Since I've been using this for maybe a year now, maybe someone else is
interested in restricting IMAP and POP logins via libwrap.
In addition to the attached patch (against 1.0.5) to src/login-common/main.c,
src/{imap,pop3}-login/Makefile.in have to be modified to link against libwrap.
Of course, the option needs to be integrated into configure in the long run.
-------------- next part --------------
--- src/login-common/main.c.orig 2007-05-19 13:14:04.000000000 +0200
+++ src/login-common/main.c 2007-11-13 11:53:37.000000000 +0100
@@ -1,5 +1,7 @@
/* Copyright (C) 2002 Timo Sirainen */
+#define LIBWRAP
+
#include "common.h"
#include "ioloop.h"
#include "lib-signals.h"
@@ -18,6 +20,11 @@
#include <unistd.h>
#include <syslog.h>
+#ifdef LIBWRAP
+#include <tcpd.h>
+int allow_severity =0, deny_severity = 0;
+#endif
+
bool disable_plaintext_auth, process_per_connection, greeting_capability;
bool verbose_proctitle, verbose_ssl, verbose_auth;
const char *greeting, *log_format;
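Review bot: `allow_severity` and `deny_severity` are both initialised to 0, which as a syslog priority is `LOG_EMERG`. libwrap uses these two globals as the priority for messages it logs itself, so any such message would presumably go out at emergency level, and allowed and denied connections could not be told apart by priority. The usual values are `int allow_severity = LOG_INFO, deny_severity = LOG_WARNING;`, and `<syslog.h>` is already included two lines above. A one-line comment saying that libwrap requires the application to define these symbols would also help the next reader.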
@@ -69,6 +76,10 @@
unsigned int remote_port, local_port;
struct client *client;
int fd;
+#ifdef LIBWRAP
+ struct request_info req;
+ char daemon[13] = "dovecot-";
+#endif
fd = net_accept(LOGIN_LISTEN_FD, &remote_ip, &remote_port);
if (fd < 0) {
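Review bot: `char daemon[13]` is sized for exactly "dovecot-" plus a four-character protocol name, and the `strlcat()` in the next hunk truncates silently if `login_protocol` is ever longer. A truncated daemon name would match no hosts.allow/hosts.deny entry, and since `hosts_access()` grants access when nothing matches, the check would fail open. I would check the result, `if (strlcat(daemon, login_protocol, sizeof(daemon)) >= sizeof(daemon)) { net_disconnect(fd); return; }`, or build the name with a helper that cannot truncate. The same applies to `char daemon[17]` and its two `strlcat()` calls in the SSL accept path. Separately, the local name `daemon` shadows `daemon()` from `<unistd.h>`, so something like `wrap_name` reads better. The enclosing function starts and ends outside this hunk.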
@@ -77,6 +88,17 @@
return;
}
+#ifdef LIBWRAP
+ strlcat(daemon, login_protocol, sizeof(daemon));
+ request_init(&req, RQ_DAEMON, daemon, RQ_FILE, fd, NULL);
+ fromhost(&req);
+ if (!hosts_access(&req)) {
+ i_info("libwrap: access denied");
+ net_disconnect(fd);
+ return;
+ }
+#endif
+
if (net_getsockname(fd, &local_ip, &local_port) < 0) {
memset(&local_ip, 0, sizeof(local_ip));
local_port = 0;
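Review bot: The denial message `"libwrap: access denied"` records neither the peer address nor the daemon name that was matched, so a rejected connection cannot be attributed or correlated from the log. `remote_ip` was already filled in by `net_accept()`, so this could be `i_info("libwrap: access denied for %s (%s)", net_ip2addr(&remote_ip), daemon);`. The `"libwrap: access-ssl denied"` message in the SSL hunk has the same gap. Also, depending on the rules in the access files (hostname patterns, PARANOID), `hosts_access()` may do blocking DNS lookups inside this accept callback. When one login process serves several connections, that would stall the others, which deserves a comment or a note in the documentation. The function body continues outside this hunk.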
@@ -99,6 +121,10 @@
struct client *client;
struct ssl_proxy *proxy;
int fd, fd_ssl;
+#ifdef LIBWRAP
+ struct request_info req;
+ char daemon[17] = "dovecot-";
+#endif
fd = net_accept(LOGIN_SSL_LISTEN_FD, &remote_ip, &remote_port);
if (fd < 0) {
@@ -107,6 +133,18 @@
return;
}
+#ifdef LIBWRAP
+ strlcat(daemon, login_protocol, sizeof(daemon));
+ strlcat(daemon, "-ssl", sizeof(daemon));
+ request_init(&req, RQ_DAEMON, daemon, RQ_FILE, fd, NULL);
+ fromhost(&req);
+ if (!hosts_access(&req)) {
+ i_info("libwrap: access-ssl denied");
+ net_disconnect(fd);
+ return;
+ }
+#endif
+
if (net_getsockname(fd, &local_ip, &local_port) < 0) {
memset(&local_ip, 0, sizeof(local_ip));
local_port = 0;