Greetings,
I am looking to implement tcp wrappers with dovecot; I am using the
following two links as guides to configuration:
http://blog.acsystem.sk/linux/brute-force-attack-dovecot-imap-server-blocking-ip-with-tcp-wrappers
http://wiki2.dovecot.org/LoginProcess (you need to go to the very bottom)
I'm concerned with making the configuration correctly.
If you set
login_access_sockets = tcpwrap
in /etc/dovecot/dovecot.conf
Then everything accessing ports controlled by dovecot (and open by
iptables) is blocked.
So my question relates to the second part of the configuration examples in
the links above:
service tcpwrap {
  unix_listener login/tcpwrap {
    group = $default_login_user
    mode = 0600
    user = $default_login_user
  }
}
Where does this code get placed (in dovecot.conf or in one of the files in
/etc/dovecot/conf.d)?
And regarding $default_login_user, it appears in a comment line in
/etc/dovecot/conf.d/10-master.conf
Should that line be uncommented?
Much thanks.
Max Pyziur
pyz at brama.com
Report of dovecot -n:
pyz at pangea ~> dovecot -n
# 2.1.1: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-358.2.1.el6.x86_64 x86_64 CentOS release 6.4 (Final)
disable_plaintext_auth = no
mail_location = mbox:~/mail:INBOX=/var/spool/mail/%u
mbox_write_locks = fcntl
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
ssl = no
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem
userdb {
  driver = passwd
}

On 5.4.2013, at 18.19, Max Pyziur <pyz at brama.com> wrote:

> So my question relates to the second part of the configuration examples in the links above:
>
> service tcpwrap {
>   unix_listener login/tcpwrap {
>     group = $default_login_user
>     mode = 0600
>     user = $default_login_user
>   }
> }
>
> Where does this code get placed (in dovecot.conf or in one of the files in /etc/dovecot/conf.d)?

Doesn't really matter. I'd put it into conf.d/10-master.conf which has other services.

> And regarding $default_login_user, it appears in a comment line in
> /etc/dovecot/conf.d/10-master.conf
>
> Should that line be uncommented?

Just leave it uncommented and it'll use the default value (which it has been using so far already).

On Thu, 11 Apr 2013, lists-dovecot wrote:
>
> [... snip ...]
>>
>> I've put in a test ip address in /etc/hosts.deny like so:
>> dovecot: 166.84.1.2
>>
>> And then I execute the following from 166.84.1.2 to port 110:
>> bash-3.2$ telnet SiteWhereImConfiguringDovecot 110
>> Trying SiteWhereImConfiguringDovecot...
>> Connected to SiteWhereImConfiguringDovecot.
>> Escape character is '^]'.
>> +OK Dovecot ready.
>> quit
>> +OK Logging out
>> Connection closed by foreign host.
>>
>> If dovecot is configured with tcp wrappers (which it is; built on
>> a CentOS 6 system, installed and configured per instructions),
>> and the firewall has ports 110 and 143 open,
>> but I'm blocking a particular host through /etc/hosts.deny
>> then I should not be able to telnet to either port 110 or 143; both
>> requests should be blocked from the originating IP, no?
>>
>> Much thanks for your help,
>>
>> Max Pyziur
>> pyz at brama.com
>
>
> What are you using as the service name in hosts.deny? I think it
> should be "imap-login:", (that's what I have as an
> historical/left-over entry) but don't have dovecot configured with
> wrappers on my current centos system so can't test this to be
> certain. Also make certain that you don't have anything in your
> hosts.allow file that would override the hosts.deny entry.

I was using dovecot, until you convinced me to do otherwise.

Putting pop3 in /etc/hosts.deny with the associated ip seems to work, like so:
pop3: 166.84.1.2

or imap
imap: 166.84.1.2

(are there any challenges to this?)

Given that services such as sendmail and sshd respond to
sshd: xxx.xxx.xxx.xxx
sendmail: xxx.xxx.xxx.xxx

I thought that it should be
dovecot: xxx.xxx.xxx.xxx

As a suggestion, can dovecot binaries for distributions such as CentOS and Fedora be compiled with tcp wrappers by default?

> - Richard

Much thanks.

MP
pyz at brama.com
"Max Pyziur" <pyz at brama.com> wrote:> I've put in a test ip address in /etc/hosts.deny like so: > dovecot: 166.84.1.2Maybe imap: 166.84.1.2 imaps: 166.84.1.2 pop3: 166.84.1.2 pop3s: 166.84.1.2 Joseph Tam <jtam.home at gmail.com>