Ports, Policies, Milters & Security Stack
Service overview for SMTP, submission, Amavis, DKIM/SPF milters, ClamAV/SpamAssassin — plus Dovecot IMAP & LMTP, Apache HTTP Server, pf, Fail2Ban, CleanTalk, Shield Security, and Wordfence.
Service Matrix
| Port / Service | Purpose | Listener | Auth / TLS | Checks & Restrictions | Notes |
|---|---|---|---|---|---|
| 25 / SMTP | Public inbound mail | smtpd | STARTTLS (optional) | Relay gatekeeper; recipient hygiene; HELO FQDN; DKIM/SPF milters | Feeds Amavis content_filter. |
| 10024 | Amavis inbound | smtp-amavis | Local | N/A | Invokes ClamAV & SpamAssassin. |
| 10025 | Amavis reinjection | smtpd | Local | Milters disabled; receive_override_options | Prevents DKIM breakage. |
| 587 / submission | Client submission | smtpd | TLS required; SASL | Relaxed HELO for auth users | Outbound signing path. |
| 465 / smtps | Legacy SMTPS | smtpd | Implicit TLS; SASL | Same as 587 | For legacy clients. |
| 8891 / OpenDKIM | DKIM sign & verify | milter-opendkim | Local | Mode sv | Selector mail. |
| pyspf-milter.sock | SPF verify | pyspf-milter | Local | — | Replaces policyd-spf. |
| 3310 / ClamAV | Antivirus | clamd | Local | — | Called by Amavis. |
| 783 / SpamAssassin | Spam filter | spamd | Local | — | Called by Amavis. |
| 143 / 993 — IMAP (Dovecot) | Mailbox access | dovecot | STARTTLS (143) / SSL (993) | — | Client retrieval (Thunderbird/Outlook/mobile). |
| LMTP — Dovecot | Local Mail Transport | dovecot-lmtp | Unix socket / TCP (24xx) | Receives from Postfix | Final delivery into user mailboxes. |
| 80 / 443 — Apache HTTP Server | Web / API gateway | httpd | TLS (Let’s Encrypt) | mod_security, mod_evasive | Serves WordPress; reverse proxy capability. |
| Fail2Ban | Intrusion prevention | fail2ban-server | Local | Watches logs; bans via pf | Protects Postfix/Dovecot/587. |
| CleanTalk | Cloud anti-spam | WP plugin/API | HTTPS | App-layer filter | Stops form spam pre-mail. |
| pf | Firewall | kernel | Kernel | Network ACLs | Integrates with Fail2Ban. |
| Shield Security | WordPress app firewall | Shield Security | App-layer | 2FA, login rate-limits | Reduces brute-force and form abuse. |
| Wordfence | WordPress WAF & scanner | Wordfence | App-layer | IP reputation, malware scan | Blocks exploits and malicious bots. |
Quick Commands
sockstat -4l | egrep '(:25|:587|:465|:8891|:10024|:10025|:143|:993|:80|:443)' postconf -P | egrep '10025.*(smtpd_milters|non_smtpd_milters|receive_override_options)' opendkim-testkey -d tahoestores.org -s mail -vv tail -f /var/log/maillog