I use a tinc VPN mesh between the nodes. iptables only allows the nodes to talk to each other on port 655; all else is dropped. Works well. I also have a setup using zerotier for the same thing - my ansible deployment playbook will use either one.
DC.
On 2023-05-14 11:29 am, Daniel Miller via dovecot wrote:
I only allow explicit service traffic through. IMAPS, SMTPS, etc. If doveadm is communicating via the IMAP(S) ports then all I can do via firewall is block countries. Which of course I can, but I'm asking about any additional hardening for Dovecot itself.
-- Daniel
On May 13, 2023 6:25:06 PM jeremy ardley via dovecot dovecot@dovecot.org wrote:
On 14/5/23 09:14, Daniel L. Miller via dovecot wrote:
May 12 15:45:58 cloud1 dovecot: doveadm(194.165.16.78): Error: doveadm client not compatible with this server (mixed old and new binaries?)
May 13 03:44:31 cloud1 dovecot: doveadm(45.227.254.48): Error: doveadm client not compatible with this server (mixed old and new binaries?)
Since I don't recognize those IPs, the first is out of Panama and the other is Belize, I assume these are hostile attackers trying to exploit something. How can I defend against this?
Set up a firewall rule that only allows access from an IP range you control. For any other source, simply drop the connection.
You can get really fancy and use port forwarding over ssh to connect from remote but appear as localhost to the server. This access can be configured in dovecot as well as in the firewall.
Jeremy
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-leave@dovecot.org
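Added example, not code from the thread, from Dovecot, or from any of the posters. It covers the two things the thread circles around: telling a mesh node on a stale binary apart from an unknown host hitting the doveadm listener (by checking the source IP in the "doveadm client not compatible" error against ranges you trust), and rendering an nftables ruleset in the shape Jeremy describes, where IMAPS/SMTPS stay public but the doveadm listener only accepts connections from the trusted ranges. The doveadm port (24245), the trusted overlay subnet (10.99.0.0/24) and the extra sample log lines are assumptions; Dovecot's doveadm inet_listener has no fixed default port, so substitute the one from your `service doveadm { inet_listener { port = ... } }` block.

```python
"""Added example (not from the thread or from Dovecot).

Two helpers:
  * untrusted_doveadm_clients(): scan Dovecot log lines for the
    "doveadm client not compatible" error and report source IPs that are
    outside the trusted ranges, with a hit count per IP.
  * render_nft_ruleset(): print an nftables ruleset that exposes only
    IMAPS/SMTPS publicly and restricts the doveadm listener to the trusted
    ranges.

Assumptions not stated on the page: doveadm listens on TCP 24245 and the
trusted range is a 10.99.0.0/24 overlay (tinc/zerotier) subnet.
"""
import ipaddress
import re

DOVEADM_PORT = 24245                                      # assumed
TRUSTED_RANGES = [ipaddress.ip_network("10.99.0.0/24")]   # assumed mesh subnet

# Matches the syslog-style lines quoted in the thread, e.g.
# "May 12 15:45:58 cloud1 dovecot: doveadm(194.165.16.78): Error: doveadm client not compatible ..."
DOVEADM_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ dovecot: "
    r"doveadm\((?P<ip>[0-9a-fA-F.:]+)\): Error: doveadm client not compatible"
)

# Constructed sample: the two lines from the thread, one from a mesh node
# (assumed 10.99.0.5, e.g. a node running an older package), one unrelated line.
SAMPLE_LOG = [
    "May 12 15:45:58 cloud1 dovecot: doveadm(194.165.16.78): Error: doveadm client not compatible with this server (mixed old and new binaries?)",
    "May 13 03:44:31 cloud1 dovecot: doveadm(45.227.254.48): Error: doveadm client not compatible with this server (mixed old and new binaries?)",
    "May 13 04:10:02 cloud1 dovecot: doveadm(10.99.0.5): Error: doveadm client not compatible with this server (mixed old and new binaries?)",
    "May 13 04:11:00 cloud1 dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=10.99.0.5",
]


def is_trusted(ip: str) -> bool:
    """True if ip falls inside one of TRUSTED_RANGES."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_RANGES)


def untrusted_doveadm_clients(log_lines):
    """Return sorted [(ip, hit_count), ...] for untrusted sources of the error.

    Trusted sources are skipped: a mesh node producing this error most likely
    just needs its dovecot package upgraded, which is a different problem from
    an unknown host reaching the doveadm port at all.
    """
    hits = {}
    for line in log_lines:
        m = DOVEADM_LINE.match(line)
        if not m:
            continue
        ip = m.group("ip")
        if is_trusted(ip):
            continue
        hits[ip] = hits.get(ip, 0) + 1
    return sorted(hits.items())


def render_nft_ruleset() -> str:
    """Render an nftables ruleset: public mail ports, doveadm from the mesh only.

    Add your own SSH/management rule before loading this; the chain policy is
    drop. 'ip saddr' only matches IPv4; add an 'ip6 saddr' rule if the mesh
    carries IPv6.
    """
    trusted = ", ".join(str(net) for net in TRUSTED_RANGES)
    return (
        "table inet mail {\n"
        "    chain input {\n"
        "        type filter hook input priority 0; policy drop;\n"
        "        ct state established,related accept\n"
        '        iif "lo" accept\n'
        "        tcp dport { 993, 465 } accept\n"                 # IMAPS, SMTPS
        f"        ip saddr {{ {trusted} }} tcp dport {DOVEADM_PORT} accept\n"
        "    }\n"
        "}\n"
    )


if __name__ == "__main__":
    for ip, count in untrusted_doveadm_clients(SAMPLE_LOG):
        print(f"untrusted doveadm client {ip}: {count} hit(s)")
    print(render_nft_ruleset())
```

Run it against `journalctl -u dovecot` or `/var/log/mail.log` output instead of `SAMPLE_LOG` to get a list of foreign sources worth blocking; the ruleset can be saved and loaded with `nft -f` once the management rule is added.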