[Dovecot] Configuring dovecot to use tcp wrappers
Greetings,
I am looking to implement tcp wrappers with dovecot; I am using the following two links as guides to configuration: http://blog.acsystem.sk/linux/brute-force-attack-dovecot-imap-server-blockin... http://wiki2.dovecot.org/LoginProcess (you need to go to the very bottom)
I'm concerned about making the configuration correctly.
If you set login_access_sockets = tcpwrap in /etc/dovecot/dovecot.conf, then everything accessing ports controlled by dovecot (and open by iptables) is blocked.
So my question relates to the second part of the configuration examples in the links above:
service tcpwrap {
  unix_listener login/tcpwrap {
    group = $default_login_user
    mode = 0600
    user = $default_login_user
  }
}
Where does this code get placed (in dovecot.conf or in one of the files in /etc/dovecot/conf.d)? And regarding $default_login_user, it appears in a comment line in /etc/dovecot/conf.d/10-master.conf
Should that line be uncommented?
Much thanks.
Max Pyziur pyz@brama.com
Report of dovecot -n:
pyz@pangea ~> dovecot -n
# 2.1.1: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-358.2.1.el6.x86_64 x86_64 CentOS release 6.4 (Final)
disable_plaintext_auth = no
mail_location = mbox:~/mail:INBOX=/var/spool/mail/%u
mbox_write_locks = fcntl
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
ssl = no
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem
userdb {
  driver = passwd
}
On 5.4.2013, at 18.19, Max Pyziur <pyz@brama.com> wrote:
> So my question relates to the second part of the configuration examples in the links above:
> service tcpwrap {
>   unix_listener login/tcpwrap {
>     group = $default_login_user
>     mode = 0600
>     user = $default_login_user
>   }
> }
> Where does this code get placed (in dovecot.conf or in one of the files in /etc/dovecot/conf.d)?
Doesn't really matter. I'd put it into conf.d/10-master.conf which has other services.
> And regarding $default_login_user, it appears in a comment line in /etc/dovecot/conf.d/10-master.conf
> Should that line be uncommented?
Just leave it uncommented and it'll use the default value (which it has been using so far already).
> On 5.4.2013, at 18.19, Max Pyziur <pyz@brama.com> wrote:
>> So my question relates to the second part of the configuration examples in the links above:
>> service tcpwrap {
>>   unix_listener login/tcpwrap {
>>     group = $default_login_user
>>     mode = 0600
>>     user = $default_login_user
>>   }
>> }
>> Where does this code get placed (in dovecot.conf or in one of the files in /etc/dovecot/conf.d)?
> Doesn't really matter. I'd put it into conf.d/10-master.conf which has other services.
>> And regarding $default_login_user, it appears in a comment line in /etc/dovecot/conf.d/10-master.conf
>> Should that line be uncommented?
> Just leave it uncommented and it'll use the default value (which it has been using so far already).
Much thanks for your reply.
However, once I make the changes to the configuration files, I get the following error when restarting dovecot:
root@brama /etc/dovecot/conf.d> service dovecot restart
Stopping Dovecot Imap: [ OK ]
Starting Dovecot Imap: doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf: service(tcpwrap): executable is empty
[FAILED]
Any advice on how to proceed?
Thank you again,
Max Pyziur pyz@brama.com
On 8.4.2013, at 1.31, "Max Pyziur" <pyz@brama.com> wrote:
> However, once I make the changes to the configuration files, I get the following error when restarting dovecot:
> root@brama /etc/dovecot/conf.d> service dovecot restart
> Stopping Dovecot Imap: [ OK ]
> Starting Dovecot Imap: doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf: service(tcpwrap): executable is empty
> [FAILED]
You most likely didn't compile Dovecot with tcpwrap support. See if you have /usr/lib*/dovecot/tcpwrap binary?
On Mon, 8 Apr 2013, Timo Sirainen wrote:
> On 8.4.2013, at 1.31, "Max Pyziur" <pyz@brama.com> wrote:
>> However, once I make the changes to the configuration files, I get the following error when restarting dovecot:
>> root@brama /etc/dovecot/conf.d> service dovecot restart
>> Stopping Dovecot Imap: [ OK ]
>> Starting Dovecot Imap: doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf: service(tcpwrap): executable is empty
>> [FAILED]
> You most likely didn't compile Dovecot with tcpwrap support. See if you have /usr/lib*/dovecot/tcpwrap binary?
Any idea, then, as to where those CentOS dovecot src.rpms are kept?
Max Pyziur pyz@brama.com
On Sun, 7 Apr 2013, Max Pyziur wrote:
> On Mon, 8 Apr 2013, Timo Sirainen wrote:
>> On 8.4.2013, at 1.31, "Max Pyziur" <pyz@brama.com> wrote:
>>> However, once I make the changes to the configuration files, I get the following error when restarting dovecot:
>>> root@brama /etc/dovecot/conf.d> service dovecot restart
>>> Stopping Dovecot Imap: [ OK ]
>>> Starting Dovecot Imap: doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf: service(tcpwrap): executable is empty
>>> [FAILED]
>> You most likely didn't compile Dovecot with tcpwrap support. See if you have /usr/lib*/dovecot/tcpwrap binary?
> Any idea, then, as to where those CentOS dovecot src.rpms are kept?
Yanking my own chain: http://vault.centos.org/6.4/updates/Source/SPackages/
Max Pyziur pyz@brama.com [...recycle ...]
> On 5.4.2013, at 18.19, Max Pyziur <pyz@brama.com> wrote:
>> So my question relates to the second part of the configuration examples in the links above:
>> service tcpwrap {
>>   unix_listener login/tcpwrap {
>>     group = $default_login_user
>>     mode = 0600
>>     user = $default_login_user
>>   }
>> }
>> Where does this code get placed (in dovecot.conf or in one of the files in /etc/dovecot/conf.d)?
> Doesn't really matter. I'd put it into conf.d/10-master.conf which has other services.
>> And regarding $default_login_user, it appears in a comment line in /etc/dovecot/conf.d/10-master.conf
>> Should that line be uncommented?
> Just leave it uncommented and it'll use the default value (which it has been using so far already).
After some delay, I'm returning to this project.
I've made the changes per above.
I've put in a test IP address in /etc/hosts.deny like so:
dovecot: 166.84.1.2
And then I execute the following from 166.84.1.2 to port 110:
bash-3.2$ telnet SiteWhereImConfiguringDovecot 110
Trying SiteWhereImConfiguringDovecot...
Connected to SiteWhereImConfiguringDovecot.
Escape character is '^]'.
+OK Dovecot ready.
quit
+OK Logging out
Connection closed by foreign host.
If dovecot is configured with tcp wrappers (which it is; built on a CentOS 6 system, installed and configured per instructions), and the firewall has ports 110 and 143 open, but I'm blocking a particular host through /etc/hosts.deny then I should not be able to telnet to either port 110 or 143; both requests should be blocked from the originating IP, no?
Much thanks for your help,
Max Pyziur pyz@brama.com
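Whether the hosts.deny test above blocks anything hinges on whether the entry's daemon name matches the name Dovecot's tcpwrap helper presents to libwrap, and the thread does not say what that name is. The following is an added example (mine, not code from the thread or from Dovecot) that evaluates hosts.allow/hosts.deny rules the way tcp_wrappers does, so the entry can be checked against candidate daemon names; the names "pop3" and "imap" tried alongside "dovecot" are assumptions, and tcpdmatch(8) on the server is the authoritative check against the installed files.

```python
# Added example (not from the thread): a simplified hosts_access(5) evaluator.
# tcp_wrappers grants on the first hosts.allow match, denies on the first
# hosts.deny match, and grants if neither file matches. Client patterns
# handled: ALL, exact IPv4, trailing-dot prefix ("166.84."), net/mask or CIDR,
# and one EXCEPT clause per list. No DNS is done. Which daemon name Dovecot's
# tcpwrap helper presents is an assumption to confirm with tcpdmatch(8).
import ipaddress

def _client_matches(pattern, client_ip):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                 # network prefix written as "166.84."
        return client_ip.startswith(pattern)
    if "/" in pattern:                        # "net/mask" or "net/prefixlen"
        try:
            return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return pattern == client_ip

def _list_matches(field, value, match):
    """A hosts_access list looks like 'a b c' or 'a b EXCEPT c'."""
    include, _, exclude = " ".join(field.split()).partition(" EXCEPT ")
    return (any(match(p, value) for p in include.split())
            and not any(match(p, value) for p in exclude.split()))

def _rule_matches(line, daemon, client_ip):
    fields = [f.strip() for f in line.split("#", 1)[0].split(":")]
    if len(fields) < 2:                       # blank, comment or malformed line
        return False
    return (_list_matches(fields[0], daemon, lambda p, d: p in ("ALL", d))
            and _list_matches(fields[1], client_ip, _client_matches))

def hosts_access(daemon, client_ip, allow_lines, deny_lines):
    """Return 'allow' or 'deny' the way libwrap would decide for this pair."""
    if any(_rule_matches(l, daemon, client_ip) for l in allow_lines):
        return "allow"
    if any(_rule_matches(l, daemon, client_ip) for l in deny_lines):
        return "deny"
    return "allow"

# Constructed sample: the hosts.deny entry from the thread and an empty hosts.allow.
HOSTS_DENY = ["dovecot: 166.84.1.2"]
HOSTS_ALLOW = []

if __name__ == "__main__":
    for name in ("dovecot", "pop3", "imap"):  # the entry only bites if the name matches
        print(name, hosts_access(name, "166.84.1.2", HOSTS_ALLOW, HOSTS_DENY))
```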