dovecot - Apr 2013 - Configuring dovecot to use tcp wrappers

Greetings,

I am looking to implement tcp wrappers with dovecot; I am using the 
following two links as guides to configuration:
http://blog.acsystem.sk/linux/brute-force-attack-dovecot-imap-server-blocking-ip-with-tcp-wrappers
http://wiki2.dovecot.org/LoginProcess (you need to go to the very bottom)

I'm concerned in making the configuration correctly.

If you set
login_access_sockets = tcpwrap
in /etc/dovecot/dovecot.conf

Then everything accessing ports controlled by dovecot (and open by 
iptables) is blocked.

So my question relates to the second part of the configuration examples in 
the links above:

service tcpwrap {
   unix_listener login/tcpwrap {
     group = $default_login_user
     mode = 0600
     user = $default_login_user
   }
}

Where does this code get placed (in dovecot.conf or in one of the files in 
/etc/dovecot/conf.d)?
And regarding $default_login_user, it appears in a comment line in
/etc/dovecot/conf.d/10-master.conf

Should that line be uncommented?

Much thanks.

Max Pyziur
pyz at brama.com


Report of dovecot -n:
pyz at pangea ~> dovecot -n
# 2.1.1: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-358.2.1.el6.x86_64 x86_64 CentOS release 6.4 (Final)
disable_plaintext_auth = no
mail_location = mbox:~/mail:INBOX=/var/spool/mail/%u
mbox_write_locks = fcntl
namespace inbox {
   inbox = yes
   location    mailbox Drafts {
     special_use = \Drafts
   }
   mailbox Junk {
     special_use = \Junk
   }
   mailbox Sent {
     special_use = \Sent
   }
   mailbox "Sent Messages" {
     special_use = \Sent
   }
   mailbox Trash {
     special_use = \Trash
   }
   prefix }
passdb {
   driver = pam
}
ssl = no
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem
userdb {
   driver = passwd
}

On 5.4.2013, at 18.19, Max Pyziur <pyz at brama.com> wrote:
> So my question relates to the second part of the configuration examples in
the links above:
> 
> service tcpwrap {
>  unix_listener login/tcpwrap {
>    group = $default_login_user
>    mode = 0600
>    user = $default_login_user
>  }
> }
> 
> Where does this code get placed (in dovecot.conf or in one of the files in
/etc/dovecot/conf.d)?
Doesn't really matter. I'd put it into conf.d/10-master.conf which has
other services.
> And regarding $default_login_user, it appears in a comment line in
> /etc/dovecot/conf.d/10-master.conf
> 
> Should that line be uncommented?
Just leave it uncommented and it'll use the default value (which it has been
using so far already).

On Thu, 11 Apr 2013, lists-dovecot wrote:
>
>
[... snip ...]
>>
>> I've put in a test ip address in /etc/hosts.deny like so:
>> dovecot: 166.84.1.2
>>
>> And then I execute the following from 166.84.1.2 to port 110:
>> bash-3.2$ telnet SiteWhereImConfiguringDovecot 110
>> Trying SiteWhereImConfiguringDovecot...
>> Connected to SiteWhereImConfiguringDovecot.
>> Escape character is '^]'.
>> +OK Dovecot ready.
>> quit
>> +OK Logging out
>> Connection closed by foreign host.
>>
>> If dovecot is configured with tcp wrappers (which it is; built on
>> a CentOS 6 system, installed and configured per instructions),
>> and the firewall has ports 110 and 143 open,
>> but I'm blocking a particular host through /etc/hosts.deny
>> then I should not be able to telnet to either port 110 or 143; both
>> requests should be blocked from the originating IP, no?
>>
>> Much thanks for your help,
>>
>> Max Pyziur
>> pyz at brama.com
>
>
> What are you using as the service name in hosts.deny? I think it
> should be "imap-login:", (that's what I have as an
> historical/left-over entry) but don't have dovecot configured with
> wrappers on my current centos system so can't test this to be
> certain. Also make certain that you don't have anything in your
> hosts.allow file that would override the hosts.deny entry.
I was using dovecot, until you convinced me to do otherwise.

Putting pop3 in /etc/hosts.deny with the associated ip seems to work, like 
so:
pop3: 166.84.1.2

or imap
imap: 166.84.1.2

(are there any challenges to this?)

Given that services such sendmail and sshd respond to
sshd: xxx.xxx.xxx.xxx
sendmail: xxx.xxx.xxx.xxx

I thought that it should be dovecot: xxx.xxx.xxx.xxx


As a suggestion, can dovecot binaries for distributions such as CentOS and 
Fedora be compiled with tcp wrappers by default?

>   - Richard
Much thanks.

MP
pyz at brama.com

"Max Pyziur" <pyz at brama.com> wrote:
> I've put in a test ip address in /etc/hosts.deny like so:
> dovecot: 166.84.1.2
Maybe

 	imap: 166.84.1.2
 	imaps: 166.84.1.2
 	pop3: 166.84.1.2
 	pop3s: 166.84.1.2

Joseph Tam <jtam.home at gmail.com>