[Dovecot] Limit access to dovecot by domains?
Hi.
Is there any way to limit access to dovecot by domains?
I only need to give access to a well known set of domains, all from Australia and all networks are known and used either from people at home or mobile access (phones, laptops etc).
iptables is not possible as e.g. OPTUS does not give away all of the networks mobile phones are connected to. I know some, but not all.
It would be much nicer and easier to allow
optusnet.com.au bigpond.com.au tpg.com.au
and I have given 100% of our users access.
I know there is an extra field called "allow_nets", I tried this and failed. I did a search and found that this only works with SQL?
Maybe I could include a script that would check the reverse DNS record of a connected IP and then I could filter?
Jobst
-- Why is the man who invests all your money called a broker?
Jobst Schmalenbach, jobst@barrett.com.au, General Manager, Barrett Consulting Group P/L & The Meditation Room P/L, +61 3 9532 7677, POBox 277, Caulfield South, 3162, Australia
use the connect-acl script at http://www.linux.org.py/wiki/howto/dovecot_connect_acl
or, the post-login script at http://wiki.dovecot.org/PostLoginScripting
(side note, http://spameatingmonkey.com/ Geo blacklist, for similar reasons but blocking outsider countries like, oh say, China users that like to brute force)
On 10/13/2010 03:08 AM, Jobst Schmalenbach wrote:
> Hi.
> Is there any way to limit access to dovecot by domains?
> I only need to give access to a well known set of domains, all from Australia and all networks are known and used either from people at home or mobile access (phones, laptops etc).
> iptables is not possible as e.g. OPTUS does not give away all of the networks mobile phones are connected to. I know some, but not all.
> It would be much nicer and easier to allow
> optusnet.com.au bigpond.com.au tpg.com.au
> and I have given 100% of our users access.
> I know there is an extra field called "allow_nets", I tried this and failed. I did a search and found that this only works with SQL?
> Maybe I could include a script that would check the reverse DNS record of a connected IP and then I could filter?
> Jobst
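As an added illustration of the post-login approach linked above (this is example code, not from the thread, the wiki page or Dovecot itself): a v2.0-style post-login script that only lets the session continue when the client's reverse DNS name falls under one of Jobst's listed domains and that name resolves forward to the same address, so a PTR record controlled by the address owner is not enough on its own. It assumes Dovecot's documented IP and USER environment variables, that Dovecot passes the real imap/pop3 process as the script arguments, and that the `host` utility is installed.

```shell
#!/bin/sh
# Example Dovecot post-login script (constructed for illustration).
# Dovecot sets $IP to the client address and $USER to the login name, and
# expects the script to exec the real mail process as "$@".
# Assumes the `host` command (bind-utils) is available.

ALLOWED_DOMAINS="optusnet.com.au bigpond.com.au tpg.com.au"

# domain_allowed HOSTNAME -> 0 if HOSTNAME is, or is under, an allowed domain.
# The pattern is anchored at a label boundary, so "optusnet.com.au.evil.example"
# does not match.
domain_allowed() {
    for d in $ALLOWED_DOMAINS; do
        case "$1" in
            "$d"|*."$d") return 0 ;;
        esac
    done
    return 1
}

# ptr_name_from_output "<host -t PTR output>" -> prints the first PTR target
# without its trailing dot, or nothing when there was no pointer line.
ptr_name_from_output() {
    printf '%s\n' "$1" | sed -n 's/.* domain name pointer \(.*\)\.$/\1/p' | head -n 1
}

# forward_confirmed "<host -t A output>" IP -> 0 if one of the listed
# addresses is exactly IP (fixed-string, whole-line comparison).
forward_confirmed() {
    printf '%s\n' "$1" | sed -n 's/.* has address //p' | grep -qxF "$2"
}

# client_allowed IP -> 0 when the live DNS checks pass (needs the network).
client_allowed() {
    name=$(ptr_name_from_output "$(host -t PTR "$1" 2>/dev/null)")
    [ -n "$name" ] || return 1
    domain_allowed "$name" || return 1
    forward_confirmed "$(host -t A "$name" 2>/dev/null)" "$1"
}

# Entry point used by Dovecot; does nothing when run without a client IP.
if [ -n "${IP:-}" ] && [ $# -gt 0 ]; then
    if client_allowed "$IP"; then
        exec "$@"
    fi
    echo "post-login: rejected ${USER:-?} from $IP" >&2  # ends up in the mail log
    exit 1
fi
```

Because a failed lookup (timeout, NXDOMAIN) is treated as a rejection, a DNS outage locks everyone out, which is the trade-off the fail2ban suggestion in this thread avoids.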
On 13/10/2010 08:08, Jobst Schmalenbach wrote:
> Is there any way to limit access to dovecot by domains?
> I only need to give access to a well known set of domains, all from Australia and all networks are known and used either from people at home or mobile access (phones, laptops etc).
Have you considered using "fail2ban"?
This should then block calling IP addresses based on the suspiciousness of the activity originating from those addresses.
Also it should mean you wouldn't need to keep housekeeping the list of allowed networks. So people using networks you hadn't thought of, or people travelling abroad, would still be able to get access without having to bother you.
In addition it should cover the case of black hats operating out of (or bouncing activity through) your semi-trusted list {optusnet,bigpond,tpg}.com.au.
Bill
On Thu, Oct 14, 2010 at 03:31:23PM +0100, Timo Sirainen (tss@iki.fi) wrote:
> On Wed, 2010-10-13 at 18:08 +1100, Jobst Schmalenbach wrote:
> > Maybe I could include a script that would check the reverse DNS record of a connected IP and then I could filter?
> Wonder if tcpwrappers would work? You could use that with Dovecot v2.0.
I have read a few things about this, it looks like it's not so good to do it this way, besides having properly written daemons running from (x)inetd is a system overhead.
Jobst
-- The reason you cannot think about eternity is because the intellect which is doing the thinking is an instrument of time and nothing else.
On Fri, 2010-10-15 at 15:09 +1100, Jobst Schmalenbach wrote:
> > > Maybe I could include a script that would check the reverse DNS record of a connected IP and then I could filter?
> > Wonder if tcpwrappers would work? You could use that with Dovecot v2.0.
> I have read a few things about this, it looks like it's not so good to do it this way, besides having properly written daemons running from (x)inetd is a system overhead.
You don't need to run Dovecot from inetd to use tcpwrappers in v2.0. You actually can't even do that. There are separate tcpwrap processes that perform the access lookups.