GreenArrow Documentation

Firewall Configuration

This document lists the firewall openings needed for a typical GreenArrow installation.

Incoming Firewall Openings

| Protocol | Source | Notes |
|---|---|---|
| SMTP (TCP port 25) | Any | Needed to receive incoming mail, including asynchronous bounces and spam complaints. |
| SMTP (TCP port 587) | SMTP clients | Only needed if you’re injecting mail using SMTP from outside your firewall. |
| QMQP (TCP port 628) | QMQP clients | Only needed if you’re injecting mail using QMQP from outside your firewall. |
| QMQP-streaming (TCP port 629) | QMQP-streaming clients | Only needed if you’re injecting mail using QMQP-streaming from outside your firewall. |
| POP3 (TCP port 110) | Any | Only needed if POP clients will connect to GreenArrow Engine from outside your firewall. |
| HTTP (TCP port 80) | Any | Only needed if you’re using GreenArrow Studio or GreenArrow Engine’s click, open or unsubscribe tracking features, or accessing GreenArrow’s management interface via HTTP. See the HTTP Server’s “URI Filtering” documentation for information on restricting access by URI prefix. You may use a non-default port for HTTP by updating the /var/hvmail/control/httpd.listen file. |
| HTTPS (TCP port 443) | Any | See the HTTP notes above. HTTPS’ TCP port may be customized by updating the /var/hvmail/control/httpd.ssl.listen file. |
| SSH (TCP port 22) | 64.21.76.5, 207.99.58.128/28 | Used for remotely administering your installation. You should also allow 104.196.149.69 if GreenArrow is providing managed backups. |
| PostgreSQL (TCP port 5432) | 64.21.76.5 | Used if GreenArrow is providing deliverability consulting. This opening isn’t required, but it does make deliverability consulting more efficient. |
| Nagios (TCP port 5666) | 64.21.76.38 | Used if GreenArrow is providing server monitoring. |
| All | 127.0.0.1 (localhost) | Some of GreenArrow’s services require communication on localhost. Accepting communications from localhost is required. |
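
The incoming openings above, written as a default-deny nftables ruleset. This is an added example, not GreenArrow's own configuration; it assumes nftables is the host firewall, and the table and set names, the 203.0.113.10 and 198.51.100.0/24 placeholder addresses, and the ICMP rule are illustrative additions that do not come from the table.

```nftables
#!/usr/sbin/nft -f
# Added example: inbound policy built from the "Incoming Firewall Openings" table.
# Assumed names: ga_filter, ga_admin, local_admin, injectors.

# Create-then-delete makes a reload idempotent without touching other tables.
table inet ga_filter
delete table inet ga_filter

table inet ga_filter {
    # GreenArrow remote administration sources (SSH row).
    # Add 104.196.149.69 here if GreenArrow provides managed backups.
    set ga_admin {
        type ipv4_addr
        flags interval
        elements = { 64.21.76.5, 207.99.58.128/28 }
    }
    # Placeholder: your own administration hosts, which the table does not list.
    set local_admin {
        type ipv4_addr
        flags interval
        elements = { 203.0.113.10 }
    }
    # Placeholder: SMTP/QMQP clients that inject mail from outside the firewall.
    set injectors {
        type ipv4_addr
        flags interval
        elements = { 198.51.100.0/24 }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop
        iif "lo" accept                              # localhost row: required
        meta l4proto { icmp, ipv6-icmp } accept      # not in the table: keeps PMTU/ND working

        tcp dport 25 accept                          # incoming mail, bounces, complaints
        tcp dport { 80, 443 } accept                 # Studio, tracking, management UI
        ip saddr @ga_admin tcp dport 22 accept
        ip saddr @local_admin tcp dport 22 accept
        ip saddr @injectors tcp dport { 587, 628, 629 } accept  # drop this rule if injection is internal only

        # Optional rows: uncomment only when the service in the Notes column is in use.
        # tcp dport 110 accept                        # POP3 from outside the firewall
        # ip saddr 64.21.76.5 tcp dport 5432 accept   # deliverability consulting
        # ip saddr 64.21.76.38 tcp dport 5666 accept  # Nagios monitoring
    }
}
```

Validate the file with nft -c -f before loading it, and load it from a console session so that a mistake in the SSH sets cannot lock you out. No output chain is defined, so outgoing traffic stays unrestricted.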

Outgoing Firewall Openings

We recommend that only advanced system administrators restrict outgoing firewall access. These are the ports that we recommend keeping open on the firewall for outgoing access.

| Protocol | Destination | Notes |
|---|---|---|
| SMTP (TCP port 25) | Any | Needed to send mail. |
| DNS (UDP and TCP port 53) | Any | GreenArrow Engine runs its own DNS caching server in order to boost performance. |
| SSH (TCP port 22) | 64.21.76.5, 216.118.105.13 | Used for retrieving software updates. |
| HTTP and HTTPS (TCP ports 80 and 443) | 64.21.76.28, 207.99.125.74 | 64.21.76.28 is used for software installation and updates. 207.99.125.74 is used for API calls to GreenArrow Monitor. Other openings may be needed during the setup process in order to connect to your Linux distribution’s package repositories. Other openings may be required to use the “download from web page” feature in GreenArrow Studio. |
| NTP (UDP port 123) | 216.118.105.14 | Needed to keep system clock in sync. |
| Other | | Connections to any of your systems that GreenArrow will be integrating with. For example, MySQL connections would be made to port 3306. |