Hello,

I run dovecot-2/Maildir/LDAP user/passdb and would like to be able to deny access to users who connect from certain domains/IPs (google.com for instance, since in that case they gave their credentials to a third party).

My understanding is that I cannot use some negative form of "allow_nets". The only mechanism I can think of is tcp_wrappers. However, the dovecot documentation mentions it only in the dovecot-1 section. Does it work the same way with dovecot-2? Is it a bad idea (I'm thinking of the induced overhead)? Can you see another way to blacklist (at dovecot application level) some sources?

Thanks

-- 
Thomas Hummel | Institut Pasteur
<hummel at pasteur.fr> | Pôle informatique - systèmes et réseau
On Wed, 2011-02-09 at 11:57 +0100, Thomas Hummel wrote:
> My understanding is that I cannot use some negative form of "allow_nets". The
> only mechanism I can think of is tcp_wrappers. However, the dovecot documentation
> mentions it only in the dovecot-1 section. Does it work the same way with dovecot-2?
> Is it a bad idea (I'm thinking of the induced overhead)?
> Can you see another way to blacklist (at dovecot application level) some sources?

If tcpwrappers supports it, then it should be pretty easy with v2.0, as long as Dovecot was compiled with support for it:

login_access_sockets = tcpwrap

There is of course some extra overhead, mainly from doing a reverse DNS lookup for all connections, but since that's what you want it can't be avoided. Or if you have some known good IP ranges, you can add e.g.:

remote 192.168.0.0/24 {
  login_access_sockets =
}
On Thu, Feb 10, 2011 at 12:58:29AM +0200, Timo Sirainen wrote:
> If tcpwrappers supports it, then it should be pretty easy with v2.0, as
> long as Dovecot was compiled with support for it:
>
> login_access_sockets = tcpwrap

I tried this (dovecot is compiled with support for tcpwrappers) but I get:

dovecot: imap-login: Error: connect(tcpwrap) failed: No such file or directory

Besides, my understanding is that with dovecot linked to libwrap, I can avoid spawning imap-login through inetd. Is that correct?

Thanks

-- 
Thomas Hummel | Institut Pasteur
<hummel at pasteur.fr> | Pôle informatique - systèmes et réseau
On 02/11/2011 01:05 PM Thomas Hummel wrote:
> I tried this (dovecot is compiled with support for tcpwrappers) but I get:
>
> dovecot: imap-login: Error: connect(tcpwrap) failed: No such file or directory
>
> Besides, my understanding is that with dovecot linked to libwrap, I can
> avoid spawning imap-login through inetd. Is that correct?
>
> Thanks
>

You have to configure also a service for the tcpwrapper:

service tcpwrap {
  unix_listener login/tcpwrap {
    group = $default_login_user
    mode = 0600
    user = $default_login_user
  }
}

Regards,
Pascal
-- 
The trapper recommends today: fabaceae.1104213 at localdomain.org
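Putting Timo's setting and Pascal's service block together with the tcp_wrappers rules that actually do the denying, here is a complete v2.0 configuration as an added example. It is not from the thread, the Dovecot documentation or the Dovecot project; the file paths, the trusted range 192.168.0.0/24, the blocked range 203.0.113.0/24 and the daemon names "imap"/"pop3" that the login processes are assumed to pass to libwrap are all assumptions of this example.

```conf
# Added example, not from the thread or the Dovecot project.
# Assumptions: the conf.d path, the IP ranges used below, and that the
# daemon name libwrap sees is the protocol of the login process
# ("imap" for imap-login, "pop3" for pop3-login).

# --- /etc/dovecot/conf.d/20-tcpwrap.conf ---

# Every login process asks the tcpwrap service before accepting a client.
login_access_sockets = tcpwrap

# The checker the login processes connect to. Without this service the
# login process logs "connect(tcpwrap) failed: No such file or directory".
service tcpwrap {
  unix_listener login/tcpwrap {
    group = $default_login_user
    mode = 0600
    user = $default_login_user
  }
}

# Optional: for a trusted range skip the check and its reverse-DNS cost.
# An empty value clears the access-socket list for these clients only.
remote 192.168.0.0/24 {
  login_access_sockets =
}

# --- /etc/hosts.allow ---
# Rules are evaluated top to bottom and the first match wins, so the DENY
# lines must precede the catch-all ALLOW. Domain patterns depend on the
# client's reverse DNS; PARANOID denies clients whose reverse and forward
# lookups disagree, so a forged PTR record cannot dodge the domain rule.
imap, pop3 : PARANOID : DENY
imap, pop3 : .google.com : DENY
imap, pop3 : 203.0.113.0/255.255.255.0 : DENY
imap, pop3 : ALL : ALLOW
```

After editing, run `doveconf -n` to check that the service and the `login_access_sockets` setting are picked up, then connect from a host inside and outside the denied ranges and watch the imap-login log lines: a denied client is dropped before authentication, so its credentials never reach the passdb.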
On Fri, Feb 11, 2011 at 01:11:15PM +0100, Pascal Volk wrote:
> You have to configure also a service for the tcpwrapper:
>
> service tcpwrap {
>   unix_listener login/tcpwrap {
>     group = $default_login_user
>     mode = 0600
>     user = $default_login_user
>   }
> }

Oh yes, thanks.

Also, is tcpwrap compatible with service_count = 0 in the imap-login {} service?

-- 
Thomas Hummel | Institut Pasteur
<hummel at pasteur.fr> | Pôle informatique - systèmes et réseau