Yes.

Stealth is overrated IMHO. Closed is fine if you are wanting to keep others out.

Greetings and thank you for your assistance!

I am concerned about the security of the mercury mail server.

I have installed xampp and phplist. I have configured several users in mercury e-mail server for testing phplist e-mail listserv running on xampp. Thunderbird is installed and configured to view the e-mail sent/received by the users in mercury mail. Everything is on localhost.

Mercury is running SMTP on port 25 of my system. Thunderbird uses IMAP on port 143 to retrieve messages. I have a firewall, but I want to be sure that no one can remotely access mercury/thunderbird on my system as a way to break in. What do I need to do to secure this local e-mail testing environment? Any assistance/resources you can provide are greatly appreciated! Thank you!

PS. I am also open to recommendations on the protocols to use, POP vs. IMAP for example.  I just want a basic testing environment that I can use to send/receive e-mails to simulate a production server environment.

You need to get a router and block ports 25, 143 and 110 from the outside world.  With these ports blocked there will not be any way for the bad guys to get to Mercury.  I would be more worried about XAMPP (Apache and PHP) since it's available to the outside world and if port 80 is not blocked coming in it's possible they they will attack you this way.

Setting the SMTP server as an open relay is the most common (and probably most damaging) misconfiguration when setting up Mercury.

Carefully read the help section on relaying and authentication for MercS.

SSL can be used to secure client connections for all modules, to avoid clear-text password transmission.

As Thomas said, if the mail ports are not accessable from the outside, nothing can be done.

If you are going to have a problem, it will be with PHP.... [:P]

Thank you all very much!  I will look into blocking port 80 from the outside world as well.  I've been looking into my router settings, but it's not obvious how to block connections from other computers on specific ports.  I will continue researching it.  So once I get these ports blocked from all computers besides localhost, then I should be able to test the mail server and send/receive e-mails at localhost without encrypting anything or configuring any other security settings in mercury/thunderbird right?

Is there a program you would recommend to ping/check the port status of my machine to ensure these ports are not accessible after I update the router settings?

Unless you specifically add a forwarding rule for any port to your LAN ip address, it will NOT be available from outside.

The "Shields Up" test at grc.com is a good tool for open port checking.

The tools at mxtoolbox.com are also handy for mail servers specifically.

Thanks for the additional resources!  Shields Up is a great test!  All my ports came back in stealth mode as I suspected from my firewall settings.  This is the case regardless of whether xampp/mercury are running or not.  I am under the impression that this means outsiders will be unable to connect to these ports.  Is this correct?