On Wed, 2011-02-09 at 11:57 +0100, Thomas Hummel wrote:
> My understanding is that I cannot use some negative form of "allow_nets". The only mechanism I can think of is tcp_wrappers. However, dovecot documentation mentions it only in the dovecot-1 section. Does it work the same way with dovecot-2? Is it a bad idea (I'm thinking of the induced overhead)? Can you see another way to blacklist (at dovecot application level) some sources?
If tcpwrappers supports it, then it should be pretty easy with v2.0, as long as Dovecot was compiled with support for it:
login_access_sockets = tcpwrap
There is of course some extra overhead, mainly from doing a reverse DNS lookup for all connections, but since that's what you want it can't be avoided. Or if you have some known good IP ranges, you can add e.g.:
remote 192.168.0.0/24 {
  login_access_sockets =
}
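
The setup described in this reply, put together as an added example that is not part of the original message: the two settings from the reply plus the pieces they depend on. The `service tcpwrap` listener block and the `imap`/`pop3` daemon names are assumptions based on Dovecot 2.x conventions, and the blocked addresses are constructed placeholders from documentation ranges.

```conf
# --- dovecot.conf (Dovecot v2.0, compiled with tcpwrappers support) ---

# Ask the tcpwrap service about every new login connection.
login_access_sockets = tcpwrap

# Assumed listener block: the socket login processes use to reach tcpwrap.
service tcpwrap {
  unix_listener login/tcpwrap {
    user = $default_login_user
    group = $default_login_user
    mode = 0600
  }
}

# Known good range: skip the check, and with it the reverse DNS lookup.
remote 192.168.0.0/24 {
  login_access_sockets =
}

# --- /etc/hosts.deny ---

# Constructed blacklist entries (placeholder addresses).
# Daemon names are assumed to match the Dovecot login service names.
imap, pop3: 203.0.113.0/255.255.255.0
imap, pop3: 198.51.100.7
```

Running `doveconf -n` after the change shows whether `login_access_sockets` and the `remote` override were parsed as intended.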