I use a tinc vpn mesh between the nodes.  iptables only allows the nodes to talk to each other on port 655, all else is dropped.  Works well.  I also have a setup using zerotier for the same thing - my ansible deployment playbook will use either one.

DC.

On 2023-05-14 11:29 am, Daniel Miller via dovecot wrote:

I only allow explicit service traffic through. IMAPS, SMTPS, etc. If doveadm is communicating via the IMAP(S) ports then all I can do via firewall is block countries. Which of course I can but I'm asking about any additional hardening for Dovecot itself.
 
--
Daniel
 
On May 13, 2023 6:25:06 PM jeremy ardley via dovecot <dovecot@dovecot.org> wrote:
 
On 14/5/23 09:14, Daniel L. Miller via dovecot wrote:
 
May 12 15:45:58 cloud1 dovecot: doveadm(194.165.16.78): Error: doveadm client not compatible with this server (mixed old and new binaries?)
May 13 03:44:31 cloud1 dovecot: doveadm(45.227.254.48): Error: doveadm client not compatible with this server (mixed old and new binaries?)
 
Since I don't recognize those IPs (the first is out of Panama and the 
other is Belize), I assume these are hostile attackers trying to 
exploit something. How can I defend against this?
 
Set up a firewall rule that only allows access from an IP range you 
control. For any other source, simply drop the connection.
 
You can get really fancy and use port forwarding using ssh to connect 
from remote but appear as localhost to the server. This access can be 
configured in dovecot as well as in the firewall.
 
 
Jeremy
_______________________________________________
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-leave@dovecot.org
 

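As an added example (not from anyone in this thread), a small script that reads the doveadm errors Daniel quoted and reports any peer address outside an allowlist, so an admin can confirm whether the firewall rule Jeremy suggests is actually holding. The allowed ranges (10.8.0.0/24 as a VPN mesh, 127.0.0.1 for local/ssh-forwarded access) are placeholders, and the third and fourth log lines are constructed.

```python
import ipaddress
import re

# Constructed sample log: the two lines quoted in the thread plus two made-up
# lines (one doveadm error from a VPN address, one unrelated imap-login line).
SAMPLE_LOG = """\
May 12 15:45:58 cloud1 dovecot: doveadm(194.165.16.78): Error: doveadm client not compatible with this server (mixed old and new binaries?)
May 13 03:44:31 cloud1 dovecot: doveadm(45.227.254.48): Error: doveadm client not compatible with this server (mixed old and new binaries?)
May 13 04:10:02 cloud1 dovecot: doveadm(10.8.0.2): Error: doveadm client not compatible with this server (mixed old and new binaries?)
May 13 04:11:40 cloud1 dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=10.8.0.3, lip=10.8.0.1, TLS
"""

# Matches the doveadm-server error seen in the thread and captures the peer address.
DOVEADM_RE = re.compile(
    r"dovecot: doveadm\((?P<ip>[^)]+)\): Error: doveadm client not compatible"
)


def parse_doveadm_peers(log_text):
    """Return (timestamp, ip) for every doveadm client-incompatibility error."""
    peers = []
    for line in log_text.splitlines():
        m = DOVEADM_RE.search(line)
        if m:
            ts = line[:15]  # syslog timestamp, e.g. "May 12 15:45:58"
            peers.append((ts, m.group("ip")))
    return peers


def unexpected_doveadm_peers(log_text, allowed_cidrs):
    """Return peers whose source address lies outside every allowed range.

    allowed_cidrs is the set of networks that should be able to reach doveadm
    at all (placeholder: the VPN mesh and localhost).  Anything else means the
    firewall is not restricting the doveadm listener as intended.
    """
    nets = [ipaddress.ip_network(c, strict=False) for c in allowed_cidrs]
    bad = []
    for ts, ip in parse_doveadm_peers(log_text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            bad.append((ts, ip))  # unparseable peer field: treat as unexpected
            continue
        if not any(addr in net for net in nets):
            bad.append((ts, ip))
    return bad


if __name__ == "__main__":
    for ts, ip in unexpected_doveadm_peers(SAMPLE_LOG, ["10.8.0.0/24", "127.0.0.1/32"]):
        print(f"{ts}  doveadm connection from outside the allowlist: {ip}")
```

Run it against the real log with `sys.stdin.read()` in place of SAMPLE_LOG; any address it prints is a host the firewall should be dropping.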