The default configuration file dagent.cfg contains the following (view on stash.kopano.io) default configuration:
# binding address for LMTP daemon # change to the empty string if you require connections on other addresses #server_bind =
I’m no expert in this, but as far as I understand the LMTP daemon does not require any authentication.
So by default it binds to all interfaces and therefor if your Kopano Server is on a public IP anyone can deliver mail using port 2003!
(even if not on a public IP, all LAN devices can deliver mail on Port 2003)
Perhaps i misunderstand the implications, but this does not look like a good default configuration to me. Also the description of the setting sounds more like “server_bind = 127.0.01” should follow, without the “#”. Otherwise “change to the empty string” does not make any sense because this is already the default.