[Dovecot] LMTP ignoring tcpwrappers

Harm Weites harm at vevida.nl
Mon Jan 23 22:52:34 EET 2012


Timo Sirainen schreef op vr 20-01-2012 om 21:34 [+0200]:
> On 20.1.2012, at 0.30, Harm Weites wrote:
> 
> > we want to use dovecot LMTP for efficient mail delivery from our MX
> > servers (running postfix 2.8) to our storage servers (dovecot 2.0.17).
> > However, the one problem we see is the lack of access control when using
> > LMTP. It appears that every client in our network who has access to the
> > storage machines can drop a message in a Maildir of any user on that
> > storage server.
> 
> Is it a real problem? Can't they just as easily drop messages to other users' maildirs simply by sending the mail via SMTP?
> 
This is true, though, in that case messages are not passing our content
scanners, which is something we do not want. Hence the thought of
configuring tcpwrappers, as can be done with the other two protocols, to
only allow access to LMTP from our MX servers.

> > To prevent this behaviour it would be nice to use
> > libwrap, just as it can be used for POP3/IMAP protocols.
> > This, however, seems to be impossible using the configuration as
> > mentioned on the dovecot wiki:
> > 
> > login_access_sockets = tcpwrap
> > 
> > This seems to imply it only works for a login, and LMTP does not use
> > that. The above works perfectly when trying to block access to IMAP or
> > POP3 in /etc/hosts.deny, though a setting for LMTP is simply ignored.
> 
> Right. I'm not sure if I'd even want to add such feature to LMTP. It doesn't really feel like it belongs there.
> 
Would you rather implement something completely different to cater for
access control, or just leave things as they are now?

> > Is there a configuration setting needed for this to work for LMTP, or is
> > it simply not possible (yet), and does libwrap support for LMTP require
> > a patch?
> 
> Not possible in Dovecot currently. You could use firewall rules.
> 
Yes indeed, using some firewall rules and perhaps an extra vlan sounds
ok, though I would like to use something a little less low-level.
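A firewall-level restriction of the kind suggested above, as an added example that is not part of the original thread. It assumes Dovecot's LMTP inet listener is bound on TCP port 24, that the storage host runs nftables, and uses the constructed MX addresses 192.0.2.10 and 192.0.2.11 as placeholders:

```shell
#!/bin/sh
# Added example (not from the thread): generate an nftables ruleset that
# admits LMTP (TCP/24, assumed listener port) only from listed MX hosts,
# so content-scanning MX servers are the only LMTP clients the storage
# host accepts. Assumes nftables and IPv4 MX addresses.

LMTP_PORT=24

# Reject anything that is not a dotted-quad IPv4 address, so a typo in
# the MX list cannot silently turn into an overly broad rule.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    for octet in $1; do
        [ "$octet" -le 255 ] || { IFS=$old_ifs; return 1; }
    done
    IFS=$old_ifs
    return 0
}

# Print an nft ruleset: accept LMTP from each MX, drop all other LMTP.
# Usage: lmtp_nft_rules 192.0.2.10 192.0.2.11
lmtp_nft_rules() {
    for mx in "$@"; do
        valid_ipv4 "$mx" || { echo "bad MX address: $mx" >&2; return 1; }
    done
    mx_set=$(printf '%s, ' "$@" | sed 's/, $//')
    cat <<EOF
table inet lmtp_acl {
    set mx_hosts {
        type ipv4_addr
        elements = { $mx_set }
    }
    chain input {
        type filter hook input priority 0; policy accept;
        tcp dport $LMTP_PORT ip saddr @mx_hosts accept
        tcp dport $LMTP_PORT drop
    }
}
EOF
}

# Constructed sample invocation; pipe the output into "nft -c -f -" for a
# syntax-only dry run before loading it with "nft -f -".
lmtp_nft_rules 192.0.2.10 192.0.2.11
```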