Gitea A painless self-hosted Git service

Hence the recommendation to keep the access to localhost

Need to rephrase this: it listens on ::5321 ; firewall “keeps” it on the localhost.

If the port is opened, it should respond to http://fqdn:5321.

Then the question is: should we change the protocol to https? Personally I dislike using https for the localhost…

What do you recommend?

I’d just keep the reverse proxy to localhost, so we stay flexible and can do cert settings in httpd via web UI.
Sorry, it wasn’t clear from my statement.

Don’t be sorry, I like this conversation :grinning:

And I was not so clear either:
I meant: what if someone opens the port to red/green and sends passwords etc. unencrypted? Should we take measures against this misconfiguration and use https://::5321? May be done conditionally…

That must never be done, one has to use a reverse proxy. I think it’s done in the same way with other apps (SOGo, guacamole, …).

SOGo example:

<Location /SOGo>
    ProxyPass http://127.0.0.1:20000/SOGo retry=0
    ProxyPassReverse http://127.0.0.1:20000/SOGo
    SetEnv proxy-nokeepalive 1
</Location>

In other words: Reverse proxy from HTTPS to HTTPS may be too much.

1 Like

Meanwhile your comments (mailfrom and removal of conf) are processed! thanx

1 Like

An option to prevent this would be to enforce the db prop value with a force/ db entry. For me, documenting it is more than enough (…service runs on localhost and is accessible through a reverse proxy. Changing service access is discouraged and can lead to security issues or unexpected behaviour).

https can have a little performance penalty.
Don’t know, could a vulnerable service sniff or ex-filtrate traffic from another one?

2 Likes

Thank you both!

Short recap:

  • Use the default (localhost) certificate in apache configuration
  • Examine if the gitea daemon really needs a certificate, if possible drop it (love to do it KISS :grin:)
  • Clarify documentation regarding keeping access for the service on the localhost - or - enforce db entry (first thought/feeling is the documentation option)

EDIT
Turns out we do not need a certificate for the daemon as long as the daemon uses http.
(resulting commit)

1 Like
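As an added example illustrating both the SOGo-style reverse proxy above and the recap (Apache terminates HTTPS with its default certificate, the daemon speaks plain HTTP on localhost only), here is an Apache vhost for Gitea written for this thread. It is not code from the thread, the Gitea project or the NethServer module; the hostname git.example.org, the certificate paths and the backend port 5321 are assumptions taken from the discussion.

```apache
# Added example (not from the thread or the Gitea/NethServer module): Apache
# terminates TLS and reverse-proxies to a Gitea daemon that listens on plain
# HTTP on loopback only. Hostname, certificate paths and port 5321 are assumed.

# Plain HTTP only redirects to HTTPS, so credentials never travel unencrypted,
# even if someone later points a browser at the http:// URL.
<VirtualHost *:80>
    ServerName git.example.org
    Redirect permanent / https://git.example.org/
</VirtualHost>

<VirtualHost *:443>
    ServerName git.example.org

    SSLEngine on
    # Reuse the certificate already managed via the server web UI (the
    # "default (localhost) certificate" from the recap); paths are placeholders.
    SSLCertificateFile    /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

    # Never let mod_proxy act as an open forward proxy.
    ProxyRequests Off
    # Keep the original Host header so Gitea builds correct absolute links.
    ProxyPreserveHost On
    # Tell the backend the client connection was HTTPS.
    RequestHeader set X-Forwarded-Proto "https"

    # Same pattern as the SOGo snippet: backend on 127.0.0.1, http, no TLS.
    # Binding the daemon to 127.0.0.1 (not [::]) means it stays unreachable
    # from red/green even if the firewall rule is opened by mistake.
    ProxyPass        / http://127.0.0.1:5321/ retry=0
    ProxyPassReverse / http://127.0.0.1:5321/
</VirtualHost>
```

This needs mod_ssl, mod_proxy, mod_proxy_http and mod_headers loaded. On the Gitea side (assumption, not shown in the thread) the matching settings live in the [server] section of app.ini: PROTOCOL = http, HTTP_ADDR = 127.0.0.1, HTTP_PORT = 5321 and ROOT_URL = https://git.example.org/, so the daemon never needs its own certificate and cannot be reached except through the proxy. A quick check after a restart is ss -ltn: the 5321 socket should be bound to 127.0.0.1, not to 0.0.0.0 or [::].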

Started a port list in the wiki.

3 Likes