In today's Internet, there are many illegitimate connections being made to the mail submission port (587/tcp). The connections are probably being used to guess valid user name and password combinations that can then be used to log in. Each connection consumes a process and network state, which slows the system down: in effect, a denial of service attack. This can be stopped by using the firewall to allow access to the port only from IMAP/POP3 (dovecot) users.
This is done by:
- create a dovecot firewall zone
- permanently add port 587/tcp to the zone
- permanently add the source ipset:dovecot to the zone
- run a daemon that calls "doveadm who" to update the dovecot ipset
In practice, IP addresses will never be removed from the dovecot ipset because those IP addresses are unlikely to be attacking us.
The downside is that users need to check their email before sending any mail, unless their IP address is already in the dovecot ipset. The exception is for computers in other zones that are authorized to access the mail submission port.
dovecot is assumed to be running on just one node. This daemon needs to run on the same node. Users should send email using the same node.
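The following script is an added example of the setup and daemon described above; it is not part of the original note. It assumes firewalld with ipset support, root privileges for the "setup" and "daemon" modes, and that "doveadm who -1" prints one line per connection with the client IP as the last column. The zone and ipset names (dovecot, dovecot6), the poll interval, and the sample "doveadm who" output are assumptions; the second ipset for IPv6 clients goes beyond the note, which describes a single ipset.

```shell
#!/bin/sh
# dovecot-ipset.sh: allow 587/tcp only to hosts that have already
# authenticated to dovecot over IMAP/POP3 (added example, not the note's code).
# Assumes firewalld with ipset support and "doveadm who -1" output whose
# last column is the client IP. Zone/ipset names and INTERVAL are assumptions.

ZONE=dovecot
IPSET=dovecot                # IPv4 set; "${IPSET}6" holds IPv6 clients
INTERVAL=${INTERVAL:-30}     # seconds between "doveadm who" polls

# One-time setup (run as root): create the ipsets and the zone, open
# 587/tcp in the zone, make the ipsets the zone's sources, then reload so
# the permanent configuration becomes the running one.
setup_firewall() {
    firewall-cmd --permanent --new-ipset="$IPSET" --type=hash:ip
    firewall-cmd --permanent --new-ipset="${IPSET}6" --type=hash:ip --option=family=inet6
    firewall-cmd --permanent --new-zone="$ZONE"
    firewall-cmd --permanent --zone="$ZONE" --add-port=587/tcp
    firewall-cmd --permanent --zone="$ZONE" --add-source="ipset:$IPSET"
    firewall-cmd --permanent --zone="$ZONE" --add-source="ipset:${IPSET}6"
    firewall-cmd --reload
}

# Read "doveadm who -1" output on stdin and print the distinct client IPs,
# one per line. Only the last field of each line is considered, and the
# header line ("... ip") is dropped because "ip" is neither an IPv4
# dotted quad nor an IPv6 literal.
extract_client_ips() {
    awk 'NF >= 2 { print $NF }' \
      | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$|^[0-9a-fA-F:]*:[0-9a-fA-F:.]*$' \
      | LC_ALL=C sort -u
}

# Pick the ipset by address family: anything containing ':' is IPv6.
ipset_for() {
    case "$1" in
        *:*) printf '%s\n' "${IPSET}6" ;;
        *)   printf '%s\n' "$IPSET" ;;
    esac
}

# Add one client IP permanently (survives reload/reboot, matching the
# note's "never removed" policy) and at runtime (takes effect at once).
# --query-entry exits 0 when the entry is already present, so unchanged
# clients cost one firewall-cmd call per poll.
add_client_ip() {
    set_name=$(ipset_for "$1")
    if ! firewall-cmd --quiet --permanent --ipset="$set_name" --query-entry="$1"; then
        firewall-cmd --quiet --permanent --ipset="$set_name" --add-entry="$1"
        firewall-cmd --quiet --ipset="$set_name" --add-entry="$1"
        printf 'added %s to ipset %s\n' "$1" "$set_name"
    fi
}

# Poll loop: must run on the node where dovecot runs (doveadm reads the
# local session list).
run_daemon() {
    while :; do
        doveadm who -1 | extract_client_ips | while read -r ip; do
            add_client_ip "$ip"
        done
        sleep "$INTERVAL"
    done
}

# Constructed sample of "doveadm who -1" output (addresses are documentation
# ranges, not real clients), used for the offline demo and tests.
SAMPLE_WHO_OUTPUT='username                  proto pid   ip
alice@example.com         imap  2101  192.0.2.10
alice@example.com         imap  2102  192.0.2.10
bob@example.com           pop3  2140  198.51.100.7
carol@example.com         imap  2150  2001:db8::5'

case "${1:-demo}" in
    setup)  setup_firewall ;;
    daemon) run_daemon ;;
    *)      printf '%s\n' "$SAMPLE_WHO_OUTPUT" | extract_client_ips ;;
esac
```

Run "dovecot-ipset.sh setup" once, then keep "dovecot-ipset.sh daemon" running (for example as a systemd service) on the dovecot node; with no argument it only parses the embedded sample, so it can be tried on a machine without firewalld. Two connections from the same client collapse to one entry, and the header line is discarded by the address filter rather than by position, so the parser does not break if the header is absent.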