Opening the Proper Firewall Ports


You have 2 options:

  1. If you are using a standalone SpammerTrap, you can open up all ports to and from the SpammerTrap and let the SpammerTrap firewall decide what to do. This is the easier of the two options. If your corporate policy allows all the ports to be open, this is the recommended option. SECNAP has included a stateful firewall on the SpammerTrap designed to keep unwanted traffic out of your SpammerTrap.
  2. You can open up only specified ports to and from the SpammerTrap. Many ports are used (besides TCP 25) for various functions, including access to distributed spam checksum databases, real time blacklists and updates. However, if your corporate practices require that only specific ports be used, you can modify your existing firewall to allow for this communication. If you do not or cannot open the following ports, the functionality will be significantly reduced.


Note: Failure to open all listed ports will result in a loss of accuracy.

Internet to SpammerTrap

  • TCP 25 (SMTP); used to receive email
  • ICMP 3, 4, 11, and 12; diagnostics, not pings
  • TCP 113 (identd); used when communicating with some older email servers
  • TCP 80 (http); allow external users access to SpammerTrap Web interface for quarantine release
  • TCP 443 (https); required to allow authenticated user access to SpammerTrap Web interface


SpammerTrap to Internet

  • TCP 25 (SMTP); used to send NDR’s, notifications, bounces, and mail messages
  • TCP/UDP 53 (DNS); used to do real-time blacklist lookups and MX lookups. DNS records larger than 256B are transferred over TCP rather than UDP.
  • TCP 43 (whois); used to look up information on email senders in the email reports section.
  • TCP 80 (http); used for real-time updates of the built-in Anti-Virus database files. If the SpammerTrap sits behind a web proxy, exclude it from the proxy if possible. Contact SECNAP for further assistance.
  • UDP 123 (NTP); used to maintain an accurate date/time on the SpammerTrap
  • TCP 443 (SECNAP Updates); encrypted tunnel used to distribute updates to the SpammerTrap
  • TCP 2703 (Vipul’s Razor); Distributed spam checksum database, see http://razor.sourceforge.net
  • UDP 6277 (DCC); Distributed Checksum Clearinghouse, a spam scoring database, see www.dcc-servers.net/dcc/FAQ.html#firewall-ports
  • TCP 587 (Submission); used to report spammers to SpamCop


Internal Network (LAN) to SpammerTrap

  • TCP 25 (SMTP); used to accept direct SMTP connection from internal clients (if allowed in email firewall on SpammerTrap)
  • TCP 80 (http); web based quarantine release interface
  • TCP 443 (https); web based authenticated users
  • ICMP 3, 4, 5, 8, 11, and 12; Pings and diagnostics for your own internal health check monitoring


SpammerTrap to Internal network (LAN)

  • TCP 25 (SMTP); to deliver email to corporate mailserver
  • TCP 110 (pop3); only if used for authentication with internal mailserver
  • TCP 143 (imap); only if used for authentication with internal mailserver and/or public mail folders
  • TCP 389 and 636 (ldap/ldaps); only if used for username and valid recipient lookup
  • TCP/UDP 53 (DNS); used to make local DNS queries


What if I use a static or port filtering firewall?

For a static firewall, you will need all of the above ports, plus:

  • Allow established TCP connections back in
  • For UDP, treat them like you would DNS UDP entries
  • Since UDP does not have an established bit, you must allow the TARGET back in
  • This could be considered a security issue but the SpammerTrap will handle unwanted connections

Example:

  • UDP query from SpammerTrap to the outside world
  • UDP SpammerTrap:1023 to external DNS:53
  • The firewall has to allow the external reply back in, since the SpammerTrap does not know what the target is
  • UDP All:53 to SpammerTrap:1023-65535
  • The same applies to UDP 123 and 6277; see the DCC link above for information
  • ICMP: allow ICMP returns for types 3, 4, 8, 11, and 12

NOTE: The SpammerTrap has a built-in firewall, so the easiest option is to allow any > any to/from the SpammerTrap.
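As an added example (not SECNAP's own configuration), the script below emits the two Internet-facing port tables as iptables rules, first for a stateful firewall and then the extra return rules a static (port-filtering) firewall needs; the SpammerTrap address is a placeholder, and the LAN tables follow the same pattern.

```shell
#!/bin/sh
# Added example: emit iptables rules for the "open only specified ports" option.
# Placeholders: ST is the SpammerTrap address; IPT defaults to a dry run that
# prints the rules (set IPT=iptables to install them).
ST=${ST:-192.0.2.10}
IPT=${IPT:-echo iptables}

# Stateful firewall: one rule per listed port; replies are matched by conntrack.
stateful_rules() {
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Internet -> SpammerTrap: SMTP in, web quarantine interface, identd, ICMP diagnostics
    for p in 25 80 113 443; do
        $IPT -A FORWARD -p tcp -d "$ST" --dport "$p" -j ACCEPT
    done
    for t in 3 4 11 12; do
        $IPT -A FORWARD -p icmp -d "$ST" --icmp-type "$t" -j ACCEPT
    done
    # SpammerTrap -> Internet: SMTP, whois, DNS over TCP, AV and SECNAP updates, SpamCop, Razor
    for p in 25 43 53 80 443 587 2703; do
        $IPT -A FORWARD -p tcp -s "$ST" --dport "$p" -j ACCEPT
    done
    # DNS, NTP and DCC run over UDP
    for p in 53 123 6277; do
        $IPT -A FORWARD -p udp -s "$ST" --dport "$p" -j ACCEPT
    done
}

# Static (port-filtering) firewall: no connection tracking, so return traffic
# needs explicit rules in addition to everything in stateful_rules.
static_return_rules() {
    # TCP: let established connections back in (anything that is not a new SYN)
    $IPT -A FORWARD -p tcp -d "$ST" ! --syn -j ACCEPT
    # UDP has no established bit: allow replies from any server on 53/123/6277
    # back to the SpammerTrap's source-port range from the example above
    for p in 53 123 6277; do
        $IPT -A FORWARD -p udp -d "$ST" --sport "$p" --dport 1023:65535 -j ACCEPT
    done
    # ICMP returns for the diagnostic types listed above
    for t in 3 4 8 11 12; do
        $IPT -A FORWARD -p icmp -d "$ST" --icmp-type "$t" -j ACCEPT
    done
}

stateful_rules
static_return_rules
```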