Dovecot with libwrap doesn't work on FreeBSD for some reason or another. I have these lines in my /etc/hosts.allow:

ALL: LOCAL 127.0.0.1: allow
pop3: ALL: allow
ALL: ALL: deny

Yet when you try to telnet to localhost, port 110 this is what happens:

Aug 29 22:48:38 dodo dovecot: pop3-login: Error: connect(tcpwrap) failed: Permission denied

I also tried auth_debug=yes to see what's wrong but it only shows the processes which handled the connection, no extra info with the reason why it failed.

Here's the config:

# 2.0.13: /usr/local/etc/dovecot/dovecot.conf
# OS: FreeBSD 7.4-RELEASE i386
auth_mechanisms = plain login
base_dir = /var/run/dovecot/
disable_plaintext_auth = no
dotlock_use_excl = no
first_valid_uid = 1000
listen = *
login_access_sockets = tcpwrap
login_greeting =
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l %c
mail_location = mbox:~/Mail/:INBOX=/var/mail/%u
mail_log_prefix = "%Us(%u): "
mail_privileged_group = mail
maildir_copy_with_hardlinks = no
passdb {
  driver = pam
}
protocols = pop3
service auth {
  executable = /usr/local/libexec/dovecot/auth
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  user = root
  vsz_limit = 64 M
}
service imap-login {
  chroot = login
  client_limit = 128
  process_limit = 32
  process_min_avail = 3
  service_count = 1
  user = dovecot
  vsz_limit = 32 M
}
service imap {
  drop_priv_before_exec = no
  process_limit = 128
  vsz_limit = 256 M
}
service pop3-login {
  chroot = login
  client_limit = 128
  process_limit = 32
  process_min_avail = 3
  service_count = 1
  user = dovecot
  vsz_limit = 32 M
}
service pop3 {
  drop_priv_before_exec = no
  process_limit = 128
  vsz_limit = 256 M
}
service tcpwrap {
  unix_listener login/tcpwrap {
    group = $default_login_user
    mode = 0600
    user = $default_login_user
  }
}
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_cipher_list = ALL:!LOW
ssl_key = </etc/ssl/private/dovecot.pem
userdb {
  driver = passwd
}
verbose_proctitle = yes
protocol imap {
  imap_client_workarounds = delay-newmail tb-extra-mailbox-sep
}
protocol pop3 {
  pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
  pop3_uidl_format = %08Xu%08Xv
}
protocol lda {
  postmaster_address = postmaster at europrima.ro
  sendmail_path = /usr/sbin/sendmail
}

On Mon, 2011-08-29 at 13:26 -0700, Gelu Lupas wrote:

> Aug 29 22:48:38 dodo dovecot: pop3-login: Error: connect(tcpwrap) failed: Permission denied

Service permissions are set wrong.

> service imap-login {
>   user = dovecot
> }
> service pop3-login {
>   user = dovecot
> }

You have explicitly changed the login process user above.

> service tcpwrap {
>   unix_listener login/tcpwrap {
>     group = $default_login_user

This group isn't right. The default is taken from user's default group, so just don't set it.

>     user = $default_login_user

Here you're using default_login_user, which most likely isn't the same as what the login processes are using ("dovecot").

So your solution is to remove the explicit user=dovecot from login services and then possibly set default_login_user=dovecot if you really want that (dovenull user is the default and preferred one).
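
The mismatch diagnosed in the reply above can be checked mechanically. The following is an added example, not part of the original thread and not Dovecot code: it reads doveconf-style text and reports login services whose user differs from the owner of an owner-only login/tcpwrap socket. The function names, the embedded sample, and the fallback of root for an unset listener user are assumptions.

```python
# Constructed sample: the relevant parts of the configuration posted above.
SAMPLE = """\
service pop3-login {
  user = dovecot
}
service imap-login {
  user = dovecot
}
service tcpwrap {
  unix_listener login/tcpwrap {
    group = $default_login_user
    mode = 0600
    user = $default_login_user
  }
}
"""

def parse(conf):
    """Flatten nested blocks into {(block, ..., key): value}."""
    out, stack = {}, []
    for raw in conf.splitlines():
        line = raw.strip()
        if line.endswith("{"):
            stack.append(" ".join(line[:-1].split()))
        elif line == "}":
            stack.pop()
        elif "=" in line and not line.startswith("#"):
            key, val = (p.strip() for p in line.split("=", 1))
            out[tuple(stack + [key])] = val
    return out

def tcpwrap_mismatches(conf, login_services=("pop3-login", "imap-login")):
    """Return (service, service_user, socket_owner) for each login service
    whose user differs from the owner of an owner-only tcpwrap socket."""
    s = parse(conf)
    # dovenull is the default login user, per the reply above.
    default = s.get(("default_login_user",), "dovenull")
    sock = ("service tcpwrap", "unix_listener login/tcpwrap")
    # Assumption: an unset listener user means root, unset mode means 0600.
    owner = s.get(sock + ("user",), "root").replace("$default_login_user", default)
    mode = int(s.get(sock + ("mode",), "0600"), 8)
    if mode & 0o022:  # group/other may connect: not decidable from config alone
        return []
    users = ((n, s.get((f"service {n}", "user"), default)) for n in login_services)
    return [(n, u, owner) for n, u in users if u != owner]

if __name__ == "__main__":
    for name, user, owner in tcpwrap_mismatches(SAMPLE):
        print(f"{name} runs as {user} but login/tcpwrap is owned by {owner} (0600)")
```

On the posted configuration it reports both login services; with the explicit user lines removed, or with default_login_user=dovecot set, it reports nothing.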