[Dovecot] dovecot and tcpwrappers
Hi,
I used dovecot 1.x for quite a while and it worked fine. However, I used it through inetd and used hosts.allow/deny to restrict access to only certain groups of systems.
Since yesterday I have dovecot 2.0.13. But in version 2.0.13 it seems that starting it using inetd doesn't work anymore: I only get a strange error message if I try to connect using telnet:
    telnet localhost imap
    doveconf: Fatal: execvp(imap-login) failed: No such file or directory
I tried a lot of things but couldn't get it going over inetd, so I decided to start it directly using an init script, also because you say in the wiki this is (now) the preferred method.
That indeed works fine, but I realised today that dovecot is now completely ignoring all my hosts.allow/deny settings and so is worldwide accessible!
Is dovecot indeed ignoring hosts.allow/deny? And if so, how can I have the same amount of protection as I previously had with dovecot 1.x over inetd?
BTW: I tried to post on the mailing list but it seems I can't access them at the moment, although I did subscribe and login. Is there anything wrong?
Thanks for your reply!
-- With best regards, Kees Lemmens.
Delft Institute of Applied Mathematics (DIAM), Faculty Electrical Engineering, Mathematics and Computer Science, Delft University of Technology, Delft, The Netherlands,
On Wed, 2011-07-27 at 14:16 +0200, Kees Lemmens wrote:
Since yesterday I have dovecot 2.0.13. But in version 2.0.13 it seems that starting it using inetd doesn't work anymore: I only get a strange error message if I try to connect using telnet:
Yeah, won't work.
Is dovecot indeed ignoring hosts.allow/deny?
Yes. But you can enable tcpwrappers with:
login_access_sockets = tcpwrap
BTW: I tried to post on the mailing list but it seems I can't access them at the moment, although I did subscribe and login. Is there anything wrong?
Nothing's wrong as far as I know..
Hi Timo,
Thanks for the prompt answer! This solves a large security issue for me ;-)
Any idea why the inetd path is not working anymore in 2.x, or is that already somewhere else on the list?
I can access the archives and receive the mailings now, but if I click on http://dovecot.org/mailman/listinfo (which is somewhere on the starting page) I only get this:
    Not Found
    The requested URL /mailman/listinfo was not found on this server.
    Apache/2.2.3 (CentOS) Server at dovecot.org Port 80
-- With best regards, Kees Lemmens.
Hi Timo,others,
Adding login_access_sockets = tcpwrap wasn't enough: I also had to recompile dovecot 2.0.13 with the --with-libwrap option. Then linking failed as it didn't link with libnsl.so, but that was easily fixed.
However, if I try to connect now with tcpwrap switched on, I still have a problem. It doesn't connect and shows the following error message:
    tail /var/log/dovecot.log
    Jul 27 15:05:42 auth: Debug: Loading modules from directory: /opt64/dovecot-2.0.13/lib/dovecot/auth
    Jul 27 15:05:44 auth: Debug: auth client connected (pid=20071)
    Jul 27 15:05:44 imap-login: Error: connect(tcpwrap) failed: No such file or directory
Any idea what I might have forgotten?
Thanks a lot for the response!
regards, Kees Lemmens.
-- With best regards, Kees Lemmens.
Delft Institute of Applied Mathematics (DIAM), Faculty Electrical Engineering, Mathematics and Computer Science, Delft University of Technology, PO Box 5031, NL-2600 GA, Delft, The Netherlands, PHONE: +3115-2787224, ROOM: 05.140.
Hi,
I think I sorted it out: I also had to add a service section to dovecot.conf, and I had to change the old "imap-login" entries in /etc/hosts.allow to be simply "imap" now.
    service tcpwrap {
      unix_listener login/tcpwrap {
        group = $default_login_user
        mode = 0600
        user = $default_login_user
      }
    }
After this it seems to work fine!
Timo: maybe this could be documented a little better? It took me quite a while to figure it all out.
About the "not running from inetd" problem: would it be enough to copy the modules to the chrooted directory to avoid this connect(imap-login) problem?
regards, Kees Lemmens.
-- With best regards, Kees Lemmens.
Email : lemmens<underscore>kees<at>yahoo<dot>co<dot>uk
NOTICE : to minimize spam I'll trash HTML based email immediately ... BTW : Ceterum Censeo Microsoftem esse Delendam
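The daemon-name change Kees describes in the message above is easy to get wrong silently: a hosts.allow entry that still names "imap-login" never matches, and hosts_access(5) then falls through to the "ALL : ALL" line in hosts.deny, so every login is refused rather than the old hosts being let in. The script below is an added example for this page, not Dovecot or libwrap code. It re-implements the hosts.allow/hosts.deny decision for the subset of hosts_access(5) syntax that matters here (daemon lists, ALL, exact IPv4 addresses, dotted prefixes such as "130.161." and network/mask), so the effect of a rule file can be checked offline before it is deployed in front of the tcpwrap service. The rule files, the 130.161. prefix and the client addresses are constructed for the example; that the daemon name checked is the protocol name ("imap", and by analogy "pop3") is taken from the thread and the Dovecot wiki page Timo links below. Hostnames, EXCEPT lists, rule options and IPv6 are not modelled.

```python
"""Offline check of the hosts.allow / hosts.deny decision that Dovecot's
tcpwrap service makes for a login (login_access_sockets = tcpwrap).

Added example for this thread; not Dovecot or libwrap code. It models the
subset of hosts_access(5) syntax used here: daemon lists, ALL, exact IPv4
addresses, dotted prefixes ("130.161.") and network/mask ("130.161.0.0/16"
or "130.161.0.0/255.255.0.0"). Hostnames, EXCEPT, options and IPv6 are not
modelled (an IPv6 literal would also clash with the ':' field separator).
"""
import ipaddress


def _parse_rules(text):
    """Parse 'daemon_list : client_list [: options]' lines into
    (daemons, clients) tuples; comments and blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed hosts_access rule: {raw!r}")
        # hosts_access(5) list elements are separated by blanks and/or commas
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules


def _daemon_matches(daemons, daemon):
    return "ALL" in daemons or daemon in daemons


def _client_matches(pattern, client_ip):
    """Match one client pattern against a dotted-quad IPv4 address."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):            # dotted prefix, e.g. "130.161."
        return client_ip.startswith(pattern)
    if "/" in pattern:                   # net/mask or net/prefixlen
        network = ipaddress.IPv4Network(pattern, strict=False)
        return ipaddress.IPv4Address(client_ip) in network
    return pattern == client_ip          # exact address


def hosts_access(daemon, client_ip, hosts_allow, hosts_deny):
    """Return True if the connection is granted.

    Order is the one documented in hosts_access(5): the first matching
    hosts.allow rule grants, otherwise the first matching hosts.deny rule
    refuses, otherwise access is granted (no rule means no restriction)."""
    for rules, verdict in ((_parse_rules(hosts_allow), True),
                           (_parse_rules(hosts_deny), False)):
        for daemons, clients in rules:
            if _daemon_matches(daemons, daemon) and \
               any(_client_matches(c, client_ip) for c in clients):
                return verdict
    return True


# Constructed rule files for the example. OLD_HOSTS_ALLOW keeps the Dovecot
# 1.x daemon name "imap-login"; the 2.x tcpwrap service checks the protocol
# name ("imap", assumed "pop3" likewise), so that rule never matches and the
# deny-everything line below wins.
OLD_HOSTS_ALLOW = "imap-login : 130.161.\n"
NEW_HOSTS_ALLOW = "imap, pop3 : 130.161. 127.0.0.1\n"
HOSTS_DENY = "ALL : ALL\n"


def login_allowed(client_ip, protocol="imap", hosts_allow=NEW_HOSTS_ALLOW):
    """Decision for one login attempt against the deny-by-default policy."""
    return hosts_access(protocol, client_ip, hosts_allow, HOSTS_DENY)


if __name__ == "__main__":
    for label, allow in (("old imap-login rule", OLD_HOSTS_ALLOW),
                         ("new imap/pop3 rule", NEW_HOSTS_ALLOW)):
        for ip in ("130.161.12.34", "198.51.100.7"):
            verdict = "allow" if login_allowed(ip, "imap", allow) else "deny"
            print(f"{label}: imap from {ip} -> {verdict}")
```

With the old rule both addresses come out as "deny", which is the failure mode to watch for after the upgrade; with the new rule only the 130.161. address and localhost are allowed. The check on the real server is the same in spirit: run `doveconf -n` and confirm both `login_access_sockets = tcpwrap` and the `service tcpwrap` block with its `login/tcpwrap` listener are present, then try an IMAP connection from an address outside hosts.allow and confirm it is refused. Remember that the check only exists at all when the binary was built with --with-libwrap, as Kees found above.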
On Wed, 2011-07-27 at 15:39 +0200, Kees Lemmens wrote:
I think I sorted it out: I also had to add a service section to dovecot.conf, and I had to change the old "imap-login" entries in /etc/hosts.allow to be simply "imap" now. .. Timo: maybe this could be documented a little better? It took me quite a while to figure it all out.
Yeah, I've just been too busy.. I added it now to http://wiki2.dovecot.org/LoginProcess
About the "not running from inetd" problem: would it be enough to copy the modules to the chrooted directory to avoid this connect(imap-login) problem?
I've removed all the code necessary for running from inetd. It was horribly ugly code and I never liked it. There's not going to be any easy way to add it back.