submission over implicit TLS).
| Field | Value |
|---|---|
| Name | SMTP Submission |
| Enabled | Yes |
| From | Any |
| Port | 587 |
| Forward IP | 10.1.0.x |
| Forward Port | 587 |
| Protocol | TCP |
| Enable NAT Loopback | Yes |
IMAPS (mail client access)
This forwards port 993 for encrypted IMAP access from mail clients.
| Field | Value |
|---|---|
| Name | IMAPS |
| Enabled | Yes |
| From | Any |
| Port | 993 |
| Forward IP | 10.1.0.x |
| Forward Port | 993 |
| Protocol | TCP |
| Enable NAT Loopback | Yes |
HTTPS for webmail (if applicable)
If the mail server includes a webmail interface (Roundcube, Rainloop, or similar), add a port forward for HTTPS. If the server is also hosting other HTTPS services, a single HTTPS port forward to a reverse proxy handles all of them.
| Field | Value |
|---|---|
| Name | HTTPS |
| Enabled | Yes |
| From | Any |
| Port | 443 |
| Forward IP | 10.1.0.x (or reverse proxy address) |
| Forward Port | 443 |
| Protocol | TCP |
| Enable NAT Loopback | Yes |
Firewall rules
Port forwarding creates the destination NAT entries. The firewall rules control which traffic is permitted to use those forwards. Navigate to Settings > Firewall & Security > Firewall Rules.
Allow SMTP to mail server (WAN In)
Permit inbound SMTP connections from any source to the mail server.
| Field | Value |
|---|---|
| Name | Allow SMTP to mail server |
| Enabled | Yes |
| Rule Applied | Before Predefined Rules |
| Action | Accept |
| IPv4 Protocol | TCP |
| Source | Address/Port Group: Any |
| Destination | IP Address: 10.1.0.x, Port: 25 |
Allow SMTP Submission to mail server (WAN In)
| Field | Value |
|---|---|
| Name | Allow SMTP Submission to mail server |
| Enabled | Yes |
| Action | Accept |
| IPv4 Protocol | TCP |
| Source | Any |
| Destination | IP Address: 10.1.0.x, Port: 587 |
Allow IMAPS to mail server (WAN In)
| Field | Value |
|---|---|
| Name | Allow IMAPS to mail server |
| Enabled | Yes |
| Action | Accept |
| IPv4 Protocol | TCP |
| Source | Any |
| Destination | IP Address: 10.1.0.x, Port: 993 |
SMTP port management
The most important firewall rules for mail are not the ones that allow traffic in. They are the ones that prevent other devices from sending mail out directly.
Without SMTP port management, any device on the network infected with malware can connect directly to external mail servers on port 25 and send spam. The sending IP is your home IP address. Other mail servers notice and add your IP to their blocklists. Your mail server’s legitimate outbound mail starts being rejected.
Two rules implement SMTP port management:
Allow SMTP from mail server only (LAN In)
Permit outbound SMTP only from the mail server. All other devices are blocked.
Navigate to Settings > Firewall & Security > Firewall Rules. Add a rule in LAN In:
| Field | Value |
|---|---|
| Name | Allow SMTP outbound from mail server |
| Enabled | Yes |
| Rule Applied | Before Predefined Rules |
| Action | Accept |
| IPv4 Protocol | TCP |
| Source | IP Address: 10.1.0.x |
| Destination | Any, Port: 25 |
Block all other SMTP outbound (LAN In)
Block port 25 from any other source on the network. Place this rule after the allow rule above.
| Field | Value |
|---|---|
| Name | Block SMTP outbound from all other devices |
| Enabled | Yes |
| Rule Applied | Before Predefined Rules |
| Action | Drop |
| IPv4 Protocol | TCP |
| Source | Any |
| Destination | Any, Port: 25 |
The rule order matters. UniFi evaluates rules from top to bottom. The allow rule for the mail server must appear before the block rule. In the UniFi interface, drag rules to reorder them or use the index numbers to verify precedence.
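A small first-match model of the two LAN In rules, as an added example (not part of this page or of UniFi), makes the ordering point checkable: 10.1.0.20 stands in for the mail server's 10.1.0.x address, and the Accept default stands in for the predefined LAN In allow that unmatched traffic falls through to.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

MAIL_SERVER = "10.1.0.20"  # placeholder for the mail server's 10.1.0.x address


@dataclass(frozen=True)
class Rule:
    name: str
    action: str              # "Accept" or "Drop", as in the tables above
    source: str              # "Any" or a CIDR such as "10.1.0.20/32"
    dst_port: Optional[int]  # None means any destination port


# The two LAN In rules from the tables above, in the intended order
LAN_IN = [
    Rule("Allow SMTP outbound from mail server", "Accept", f"{MAIL_SERVER}/32", 25),
    Rule("Block SMTP outbound from all other devices", "Drop", "Any", 25),
]


def matches(rule: Rule, src: str, dport: int) -> bool:
    src_ok = rule.source == "Any" or ip_address(src) in ip_network(rule.source)
    return src_ok and (rule.dst_port is None or rule.dst_port == dport)


def evaluate(rules, src: str, dport: int, default: str = "Accept"):
    """First-match evaluation from top to bottom, like the UniFi rule list.
    LAN In traffic matching no user rule reaches the predefined allow,
    hence the Accept default."""
    for rule in rules:
        if matches(rule, src, dport):
            return rule.action, rule.name
    return default, "predefined rules"


def enforces_smtp_port_management(rules) -> bool:
    """True only if the mail server can reach port 25, every other host
    cannot, and other ports are untouched."""
    return (
        evaluate(rules, MAIL_SERVER, 25)[0] == "Accept"
        and evaluate(rules, "10.1.0.99", 25)[0] == "Drop"
        and evaluate(rules, "10.1.0.99", 587)[0] == "Accept"
    )


if __name__ == "__main__":
    print("intended order:", enforces_smtp_port_management(LAN_IN))
    print("swapped order: ", enforces_smtp_port_management(LAN_IN[::-1]))
```

With the rules swapped, the block rule matches the mail server first and its outbound mail is silently dropped.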
IPv6 considerations
If the WAN connection provides a public IPv6 prefix and the mail server has a public IPv6 address, the same rules need to be created for IPv6. IPv6 devices on the network have globally routable addresses and are reachable directly from the internet without NAT, which means:
- Port forwarding is not needed for IPv6 (devices are directly reachable)
- WAN In firewall rules are still needed to permit traffic to the mail server
- The SMTP port management rules need IPv6 variants to prevent IPv6-capable malware from sending spam via IPv6
Create IPv6 equivalents of each rule above, setting the protocol family to IPv6 and using the mail server’s IPv6 address.
Testing the mail server firewall rules
Test that the mail server is reachable from the internet, using an external port scanning service or a device on an external connection:
```bash
# Test SMTP from the desktop (via WireGuard VPN when outside)
nc -v mail.yourdomain.net 25
# Should show the mail server's SMTP banner:
# 220 mail.yourdomain.net ESMTP Postfix
# Test IMAPS
nc -v mail.yourdomain.net 993
```
Test the SMTP port management by attempting to connect to an external mail server on port 25 from a device that is not the mail server:
```bash
# From the desktop (should be blocked)
nc -v smtp.gmail.com 25
# Should fail. The block rule's action is Drop, so expect a timeout
# rather than an immediate "connection refused".
```
Once DNS is configured, check that the MX record is published so external mail servers can find the server:
```bash
dig MX yourdomain.net
```
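Enabling Logging on the block rule turns it into a detector as well as a control. The following is an added example (not from this page or from UniFi) that reads the gateway's iptables-style firewall log lines and reports which devices tried to reach port 25 directly, and whether the mail server itself is being dropped, which indicates the rules are misordered. The `[CHAIN-ACTION-INDEX]` prefix format is assumed, and the sample lines and the 10.1.0.20 address are constructed.

```python
import re
from collections import Counter

MAIL_SERVER = "10.1.0.20"  # placeholder for the mail server's 10.1.0.x address

# Each line carries the iptables LOG prefix the gateway adds, [CHAIN-ACTION-INDEX]
# with ACTION A (accept) or D (drop), followed by the kernel's SRC=/DST=/PROTO=/DPT= fields.
TAG_RE = re.compile(r"\[(?P<chain>[A-Z_]+)-(?P<action>[AD])-(?P<index>\d+)\]")
KV_RE = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

# Constructed sample lines in that format (not real log data)
SAMPLE_LOG = """\
Jan 14 10:22:33 gw kernel: [LAN_IN-D-4002]IN=br0 OUT=eth0 SRC=10.1.0.37 DST=203.0.113.25 LEN=60 TTL=63 PROTO=TCP SPT=49152 DPT=25 SYN
Jan 14 10:22:34 gw kernel: [LAN_IN-D-4002]IN=br0 OUT=eth0 SRC=10.1.0.37 DST=198.51.100.10 LEN=60 TTL=63 PROTO=TCP SPT=49153 DPT=25 SYN
Jan 14 10:22:35 gw kernel: [LAN_IN-A-4001]IN=br0 OUT=eth0 SRC=10.1.0.20 DST=203.0.113.25 LEN=60 TTL=63 PROTO=TCP SPT=50000 DPT=25 SYN
Jan 14 10:22:36 gw kernel: [WAN_IN-A-2001]IN=eth0 OUT=br0 SRC=192.0.2.77 DST=10.1.0.20 LEN=60 TTL=52 PROTO=TCP SPT=33333 DPT=25 SYN
Jan 14 10:22:37 gw kernel: [LAN_IN-D-4002]IN=br0 OUT=eth0 SRC=10.1.0.51 DST=203.0.113.25 LEN=60 TTL=63 PROTO=TCP SPT=40000 DPT=25 SYN
""".splitlines()


def parse_line(line):
    """Return (chain, action, fields) for a firewall log line, else None."""
    tag = TAG_RE.search(line)
    if tag is None:
        return None
    return tag["chain"], tag["action"], dict(KV_RE.findall(line))


def smtp_egress_report(lines, mail_server=MAIL_SERVER):
    """Summarise dropped LAN_IN connections to TCP/25: which non-mail-server
    hosts tried (malware or a misconfigured client), and whether the mail
    server itself was dropped, which means the block rule sits above the
    allow rule or the allow rule's source address no longer matches."""
    suspects = Counter()
    mail_server_dropped = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        chain, action, f = parsed
        if chain != "LAN_IN" or action != "D":
            continue
        if f.get("PROTO") != "TCP" or f.get("DPT") != "25":
            continue
        if f.get("SRC") == mail_server:
            mail_server_dropped += 1
        else:
            suspects[f.get("SRC", "?")] += 1
    return {"suspect_hosts": dict(suspects),
            "mail_server_dropped": mail_server_dropped}
```

On the sample data the report names 10.1.0.37 (two attempts) and 10.1.0.51 (one attempt) as hosts to investigate, and a non-zero mail_server_dropped count is the signal to recheck rule order.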
ISP SMTP blocking
Some UK ISPs block outbound port 25 at the network level to prevent residential connections from being used as spam sources. If the mail server cannot send mail directly on port 25, the options are:
- Use a smart host: configure the mail server to relay outbound mail through a trusted SMTP relay service (SparkPost, Mailgun, Amazon SES) rather than delivering directly. The relay handles delivery on port 25 from its non-blocked IP addresses.
- Request port 25 unblocking: some ISPs will unblock port 25 on request for customers who demonstrate a legitimate need. Worth trying before committing to a relay service.
- Use a VPS as a mail relay: run a minimal Postfix instance on a VPS with a clean IP address and relay outbound mail through it. More work, but it keeps the mail infrastructure self-hosted.
Port 25 is the most abused port on the internet. Any mail server exposed on port 25 will receive connection attempts from spammers and scanners within hours of going live. The mail server section covers the fail2ban and rate limiting configuration that handles this. The firewall rules here control what reaches the server. Both layers are necessary.