How to configure dovecot imap to listen on multiple ports?

Gedalya gedalya at gedalya.net
Mon Aug 25 22:01:39 UTC 2014


On 08/25/2014 05:17 PM, Jochen Bern wrote:
> On -10.01.-28163 20:59, Gedalya wrote:
>> On 08/25/2014 08:26 AM, Jochen Bern wrote:
>>> Assuming Red Hat or similar with no conflicting iptables rules (yet),
>>> # iptables -t nat -A PREROUTING -p tcp --dport 30xxx -j DNAT --to :143
>> Since you're redirecting to a port on the same host, the following is
>> perhaps more correct:
>> iptables -t nat -A PREROUTING -p tcp --dport 30143 -j REDIRECT --to-port 143
> The operational word being "perhaps". My approach will break if the
> server does any forwarding, yours will break if dovecot listens only on
> a secondary IP address, or at least that's what the manpage I grabbed
> off a CentOS 6 says:
That REDIRECT rule can definitely not be used in that exact form if the 
machine does forwarding. It will make anyone trying to reach port xxxxx 
on any destination arrive at this IMAP server, unless you add a 
condition such as -d 192.168.x.x
Indeed, if the machine is also a router and dovecot only listens on a 
specific IP address then you would have to use DNAT to specify the 
destination IP address and port.
Perhaps the use of the word "correct" was wrong, REDIRECT is just 
typically used in such cases where the machine is anyway not a router so 
it's kind of a more readable way to say "redirect this traffic from this 
machine itself to this machine itself", although REDIRECT is generally 
intended to be used on a router to force traffic _not_ destined for this 
machine to go to this machine, e.g. setting up a transparent proxy.

So you can say:
iptables -t nat -A PREROUTING -p tcp -d 192.168.1.11 --dport 30143 -j REDIRECT --to-port 143
Or:
iptables -t nat -A PREROUTING -p tcp -d 192.168.1.11 --dport 30143 -j DNAT --to-destination xx.xx.xx.xx:143

The latter redirects traffic destined to a specific IP address and port, 
192.168.1.11:30143, to a specific IP address and port (presumably on the 
same host, or not..).


>
>> REDIRECT
>> [...] It redirects the packet to the machine itself by changing the
>                                                           ^^^^^^^^^^^^
>> destination IP to the primary address of the incoming interface
>    ^^^^^^^^^^^^^^^^^^^^^^#######^^^^^^^^
>> (locally-generated packets are mapped to the 127.0.0.1 address).
> Regards,
> 								J. Bern
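
Added example, not part of the original message: a small Python model of the nat PREROUTING step that replays the cases discussed in this thread (forwarded traffic hitting an unqualified REDIRECT, and dovecot bound only to a secondary address). The primary address 192.168.1.10, the transit address 203.0.113.5, the choice of 192.168.1.11 as the DNAT target, and all function names are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed host: eth0 has primary 192.168.1.10 and secondary 192.168.1.11.
PRIMARY_ADDR = {"eth0": "192.168.1.10"}
LOCAL_ADDRS = {"192.168.1.10", "192.168.1.11"}

@dataclass(frozen=True)
class Rule:
    target: str                      # "REDIRECT" or "DNAT"
    dport: int                       # --dport
    to_port: int                     # --to-port / port part of --to-destination
    match_dst: Optional[str] = None  # -d condition, None = any destination
    to_ip: Optional[str] = None      # address part of --to-destination

def prerouting(dst_ip, dst_port, in_iface, rule):
    """Return (ip, port) of a TCP packet after the nat PREROUTING rule."""
    if dst_port != rule.dport or rule.match_dst not in (None, dst_ip):
        return dst_ip, dst_port                      # rule does not match
    if rule.target == "REDIRECT":
        # Destination becomes the primary address of the incoming interface.
        return PRIMARY_ADDR[in_iface], rule.to_port
    # DNAT: without an address (--to :143) only the port is rewritten.
    return rule.to_ip or dst_ip, rule.to_port

def reaches_imap(dst_ip, dst_port, rule, listen="*"):
    """True if the packet ends up on a local socket dovecot is bound to."""
    ip, port = prerouting(dst_ip, dst_port, "eth0", rule)
    return ip in LOCAL_ADDRS and port == 143 and listen in ("*", ip)

bare_redirect = Rule("REDIRECT", 30143, 143)
redirect_d = Rule("REDIRECT", 30143, 143, match_dst="192.168.1.11")
dnat_d = Rule("DNAT", 30143, 143, match_dst="192.168.1.11", to_ip="192.168.1.11")

if __name__ == "__main__":
    transit = "203.0.113.5"   # constructed address behind the router
    print("forwarded, bare REDIRECT:", prerouting(transit, 30143, "eth0", bare_redirect))
    print("forwarded, REDIRECT -d  :", prerouting(transit, 30143, "eth0", redirect_d))
    for name, rule in (("REDIRECT -d", redirect_d), ("DNAT -d", dnat_d)):
        print(name, "reaches dovecot on secondary address:",
              reaches_imap("192.168.1.11", 30143, rule, listen="192.168.1.11"))
```

On a router the unqualified REDIRECT pulls transit traffic for port 30143 onto the local IMAP port, and REDIRECT with -d misses a dovecot that listens only on the secondary address, which is the case where DNAT with an explicit destination is needed.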


