Thank you Jeremy and Bernardo.

Adding cert verification is something I'll have to delve into. Also possibly pushing the replication through the VPN.

It's been a while since I last set up my replication pair - everything's been working smoothly so I've forgotten some of the key items. Particularly the need to open an explicit port for the doveadm connection - which of course I do have on a non-standard port and up till now it hasn't been an issue. I was fighting multiple config issues at the time - including network setup - so I left the communication purely through the external IPs instead of being VPN dependent. I may change that.

Fail2ban and other guards have blocked most port scanning and other junk - this was the first time I saw such log lines in my mail log and it scared me. Now I know what to look for and what it means. Thanks again.

--
Daniel


------ Original Message ------
From "jeremy ardley via dovecot" <dovecot@dovecot.org>
To dovecot@dovecot.org
Date 5/14/2023 4:03:28 PM
Subject Re: Possible hack via doveadm


On 14/5/23 23:29, Daniel Miller via dovecot wrote:
I only allow explicit service traffic through. IMAPS, SMTPS, etc. If doveadm is communicating via the IMAP(S) ports then all I can do via firewall is block countries. Which of course I can but I'm asking about any additional hardening for Dovecot itself.


You can set up a doveadm service that requires client certificates:

service doveadm {
  inet_listener {
    port = 12345
  }
  ssl = yes
  ssl_cert = </etc/dovecot/dovecot.pem
  ssl_key = </etc/dovecot/private/dovecot.pem
  ssl_verify_client_cert = yes
  auth_ssl_require_client_cert = yes
}


Jeremy
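Added example, not from the thread or from Dovecot itself: a small Python lint over a `doveconf -n`-style dump that checks whether a network-reachable doveadm listener carries the three settings Jeremy's snippet relies on (TLS on, client cert verified, client cert required). It assumes a setting may sit on the listener, the service, or globally, which is a simplification of how Dovecot scopes settings; the sample configs are constructed from the snippet above.

```python
# Constructed sample: the doveadm service as given in the thread.
HARDENED = """
service doveadm {
  inet_listener {
    port = 12345
  }
  ssl = yes
  ssl_cert = </etc/dovecot/dovecot.pem
  ssl_key = </etc/dovecot/private/dovecot.pem
  ssl_verify_client_cert = yes
  auth_ssl_require_client_cert = yes
}
"""
# Constructed sample: same listener with TLS on but no client-cert requirement.
WEAK = "\n".join(l for l in HARDENED.splitlines() if "client_cert" not in l)
# Settings that must resolve to "yes" for a network-reachable doveadm listener.
REQUIRED = ("ssl", "ssl_verify_client_cert", "auth_ssl_require_client_cert")

def parse_doveconf(text: str) -> dict:
    # Parse doveconf -n style text into nested dicts; leaf values are strings.
    root: dict = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if line == "}":
            stack.pop()
        elif line.endswith("{"):  # block header, e.g. "service doveadm {"
            block: dict = {}
            stack[-1][line[:-1].strip()] = block
            stack.append(block)
        elif line:  # "key = value"; blank lines fall through
            key, _, value = line.partition("=")
            stack[-1][key.strip()] = value.strip()
    if len(stack) != 1:
        raise ValueError("unbalanced braces in config")
    return root

def audit_doveadm(conf: dict) -> list:
    # Return findings for the doveadm service; an empty list means all checks passed.
    svc = conf.get("service doveadm")
    if not isinstance(svc, dict):
        return ["no doveadm service block found"]
    findings = []
    for name, lst in svc.items():
        if not (name.startswith("inet_listener") and isinstance(lst, dict)):
            continue  # unix_listener sockets are not network-reachable
        for key in REQUIRED:
            # Assumed scoping: listener, then service, then global (default "no").
            value = lst.get(key, svc.get(key, conf.get(key, "no")))
            if str(value).lower() != "yes":
                findings.append(f"{name} port {lst.get('port', '?')}: {key} != yes")
    return findings
```

Feed it the real `doveconf -n` output and a non-empty list points at the listener that would accept any TLS client without a certificate.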