Hi.

Is there any way to limit access to dovecot by domains?

I only need to give access to a well known set of domains, all from
Australia, and all networks are known and used either from people at
home or mobile access (phones, laptops etc).

iptables is not possible as e.g. OPTUS does not give away all of the
networks mobile phones are connected to. I know some, but not all.

It would be much nicer and easier to allow

  optusnet.com.au
  bigpond.com.au
  tpg.com.au

and I have given 100% of our users access.

I know there is an extra field called "allow_nets", I tried this
and failed. I did a search and found that this only works with SQL?

Maybe I could include a script that would check the reverse DNS record
of a connected IP and then I could filter?????

Jobst

--
Why is the man who invests all your money called a broker?
Jobst Schmalenbach, jobst at barrett.com.au, General Manager
Barrett Consulting Group P/L & The Meditation Room P/L
+61 3 9532 7677, POBox 277, Caulfield South, 3162, Australia
use the connect-acl script at
http://www.linux.org.py/wiki/howto/dovecot_connect_acl

or, the post-login script at
http://wiki.dovecot.org/PostLoginScripting

(side note, http://spameatingmonkey.com/ Geo blacklist, for similar
reasons but blocking outsider countries like oh say, china users that
like to brute force)

On 10/13/2010 03:08 AM, Jobst Schmalenbach wrote:
> Hi.
>
> Is there any way to limit access to dovecot by domains.
>
> I only need to give access to a well known set of domains, all from
> Australia and all networks are known and used either from people
> at home or mobile access (phones, laptops etc).
>
> [...]
>
> I know there is an extra field called "allow_nets", I tried this
> and failed. I did a search and found that this only works with SQL?
>
> Maybe I could include a script that would check the reverse DNS record
> of a connected IP and then I could filter?????
>
> Jobst
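The post-login script route suggested above, written out as an added example. This is not code from the thread, from Dovecot, or from the linked connect-acl page. It assumes what the PostLoginScripting page documents: Dovecot hands the client address to the script in the environment variable IP and expects the script to exec "$@" (the real imap/pop3 binary) to let the login proceed; the three ISP suffixes are the ones named in the question, and the `dig` calls assume BIND's dig is installed on the server. The forward-confirmation step is the check any reverse-DNS filter needs: the PTR record for a client address is set by whoever controls that reverse zone, so a PTR that happens to end in ".optusnet.com.au" proves nothing on its own.

```shell
#!/bin/sh
# Added example, not Dovecot's own code: a post-login script that only lets
# the login continue when the client's reverse DNS name ends in a known ISP
# domain AND that name resolves back to the client address.
#
# Assumptions: Dovecot exports the remote address as $IP and passes the
# binary to run as "$@" (per wiki.dovecot.org/PostLoginScripting); dig is
# available.  Suffixes are the ISPs named in the question.
ALLOWED_SUFFIXES=".optusnet.com.au .bigpond.com.au .tpg.com.au"

# hostname_allowed NAME: exit 0 if NAME (any case, optional trailing dot)
# ends in one of ALLOWED_SUFFIXES, 1 otherwise.  Pure string test, no DNS.
hostname_allowed() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    name=${name%.}                      # PTR answers end with a dot
    [ -n "$name" ] || return 1
    for sfx in $ALLOWED_SUFFIXES; do
        case "$name" in
            *"$sfx") return 0 ;;
        esac
    done
    return 1
}

# ptr_name IP: print the first PTR name for IP, or nothing if there is none.
ptr_name() {
    dig +short -x "$1" 2>/dev/null | head -n 1
}

# forward_confirmed NAME IP: exit 0 only if NAME has an A/AAAA record equal
# to IP.  Without this, anyone who controls the reverse zone for their own
# address block can call their host "anything.optusnet.com.au".
forward_confirmed() {
    { dig +short "$1" A 2>/dev/null; dig +short "$1" AAAA 2>/dev/null; } \
        | grep -qx "$2"
}

# ip_allowed IP: the full decision. Leaves the PTR name in $RDNS for logging.
ip_allowed() {
    RDNS=$(ptr_name "$1")
    [ -n "$RDNS" ] || return 1
    hostname_allowed "$RDNS" || return 1
    forward_confirmed "${RDNS%.}" "$1"
}

# Entry point.  Only acts when Dovecot has given us a client ($IP set) and a
# binary to exec ("$@"); when the file is merely sourced, nothing runs.
if [ -n "${IP:-}" ] && [ $# -gt 0 ]; then
    if ip_allowed "$IP"; then
        exec "$@"
    fi
    logger -t dovecot-rdns-acl "rejected ${USER:-?} from $IP (PTR: ${RDNS:-none})"
    exit 1                              # no exec: Dovecot drops the client
fi
```

Wire it in via the service definitions on the PostLoginScripting page (the `executable = imap postlogin` / `script-login` pair). Note what this does not buy you, which is Bill's point further down: every customer of those three ISPs, and every compromised home PC on their networks, still passes the filter, so it is an attack-surface reduction, not a replacement for rate-limiting or fail2ban. It also adds one reverse and one forward lookup to every login, so a slow resolver will show up as slow logins.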
On 13/10/2010 08:08, Jobst Schmalenbach wrote:
> Is there any way to limit access to dovecot by domains.
>
> I only need to give access to a well known set of domains, all from
> Australia and all networks are known and used either from people at
> home or mobile access (phones, laptops etc).

Have you considered using "fail2ban"?

This should then block calling IP addresses based on the suspiciousness
of the activity originating from those addresses.

Also it should mean you wouldn't need to keep housekeeping the list of
allowed networks. So people using networks you hadn't thought of, or
people travelling abroad, would still be able to get access without
having to bother you.

In addition it should cover the case of black hats operating out of (or
bouncing activity through) your semi-trusted list
{optusnet,bigpond,tpg}.com.au.

Bill
On 2010-10-13 4:23 AM, William Blunn wrote:
> Have you considered using "fail2ban"?

+1

Works incredibly well, reliable, flexible... and best of all works for
any other services you run too (not dovecot specific)...

--
Best regards,
Charles
On Wed, 2010-10-13 at 18:08 +1100, Jobst Schmalenbach wrote:
> Maybe I could include a script that would check the reverse DNS record
> of a connected IP and then I could filter?????

Wonder if tcpwrappers would work? You could use that with Dovecot v2.0.
On Thu, Oct 14, 2010 at 03:31:23PM +0100, Timo Sirainen (tss at iki.fi) wrote:
> On Wed, 2010-10-13 at 18:08 +1100, Jobst Schmalenbach wrote:
> > Maybe I could include a script that would check the reverse DNS record
> > of a connected IP and then I could filter?????
>
> Wonder if tcpwrappers would work? You could use that with Dovecot v2.0.

I have read a few things about this, it looks like it's not so good to do
it this way, besides having properly written daemons running from
(x)inetd is a system overhead.

Jobst

--
The reason you cannot think about eternity is because the intellect
which is doing the thinking is an instrument of time and nothing else.
Jobst Schmalenbach, jobst at barrett.com.au, General Manager
Barrett Consulting Group P/L & The Meditation Room P/L
+61 3 9532 7677, POBox 277, Caulfield South, 3162, Australia
> Date: Fri, 15 Oct 2010 15:09:57 +1100
> From: Jobst Schmalenbach <jobst at barrett.com.au>
> Subject: Re: [Dovecot] Limit access to dovecot by domains?
> To: Timo Sirainen <tss at iki.fi>
> Cc: dovecot at dovecot.org
> Message-ID: <20101015040957.GA3232 at senna.barrett.com.au>
> Content-Type: text/plain; charset=us-ascii
>
> On Thu, Oct 14, 2010 at 03:31:23PM +0100, Timo Sirainen (tss at iki.fi) wrote:
> > On Wed, 2010-10-13 at 18:08 +1100, Jobst Schmalenbach wrote:
> > > Maybe I could include a script that would check the reverse DNS record
> > > of a connected IP and then I could filter?????
> >
> > Wonder if tcpwrappers would work? You could use that with Dovecot v2.0.
>
> I have read a few things about this, it looks like it's not so good to do
> it this way, besides having properly written daemons running from
> (x)inetd is a system overhead.

Huh? What are you talking about?

If dovecot has tcpwrapper support and is compiled -DTCPWRAP then it can
run as a standalone daemon and will consult the hosts.allow/deny files,
no need for inetd of any type.

  man 3 hosts_access
  man 5 hosts_access

for details on tuning. Tcpwrapper tuning is far more powerful than people
realise.
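Since the thread ends on tcpwrappers, here is what that route looks like for the domain allowlist the question asked for, as an added example; it is not configuration from the thread or from Dovecot's own documentation. Two assumptions: the `login_access_sockets = tcpwrap` / `service tcpwrap` stanza is the Dovecot v2.0 shape as I remember it and should be checked against the LoginProcess page for your version, and the daemon names `imap` and `pop3` in hosts.allow are assumed to be what Dovecot's login processes pass to libwrap (confirm by denying a test client and reading the log line it produces before relying on it).

```conf
# --- dovecot.conf (v2.0), assumed stanza; verify against your version ---
# Have the login processes ask the tcpwrap service before accepting a client.
login_access_sockets = tcpwrap

service tcpwrap {
  unix_listener login/tcpwrap {
    group = $default_login_user
    mode  = 0600
    user  = $default_login_user
  }
}

# --- /etc/hosts.allow ---
# A leading dot matches any hostname ending in that suffix.  libwrap does
# the reverse lookup, then forward-resolves the name and only matches a
# host pattern when one of the forward addresses equals the client address;
# otherwise the client is treated as PARANOID and no name pattern matches.
# Daemon names "imap"/"pop3" are an assumption (see lead-in).
imap pop3 : .optusnet.com.au .bigpond.com.au .tpg.com.au
imap pop3 : 127.0.0.1 [::1]

# --- /etc/hosts.deny ---
# Everything not matched in hosts.allow is refused.
imap pop3 : ALL
```

The built-in double-reverse check is the practical advantage over a home-grown reverse-DNS script: a forged PTR cannot satisfy a `.optusnet.com.au` pattern because the forward lookup will not point back at the attacker's address. What it does not do is anything about volume, so the fail2ban suggestion earlier in the thread still applies to logins coming from inside the allowed ISPs, and a lookup failure (resolver down) denies everyone, which is the safe default but worth knowing before the first outage.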