imap/993 and smtp/465 connections

I have allowed TCP ports 993,465,80,443 through my Cisco layer 3 switch ACL for the docker host which houses the nextcloud container. Nextcloud is running as “network_mode=host” on the docker host and the config.php reflects this. I can login no problem.

Whenever I enable the ACL for that subnet I cannot access my email and nextcloud sits there unable to connect. If I remove the Cisco firewall ACL I connect with the email no problem. If I look at the docker host (Nextcloud server) connection states I never see anything related to ports 993 (IMAP) or 465 (SMTP) for SYN_SENT or ESTABLISHED.

How does the Nextcloud server connect to somebody’s email? Does it use a proxy, i.e. is some server at nextcloud using my email configuration and credentials to connect? It sure doesn’t seem to be using my IMAP and SMTP ports that I can tell.

Also, does the nextcloud app use the local DNS of the Docker server? As said earlier it is running as “network_mode=host” on the docker server.

I just want to know how it works so I can fix my firewall.

I’m not familiar with Cisco ACLs, but have you restricted any outbound ports from the Nextcloud host?

I’m asking because, for inbound traffic, ports 443 and 80 are usually all that’s needed, probably as well 22 for SSH. However, there should be no need to restrict anything outbound from the Nextcloud host. If you do need to restrict outbound traffic for whatever reason, I’d say at least ports 53 (DNS) and 465/993 should be allowed for Nextcloud Mail to be able to connect to external SMTPS and IMAP servers.

1 Like

In addition:
Nextcloud mail app does not contain a mailserver. The app only can access an external mailserver via IMAP and SMTP.

1 Like

Cisco ACLs are best placed at the egress point of the subnet. This keeps processor usage to a minimum on the switch/router. Nothing is filtered inbound and the DNS server is in the same subnet (doesn’t hit the ACL to be filtered) and is working and doing its job for the entire network and has been doing so successfully for some time. Not the problem.

I just need to know how Nextcloud handles the email from the server’s perspective and I’ll take it from there. When I don’t see ports being opened I’m wondering WTH is going on here and I’m left with “It’s something Nextcloud is doing”. Whatever it’s talking to I don’t see IMAP or SMTP ports being opened so I thought I would ask here what is going on underneath the hood.

That would make sense except I have those ports allowed out of the firewall and the hitcount is not going up. I am even looking at the TCP/IP connections on the docker host where Nextcloud is running and am not seeing those ports being used or even a TCP/IP synchronize attempt on those mail ports.

To add to my confusion if I remove the ACL and Nextcloud has wide open access to the Internet and I can access my email then I’m still not seeing those ports being opened on the docker host. So I’m like WTH is going on here? Shrug.

I might just need to do a port monitor on my switch and do a packet capture or run tcpdump on the docker host. But if my traffic is being hidden in HTTPS I may still be in the dark about what is going on.

Just want to know how Nextcloud handles this.

When it comes to Nextcloud Mail, it works like any other email client. This means it needs to be able to connect to an email service or server using SMTP/SMTPS for sending emails and IMAP/IMAPS for retrieving them.

If we’re talking about Nextcloud notification emails, which can be configured under Administration settings → Basic settings → Email server, then only the SMTP part is needed.

2 Likes
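A small diagnostic for the situation in this thread (is it DNS, the ACL dropping the SYN, or the mail service itself?), added here as an example and not code from the thread or the Nextcloud project. Run it on the docker host against your real IMAP/SMTP host; `imap.example.com`, `probe` and `probe_mail_host` are placeholder names chosen for this example.

```python
import socket
import ssl

# Outbound ports Nextcloud Mail needs, as stated in the answers above.
MAIL_PORTS = {"imaps": 993, "smtps": 465}


def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Return a one-word diagnosis for an outbound TLS connection to host:port.

    'dns-failure'  name does not resolve (check DNS / port 53 from this host)
    'timeout'      SYN sent, nothing came back (typical of an ACL/firewall drop)
    'refused'      peer answered with RST (reachable, but no service on the port)
    'tls-error'    TCP connected but the TLS handshake failed
    'ok'           TLS handshake completed; the path through the firewall works
    """
    try:
        sockaddr = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)[0][4]
    except socket.gaierror:
        return "dns-failure"
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection(sockaddr[:2], timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.getpeercert()  # handshake done; server presented a cert
                return "ok"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except ssl.SSLError:
        return "tls-error"
    except OSError:
        return "unreachable"


def probe_mail_host(host: str) -> dict:
    """Probe both mail ports and map service name -> diagnosis."""
    return {name: probe(host, port) for name, port in MAIL_PORTS.items()}


def free_local_port() -> int:
    """Pick a currently unused TCP port on loopback (used for self-checks)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "imap.example.com"  # placeholder
    for name, status in probe_mail_host(host).items():
        print(f"{name:6} {MAIL_PORTS[name]:>4} {status}")
```

A `timeout` on 993/465 while DNS resolves points at the ACL dropping the SYN; `refused` or `ok` means the packets are leaving the host and the firewall is not the problem.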

You may find some of the Mail app’s logging and troubleshooting options helpful:

1 Like