dovecot - Oct 2010 - Limit access to dovecot by domains?

Hi.

Is there any way to limit access to dovecot by domains.

I only need to give access to a well known set of domains, all from 
Australia and all networks are known and used either from people
at home or mobile access (phones, laptops etc).

iptables is not possible as e.g. OPTUS does not give away all of the 
networks mobile phones are connected to. I know some, but not all.

It would be much nicer and easier to allow 

  optusnet.com.au
  bigpond.com.au
  tpg.com.au

and I have given 100% of our users access.


I know there is an extra field called "allow_nets", I tried this
and failed. I did a search and found that this only works with SQL?


Maybe I could include a script that would check the reverse DNS record
of a connected IP and then I could filter?????


Jobst





-- 
Why is the man who invests all your money called a broker?

  | |0| |   Jobst Schmalenbach, jobst at barrett.com.au, General Manager
  | | |0|   Barrett Consulting Group P/L & The Meditation Room P/L
  |0|0|0|   +61 3 9532 7677, POBox 277, Caulfield South, 3162, Australia

use the connect-acl script at
http://www.linux.org.py/wiki/howto/dovecot_connect_acl

or, the post-login script at http://wiki.dovecot.org/PostLoginScripting

(side note, http://spameatingmonkey.com/ Geo blacklist, for similar
reasons but blocking outsider countries like oh say, china users that
like to brute force)

On 10/13/2010 03:08 AM, Jobst Schmalenbach wrote:
> Hi.
>
> Is there any way to limit access to dovecot by domains.
>
> I only need to give access to a well known set of domains, all from 
> Australia and all networks are known and used either from people
> at home or mobile access (phones, laptops etc).
>
> iptables is not possible as e.g. OPTUS does not give away all of the 
> networks mobile phones are connected to. I know some, but not all.
>
> It would be much nicer and easier to allow 
>
>   optusnet.com.au
>   bigpond.com.au
>   tpg.com.au
>
> and I have given 100% of our users access.
>
>
> I know there is an extra field called "allow_nets", I tried this
> and failed. I did a search and found that this only works with SQL?
>
>
> Maybe I could include a script that would check the reverse DNS record
> of a connected IP and then I could filter?????
>
>
> Jobst
>
>
>
>
>

On 13/10/2010 08:08, Jobst Schmalenbach wrote:
> Is there any way to limit access to dovecot by domains.
>
> I only need to give access to a well known set of domains, all from 
> Australia and all networks are known and used either from people at 
> home or mobile access (phones, laptops etc).
Have you considered using "fail2ban" ?

This should then block calling IP addresses based on the suspiciousness 
of the activity originating from those addresses.

Also it should mean you wouldn't need to keep housekeeping the list of 
allowed networks. So people using networks you hadn't thought of, or 
people travelling abroad, would still be able to get access without 
having to bother you.

In addition it should cover the case of black hats operating out of (or 
bouncing activity through) your semi-trusted list  
{optusnet,bigpond,tpg}.com.au.

Bill

On 2010-10-13 4:23 AM, William Blunn wrote:
> Have you considered using "fail2ban" ?
+1

Works incredibly well, reliable, flexible... and best of all works for
any other services you run too (not dovecot specific)...

-- 

Best regards,

Charles

On Wed, 2010-10-13 at 18:08 +1100, Jobst Schmalenbach wrote:
> Maybe I could include a script that would check the reverse DNS record
> of a connected IP and then I could filter?????
Wonder if tcpwrappers would work? You could use that with Dovecot v2.0.

On Thu, Oct 14, 2010 at 03:31:23PM +0100, Timo Sirainen (tss at iki.fi)
wrote:
> On Wed, 2010-10-13 at 18:08 +1100, Jobst Schmalenbach wrote:
> 
> > Maybe I could include a script that would check the reverse DNS record
> > of a connected IP and then I could filter?????
> 
> Wonder if tcpwrappers would work? You could use that with Dovecot v2.0.
I have read a few things about this, it looks like its not so good to do it this
way,
besides having proper written daemons running from (x)inted is a system
overhead.


Jobst


-- 
The reason you cannot think about eternity is because the intellect which is
doing the thinking is an instrument of time and nothing else.

  | |0| |   Jobst Schmalenbach, jobst at barrett.com.au, General Manager
  | | |0|   Barrett Consulting Group P/L & The Meditation Room P/L
  |0|0|0|   +61 3 9532 7677, POBox 277, Caulfield South, 3162, Australia

> Date: Fri, 15 Oct 2010 15:09:57 +1100
 > From: Jobst Schmalenbach <jobst at barrett.com.au>
 > Subject: Re: [Dovecot] Limit access to dovecot by domains?
 > To: Timo Sirainen <tss at iki.fi>
 > Cc: dovecot at dovecot.org
 > Message-ID: <20101015040957.GA3232 at senna.barrett.com.au>
 > Content-Type: text/plain; charset=us-ascii
 >
 > On Thu, Oct 14, 2010 at 03:31:23PM +0100, Timo Sirainen (tss at iki.fi) 
wrote:
 > > > On Wed, 2010-10-13 at 18:08 +1100, Jobst Schmalenbach wrote:
 > > >
 > >> > > Maybe I could include a script that would check the
reverse
DNS record
 > >> > > of a connected IP and then I could filter?????
 > > >
 > > > Wonder if tcpwrappers would work? You could use that with
Dovecot
v2.0.
 >
 > I have read a few things about this, it looks like its not so good to 
do it this way,
 > besides having proper written daemons running from (x)inted is a 
system overhead.

Huh? What are you talking about?

If dovecot has tcpwrapper support and is compiled -DTCPWRAP then it can 
run as a standalone daemon and will consult the hosts.allow/deny files, 
no need for inetd of any type. man 3 hosts_access

man 5 hosts_access for details on tuning. Tcpwrapper tuning is far more 
powerful than people realise.