List,

we are planning a new configuration to which we'll migrate an existing installation shortly. We are hoping to use Dovecot LMTP and have a query about the wiki entry for LMTP

http://wiki2.dovecot.org/LMTP

where it suggests this config:

service lmtp {
  inet_listener lmtp {
    address = 192.168.0.24 127.0.0.1 ::1
    port = 24
  }
}

Does this example mean that LMTP will only listen for input messages from the interface with IP address 192.168.0.24 (plus localhost)? If so, I probably haven't understood how LMTP is intended to work. Is there a reason why we want to limit LMTP to listening for messages from a specific IP on the network? I need to understand that so that I replace ...24 with a suitable host interface that exists on our LAN (we don't have a host at 192.168.0.24).

Apologies for what must seem, to people using LMTP, a very basic question. Nevertheless, I would be grateful for any clarification.

regards, Ron
On 14.11.2014 15:15, Ron Leach wrote:
> List, we are planning a new configuration to which we'll migrate an
> existing installation shortly. We are hoping to use Dovecot LMTP and
> have a query about the wiki entry for LMTP
>
> http://wiki2.dovecot.org/LMTP
>
> where it suggests this config:
>
> service lmtp {
>   inet_listener lmtp {
>     address = 192.168.0.24 127.0.0.1 ::1
>     port = 24
>   }
> }
>
> Does this example mean that LMTP will only listen for input messages
> from the interface with IP address 192.168.0.24 (plus localhost)? If
> so, I probably haven't understood how LMTP is intended to work. Is
> there a reason why we want to limit LMTP to listening for messages from
> a specific IP on the network?

No, it *listens* on those IPs. The "address" exists for all other services too; a server likely has more than one interface / IP.

You don't need to have lmtpd listen on any IP in most cases, or better said: in most cases 127.0.0.1 is just enough, because the MTA is running on the same machine.

If it comes to security you have two choices:

* reject a port from anything but localhost
* just have the service not listening, so it doesn't need to be protected, which is the way to go

On a machine with more than one NIC (public interface and LAN) you hardly have a reason for lmtpd listening on the WAN interface, but on the one connected to the LAN where 1, 2, 20 MTAs deliver their messages.

________________________________________________________

Other practical example:

* dovecot is acting as proxy
* on the same machine dbmail is listening on 127.0.0.1:143 and 127.0.0.1:110 - so both can use the standard port

service imap-login {
  inet_listener imap {
    address = 192.168.196.2
    port = 143
  }
}

service pop3-login {
  inet_listener pop3 {
    address = 192.168.196.2
    port = 110
  }
}
Hello Ron,

On 14/11/2014 15:15, Ron Leach wrote:
>
> Does this example mean that LMTP will only listen for input messages
> from the interface with IP address 192.168.0.24 (plus localhost)? If
> so, I probably haven't understood how LMTP is intended to work. Is
> there a reason why we want to limit LMTP to listening for messages
> from a specific IP on the network? I need to understand that so that
> I replace ...24 with a suitable host interface that exists on our LAN
> (we don't have a host at 192.168.0.24).
>

No, it *listens* on those addresses (port 24).

LMTP is intended for local mail transfer. The best way to use it, if dovecot LDA and MTA are on the same machine, is to use a unix socket like this (example for postfix):

service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}

If you prefer to use an inet listener, do it only for the needed addresses (not public / internet-facing ones) or reject unauthorized networks.

-FM
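An added check that applies the advice in both replies to a dovecot.conf fragment (example code written for this thread, not from anyone posting here or from the Dovecot project): it parses the service / inet_listener blocks and flags any listener bound to a wildcard or public address, so an lmtp or imap listener that ended up on the WAN side shows up before the migration goes live. It assumes the plain "name {" / "key = value" / "}" subset of Dovecot's syntax and runs on a constructed sample config.

```python
import ipaddress

# Constructed sample in dovecot's service / inet_listener syntax: the lmtp block is the
# wiki example from the thread; the imap listener shows the wide-open binding the replies warn about.
SAMPLE_CONF = """service lmtp {
  inet_listener lmtp {
    address = 192.168.0.24 127.0.0.1 ::1
    port = 24
  }
}
service imap-login {
  inet_listener imap {
    address = 0.0.0.0
    port = 143
  }
}"""

def parse_listeners(conf):
    """Return (service, listener, [addresses], port) for every inet_listener block."""
    stack, found = [], []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments; blank lines match nothing below
        if line.endswith("{"):  # block start: "service lmtp {" / "inet_listener lmtp {"
            kind, _, name = line[:-1].strip().partition(" ")
            stack.append({"kind": kind, "name": name.strip(), "cfg": {}})
        elif line == "}":  # block end: report inet_listener blocks with their parent service
            block = stack.pop()
            if block["kind"] == "inet_listener":
                service = stack[-1]["name"] if stack else ""
                addrs = block["cfg"].get("address", "*").split()  # no address = all interfaces
                found.append((service, block["name"], addrs, block["cfg"].get("port")))
        elif "=" in line and stack:
            key, _, val = line.partition("=")
            stack[-1]["cfg"][key.strip()] = val.strip()
    return found

def exposure(addr):
    """Classify one listen address as loopback, private, wildcard (all interfaces) or public."""
    ip = ipaddress.ip_address("0.0.0.0" if addr == "*" else addr.strip("[]"))
    if ip.is_unspecified:  # "*", 0.0.0.0 and :: bind every interface, WAN side included
        return "wildcard"
    if ip.is_loopback:
        return "loopback"
    return "private" if ip.is_private else "public"

def audit(conf, allowed=("loopback", "private")):
    """List listeners bound outside the allowed classes; port = 0 disables a listener in Dovecot."""
    return [(svc, name, a, port, exposure(a))
            for svc, name, addrs, port in parse_listeners(conf) if port != "0"
            for a in addrs if exposure(a) not in allowed]
```

Passing allowed=("loopback",) reproduces the stricter stance from the first reply, where even the LAN address is reported so you can decide whether that listener should exist at all.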