[Dovecot] Domain blacklisting
Hello,
I run dovecot-2/Maildir/LDAP user/passdb and would like to be able to deny access to users who connect from certain domains/IPs (google.com for instance, since in that case they gave their credentials to a third party).
My understanding is that I cannot use some negative form of "allow_nets". The only mechanism I can think of is tcp_wrappers. However, the dovecot documentation mentions it only in the dovecot-1 section. Does it work the same way with dovecot-2? Is it a bad idea (I'm thinking of the induced overhead)? Can you see another way to blacklist (at dovecot application level) some sources?
Thanks
-- Thomas Hummel | Institut Pasteur hummel@pasteur.fr | Pôle informatique - systèmes et réseau
On Wed, 2011-02-09 at 11:57 +0100, Thomas Hummel wrote:
My understanding is that I cannot use some negative form of "allow_nets". The only mechanism I can think of is tcp_wrappers. However, the dovecot documentation mentions it only in the dovecot-1 section. Does it work the same way with dovecot-2? Is it a bad idea (I'm thinking of the induced overhead)? Can you see another way to blacklist (at dovecot application level) some sources?
If tcpwrappers supports it, then it should be pretty easy with v2.0, as long as Dovecot was compiled with support for it:
login_access_sockets = tcpwrap
There is of course some extra overhead, mainly from doing a reverse DNS lookup for all connections, but since that's what you want it can't be avoided.. Or if you have some known good IP ranges, you can add e.g.:
remote 192.168.0.0/24 {
  login_access_sockets =
}
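To make the trade-off in that answer concrete, here is an added example (not code from the thread, from Dovecot or from libwrap) that models the access decision a tcp_wrappers-style check makes: connections from a trusted network are exempted without any lookup (the effect of the `remote { login_access_sockets = }` block), address rules are matched first because they need no DNS, and a domain rule such as a hosts.deny entry of the form `imap: .google.com` can only match after a reverse lookup that is then forward-confirmed. libwrap built in its default PARANOID mode rejects clients whose PTR and A records disagree, and the model does the same. The DNS tables, addresses and networks are constructed for the example; the `imap` daemon name is an assumption, since the thread does not state which name Dovecot presents to tcp_wrappers.

```python
"""Model of a tcpwrap-style login access decision (added example, not Dovecot code).

The point it demonstrates: denying by domain costs a PTR lookup plus a forward
(A) lookup per connection, and is only meaningful when the two agree; denying
by address, or exempting trusted networks, costs nothing.
"""
import ipaddress

# Constructed DNS data for the example (not real records).
PTR = {
    "203.0.113.10": "mail-abc.google.com",   # PTR and A agree
    "203.0.113.11": "mail-xyz.google.com",   # forged PTR: A record points elsewhere
    "198.51.100.5": "home.example.net",
}
A = {
    "mail-abc.google.com": {"203.0.113.10"},
    "mail-xyz.google.com": {"203.0.113.99"},
    "home.example.net": {"198.51.100.5"},
}

# Assumed policy for the example.
TRUSTED_NETS = [ipaddress.ip_network("192.168.0.0/24")]  # remote {} exemption: no check at all
DENY_NETS = [ipaddress.ip_network("203.0.113.64/26")]    # hosts.deny address rule
DENY_DOMAINS = [".google.com"]                           # hosts.deny domain rule ("imap: .google.com")


def resolve_client(ip, ptr=PTR, a=A):
    """Return the client's hostname if its PTR is forward-confirmed.

    Returns None when there is no PTR at all, and "PARANOID" when the PTR
    name does not resolve back to the connecting address. A client in the
    PARANOID state can never satisfy a hostname or domain pattern.
    """
    name = ptr.get(ip)
    if name is None:
        return None
    if ip in a.get(name, ()):
        return name
    return "PARANOID"


def decide(ip, ptr=PTR, a=A):
    """Return (verdict, reason, dns_lookups) for one connection attempt.

    dns_lookups counts the round trips the decision needed; it is the
    per-connection overhead the thread is concerned about.
    """
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in TRUSTED_NETS):
        return ("allow", "trusted net, no lookup", 0)
    # Address-based rules first: they need no DNS.
    if any(addr in net for net in DENY_NETS):
        return ("deny", "address rule", 0)
    name = resolve_client(ip, ptr, a)
    lookups = 1 if name is None else 2  # PTR only, or PTR plus forward check
    if name is None:
        return ("allow", "no PTR, no domain rule applies", lookups)
    if name == "PARANOID":
        return ("deny", "reverse/forward mismatch", lookups)
    if any(name.endswith(suffix) for suffix in DENY_DOMAINS):
        return ("deny", "domain rule " + name, lookups)
    return ("allow", "no rule matched " + name, lookups)


if __name__ == "__main__":
    for client in ("192.168.0.7", "203.0.113.70", "203.0.113.10",
                   "203.0.113.11", "198.51.100.5", "203.0.113.200"):
        verdict, reason, lookups = decide(client)
        print(f"{client:15} {verdict:5} ({reason}; {lookups} DNS lookups)")
```

Two things the run makes visible: every connection from outside the trusted range that is not already caught by an address rule pays the reverse-DNS cost, and an attacker who controls the PTR record of their own address cannot use it to look like an unrelated domain, because the forward check fails and the client is refused rather than matched.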
On Thu, Feb 10, 2011 at 12:58:29AM +0200, Timo Sirainen wrote:
If tcpwrappers supports it, then it should be pretty easy with v2.0, as long as Dovecot was compiled with support for it:
login_access_sockets = tcpwrap
I tried this (dovecot is compiled with support for tcpwrappers) but I get:
dovecot: imap-login: Error: connect(tcpwrap) failed: No such file or directory
Besides, my understanding is that with dovecot linked to libwrap, I can avoid spawning imap-login through inetd. Is that correct?
Thanks
-- Thomas Hummel | Institut Pasteur hummel@pasteur.fr | Pôle informatique - systèmes et réseau
On 02/11/2011 01:05 PM Thomas Hummel wrote:
I tried this (dovecot is compiled with support for tcpwrappers) but I get:
dovecot: imap-login: Error: connect(tcpwrap) failed: No such file or directory
Besides, my understanding is that with dovecot linked to libwrap, I can avoid spawning imap-login through inetd. Is that correct?
Thanks
You have to configure also a service for the tcpwrapper:
service tcpwrap {
  unix_listener login/tcpwrap {
    group = $default_login_user
    mode = 0600
    user = $default_login_user
  }
}
Regards, Pascal
The trapper recommends today: fabaceae.1104213@localdomain.org
On Fri, Feb 11, 2011 at 01:11:15PM +0100, Pascal Volk wrote:
You have to configure also a service for the tcpwrapper:
service tcpwrap {
  unix_listener login/tcpwrap {
    group = $default_login_user
    mode = 0600
    user = $default_login_user
  }
}
Oh yes, thanks.
Also, is tcpwrap compatible with service_count = 0 in the imap-login {} service?
-- Thomas Hummel | Institut Pasteur hummel@pasteur.fr | Pôle informatique - systèmes et réseau
On Fri, 2011-02-11 at 14:19 +0100, Thomas Hummel wrote:
On Fri, Feb 11, 2011 at 01:11:15PM +0100, Pascal Volk wrote:
You have to configure also a service for the tcpwrapper:
service tcpwrap {
  unix_listener login/tcpwrap {
    group = $default_login_user
    mode = 0600
    user = $default_login_user
  }
}
Oh. I thought that would have been there by default. But yes, maybe it's better that it's not in there if it's not needed.
Also, is tcpwrap compatible with service_count = 0 in the imap-login {} service?
Sure.
participants (3): Pascal Volk, Thomas Hummel, Timo Sirainen