Hi,

I am running dovecot 1.2.11 on mac osx 1.5.8. Everything works perfectly with the application-level firewall off, but enabling the application firewall prevents dovecot connections. I have tried explicitly authorizing dovecot in the firewall, but it does not work. I have searched everywhere I can think of to look, and haven't found a solution, but have seen a couple other reports of what seems to be the same problem. The firewall logs the activity with what looks like a corrupt process name: a typical appfirewall.log entry looks like:

Aug 26 20:43:45 hostname Firewall[55]: Deny ^L connecting from XX.XX.XX.XX:37310 uid = 0 proto=6
Aug 26 20:43:53 hostname Firewall[55]: Deny ^H?^U???^Z connecting from XX.XX.XX.XX:37310 uid = 0 proto=6
Aug 26 20:44:09 hostname Firewall[55]: Deny ^L connecting from XX.XX.XX.XX:37310 uid = 0 proto=6
Aug 26 20:44:34 hostname Firewall[55]: Deny ^L connecting from XX.XX.XX.XX:37312 uid = 0 proto=6
Aug 26 20:44:45: --- last message repeated 6 times ---

where "hostname" is my server name and the XX's are my client's IP address. For all of the other services I've used, the process name (e.g. dovecot) should appear after "Deny" when blocking traffic, instead of the funny characters. Any advice on how I could resolve this issue would be greatly appreciated.

Thanks!
Patrick Fay put forth on 8/26/2010 10:21 PM:
> Hi,
> I am running dovecot 1.2.11 on mac osx 1.5.8. Everything works
> perfectly with the application-level firewall off, but enabling the
> application firewall prevents dovecot connections. I have tried
> explicitly authorizing dovecot in the firewall, but it does not work. I
> have searched everywhere I can think of to look, and haven't found a
> solution, but have seen a couple other reports of what seems to be the
> same problem. The firewall logs the activity with what looks like a
> corrupt process name: a typical appfirewall.log entry looks like:
>
> Aug 26 20:43:45 hostname Firewall[55]: Deny ^L connecting from
> XX.XX.XX.XX:37310 uid = 0 proto=6
> Aug 26 20:43:53 hostname Firewall[55]: Deny ^H?^U???^Z connecting from
> XX.XX.XX.XX:37310 uid = 0 proto=6
> Aug 26 20:44:09 hostname Firewall[55]: Deny ^L connecting from
> XX.XX.XX.XX:37310 uid = 0 proto=6
> Aug 26 20:44:34 hostname Firewall[55]: Deny ^L connecting from
> XX.XX.XX.XX:37312 uid = 0 proto=6
> Aug 26 20:44:45: --- last message repeated 6 times ---
>
> where "hostname" is my server name and the XX's are my client's IP
> address. For all of the other services I've used, the process name
> (e.g. dovecot) should appear after "Deny" when blocking traffic, instead
> of the funny characters. Any advice on how I could resolve this issue
> would be greatly appreciated. Thanks!

The application level firewall in OSX is aimed at _client_ use, not server use. It's similar to Novell's AppArmor, etc. Leave it turned off.

Simply because a piece of software (in this case an OS) offers any given option does not mean every system needs it. Can you offer a compelling reason why you _need_ the OSX application level firewall enabled? Please point us to documentation that advises using it for any of your services/daemons.

--
Stan
>> Hi,
>> I am running dovecot 1.2.11 on mac osx 1.5.8. Everything works
>> perfectly with the application-level firewall off, but enabling the
>> application firewall prevents dovecot connections. I have tried
>> explicitly authorizing dovecot in the firewall, but it does not work. I
>> have searched everywhere I can think of to look, and haven't found a
>> solution, but have seen a couple other reports of what seems to be the
>> same problem. The firewall logs the activity with what looks like a
>> corrupt process name: a typical appfirewall.log entry looks like:
>>
>> Aug 26 20:43:45 hostname Firewall[55]: Deny ^L connecting from
>> XX.XX.XX.XX:37310 uid = 0 proto=6
>> Aug 26 20:43:53 hostname Firewall[55]: Deny ^H?^U???^Z connecting from
>> XX.XX.XX.XX:37310 uid = 0 proto=6
>> Aug 26 20:44:09 hostname Firewall[55]: Deny ^L connecting from
>> XX.XX.XX.XX:37310 uid = 0 proto=6
>> Aug 26 20:44:34 hostname Firewall[55]: Deny ^L connecting from
>> XX.XX.XX.XX:37312 uid = 0 proto=6
>> Aug 26 20:44:45: --- last message repeated 6 times ---
>>
>> where "hostname" is my server name and the XX's are my client's IP
>> address. For all of the other services I've used, the process name
>> (e.g. dovecot) should appear after "Deny" when blocking traffic, instead
>> of the funny characters. Any advice on how I could resolve this issue
>> would be greatly appreciated. Thanks!
>
> The application level firewall in OSX is aimed at _client_ use, not
> server use. It's similar to Novell's AppArmor, etc. Leave it turned off.
>
> Simply because a piece of software (in this case an OS) offers any given
> option does not mean every system needs it. Can you offer a compelling
> reason why you _need_ the OSX application level firewall enabled?
> Please point us to documentation that advises using it for any of your
> services/daemons.
>
> --
> Stan

Hi,

I was hoping to use the application firewall because this machine gets used both as a server as well as a client machine for more general use. I haven't been able to find any specific documentation for it, but I have found that the firewall works fine with postfix and several file services I use (enabling/disabling works as expected, process names get logged as expected, etc).

Thanks!

Patrick
>>>> Hi,
>>>> I am running dovecot 1.2.11 on mac osx 1.5.8. Everything works
>>>> perfectly with the application-level firewall off, but enabling the
>>>> application firewall prevents dovecot connections. I have tried
>>>> explicitly authorizing dovecot in the firewall, but it does not work. I
>>>> have searched everywhere I can think of to look, and haven't found a
>>>> solution, but have seen a couple other reports of what seems to be the
>>>> same problem. The firewall logs the activity with what looks like a
>>>> corrupt process name: a typical appfirewall.log entry looks like:
>>>>
>>>> Aug 26 20:43:45 hostname Firewall[55]: Deny ^L connecting from
>>>> XX.XX.XX.XX:37310 uid = 0 proto=6
>>>> Aug 26 20:43:53 hostname Firewall[55]: Deny ^H?^U???^Z connecting from
>>>> XX.XX.XX.XX:37310 uid = 0 proto=6
>>>> Aug 26 20:44:09 hostname Firewall[55]: Deny ^L connecting from
>>>> XX.XX.XX.XX:37310 uid = 0 proto=6
>>>> Aug 26 20:44:34 hostname Firewall[55]: Deny ^L connecting from
>>>> XX.XX.XX.XX:37312 uid = 0 proto=6
>>>> Aug 26 20:44:45: --- last message repeated 6 times ---
>>>>
>>>> where "hostname" is my server name and the XX's are my client's IP
>>>> address. For all of the other services I've used, the process name
>>>> (e.g. dovecot) should appear after "Deny" when blocking traffic, instead
>>>> of the funny characters. Any advice on how I could resolve this issue
>>>> would be greatly appreciated. Thanks!
>>>
>>>
>>
>> I was hoping to use the application firewall because this machine gets used both as a server as well as a client machine for more general use. I haven't been able to find any specific documentation for it, but I have found that the firewall works fine with postfix and several file services I use (enabling/disabling works as expected, process names get logged as expected, etc). Thanks!
>>
>> Patrick
>
> So, you're running Dovecot and Postfix on a laptop? WTF?
>
> --
> Stan

Hi,

Sorry for the confusion--no laptop involved. Postfix, dovecot, etc, are all running on an intel-based desktop mac (a mac pro).

Patrick
Hi,

Thanks everyone for your help and input. I think perhaps my attempt to be brief and focused in posing my question has led to some confusion about my needs and configuration.

I do not have the luxury of being able to segregate the server (postfix and dovecot) from the client (GUI, etc) on different machines. I am, as Charles surmised, using this to aggregate disparate mail streams into a single location, and using dovecot to serve it. Since I must run client-ish applications on this machine, the application firewall is desirable. The anticipated load on this system from the server side is quite light, so the throughput overhead incurred by the application firewall is negligible.

The problem appears to be that--for some reason--dovecot identifies itself incorrectly to the application firewall, resulting in the garbage shown in the logs and failure to permit the connection (the firewall is configured to explicitly permit connections for dovecot). I note that other daemons (e.g. postfix, sshd, etc) do not exhibit this defect; the firewall works as expected for every other service I've tried except dovecot. The logs for the firewall appear as:

Aug 26 20:43:45 hostname Firewall[55]: Deny ^L connecting from XX.XX.XX.XX:37310 uid = 0 proto=6
Aug 26 20:43:53 hostname Firewall[55]: Deny ^H?^U???^Z connecting from XX.XX.XX.XX:37310 uid = 0 proto=6

Both of these are dovecot hits--but the name is different each time. Also the ?'s aren't really "?" marks; they're trans-ascii characters with high bits set that my mailer doesn't like very much. It really looks like a misdirected pointer or something somewhere, but I'm not familiar enough with the codebase to know where to start looking, or if in fact it is something else that is misconfigured.

Any thoughts on how to resolve this?

Patrick
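As an added illustration, not part of the thread, here is a small Python triage script that parses appfirewall.log decision lines in the format quoted above and flags Deny entries whose process-name field contains control or high-bit bytes, which is exactly the symptom being described. The log lines are constructed samples (placeholder IPs, stand-in bytes for what the poster's mailer rendered as ^L and ^H?^U???^Z), and the field names in the regex are this script's own choices.

```python
import re

# Constructed sample lines modelled on the appfirewall.log format in the thread.
# The bytes in the process-name field of the first two lines stand in for ^L and
# ^H?^U???^Z; 192.0.2.x addresses are documentation placeholders.
SAMPLE_LOG = [
    "Aug 26 20:43:45 hostname Firewall[55]: Deny \x0c connecting from 192.0.2.10:37310 uid = 0 proto=6",
    "Aug 26 20:43:53 hostname Firewall[55]: Deny \x08\xe9\x15\xf3\xc2\x1a connecting from 192.0.2.10:37310 uid = 0 proto=6",
    "Aug 26 20:44:09 hostname Firewall[55]: Deny dovecot connecting from 192.0.2.10:37311 uid = 0 proto=6",
    "Aug 26 20:44:20 hostname Firewall[55]: Allow smtpd connecting from 192.0.2.11:51002 uid = 0 proto=6",
    "Aug 26 20:44:45: --- last message repeated 6 times ---",
]

# One decision line. The process name is captured lazily so that whatever bytes
# sit between the action and " connecting from" land in the 'proc' group.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) Firewall\[(?P<pid>\d+)\]: "
    r"(?P<action>Allow|Deny) (?P<proc>.*?) connecting from "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) uid = (?P<uid>\d+) proto=(?P<proto>\d+)$"
)


def proc_name_is_sane(name):
    """A real process name is non-empty, printable ASCII with no whitespace.
    Control characters or high-bit bytes, as in the thread's log, fail this."""
    return bool(name) and all(0x21 <= ord(c) <= 0x7E for c in name)


def parse_line(line):
    """Parse one line into a dict; None for lines carrying no decision
    (e.g. '--- last message repeated N times ---')."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("pid", "port", "uid", "proto"):
        rec[key] = int(rec[key])
    rec["proc_sane"] = proc_name_is_sane(rec["proc"])
    return rec


def triage(lines):
    """Return (all parsed records, Deny records with a garbled process name).
    A Deny under an unprintable name means no per-application allow rule could
    have matched it, which is why an explicit dovecot entry had no effect."""
    records = [r for r in map(parse_line, lines) if r is not None]
    garbled = [r for r in records if r["action"] == "Deny" and not r["proc_sane"]]
    return records, garbled
```

Print garbled records with `repr(r["proc"])` rather than the raw string so the control and high-bit bytes stay visible instead of mangling the terminal.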
> On 8/29/2010 8:51 PM, Patrick Fay wrote:
>> Aug 26 20:43:45 hostname Firewall[55]: Deny ^L connecting from XX.XX.XX.XX:37310 uid = 0 proto=6
>> Aug 26 20:43:53 hostname Firewall[55]: Deny ^H?^U???^Z connecting from XX.XX.XX.XX:37310 uid = 0 proto=6
>>
>> Both of these are dovecot hits--but the name is different each time.
>> Also the ?'s aren't really "?" marks; they're trans-ascii characters
>> with high bits set that my mailer doesn't like very much. It really
>> looks like a misdirected pointer or something somewhere, but I'm not
>> familiar enough with the codebase to know where to start looking, or
>> if in fact it is something else that is misconfigured. Any thoughts
>> on how to resolve this?
>
> Dovecot version?
>
> --
>
> Best regards,
>
> Charles

My apologies--dovecot version 1.2.11.

Patrick
On 2010/08/28 at 16:57, pfay at nd.edu (Patrick Fay) wrote:
>>>>> Hi,
>>>>> I am running dovecot 1.2.11 on mac osx 1.5.8. Everything works
>>>>> perfectly with the application-level firewall off, but enabling the
>>>>> application firewall prevents dovecot connections.

My suggestion would be to turn the application-level firewall in "System Preferences" off and, if you feel the need for a firewall, use something like ipfw instead:

<http://developer.apple.com/mac/library/documentation/Darwin/Reference/ManPages/man8/ipfw.8.html>

It comes set up with the following configuration:

# ipfw show
65535 0 0 allow ip from any to any

So, you would have to configure it as you see fit. Not as convenient as "System Preferences", but it should allow you to write a firewall configuration that works with Dovecot.