On Sun, 14 May 2023, Daniel Miller via dovecot wrote:
> I only allow explicit service traffic through. IMAPS, SMTPS, etc. If doveadm is communicating via the IMAP(S) ports then all I can do via firewall is block countries. Which of course I can but I'm asking about any additional hardening for Dovecot itself.
Maybe you want to show your configuration, and in particular the dsync_remote_cmd and the service doveadm { } part (where you define the listening port).
Normally (AFAIK anyway) the port used (12345 in the example in https://wiki.dovecot.org/Replication) is *not* the IMAP(S) port, so you must have set it to something.
For replication I'd recommend using a VPN, so that the dovecot instances communicate over the tunnel, and are thus immune to anything from the outside world.
Cheers.
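As an added illustration of the advice above (this is not configuration posted by either participant, and is written in Dovecot 2.3 syntax), the fragment below shows the two settings the reply asks about, with the doveadm listener bound to a tunnel address instead of every interface. The host names, the 10.8.0.0/24 tunnel addresses, the vmail user and the shared secret are placeholders chosen for the example.

```conf
# Added example, not from the thread: dsync replication over a VPN tunnel.
# Side A is 10.8.0.1 on the tunnel, its peer (side B) is 10.8.0.2.
# Placeholders: tunnel addresses, the vmail user and the doveadm password.

# Weak form to avoid: a listener with no address (Dovecot defaults to "*, ::")
# plus a public host name in mail_replica, e.g.
#   service doveadm { inet_listener { port = 12345 } }
#   plugin { mail_replica = tcp:mail-b.example.com:12345 }
# That exposes the doveadm protocol on every interface, and the packet filter
# becomes the only thing standing between the internet and the replicator.

# Hardened form: the doveadm TCP listener only accepts on the tunnel address.
service doveadm {
  inet_listener {
    address = 10.8.0.1
    port = 12345
  }
}

# Both sides need the same port and password. The password is the only
# authentication the doveadm protocol performs, so make it long and random.
doveadm_port = 12345
doveadm_password = REPLACE-WITH-A-LONG-RANDOM-SECRET

# Address the peer by its tunnel address, never by its public name.
# (tcps: would add TLS on top; the ssh-based remote: form uses dsync_remote_cmd
# instead and needs no doveadm listener at all.)
mail_plugins = $mail_plugins notify replication
plugin {
  mail_replica = tcp:10.8.0.2:12345
}

# Replicator and aggregator services as in the Dovecot replication wiki page.
service replicator {
  process_min_avail = 1
}
service aggregator {
  fifo_listener replication-notify-fifo {
    user = vmail
  }
  unix_listener replication-notify {
    user = vmail
  }
}
```

After reloading, `doveconf -n` should show the `address` line inside `service doveadm`, and `ss -ltn` on the host should list 12345 only on the tunnel address, not on 0.0.0.0 or [::]. Side B mirrors this with the addresses swapped.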