[Dovecot] dovecot and tcpwrappers
Hi,
I used dovecot 1.x for quite a while and it worked fine. However, I used it through inetd and used hosts.allow/deny to restrict access to only certain groups of systems.
Since yesterday I have dovecot 2.0.13. But in version 2.0.13 it seems that starting it via inetd doesn't work anymore: I only get a strange error message if I try to connect using telnet:
telnet localhost imap
doveconf: Fatal: execvp(imap-login) failed: No such file or directory
I tried a lot of things but couldn't get it going over inetd so I decided to start it directly using an init script, also because you say in the wiki this is (now) the preferred method.
That indeed works fine, but I realised today that dovecot is now completely ignoring all my hosts.allow/deny settings and so is accessible worldwide!
Is dovecot indeed ignoring hosts.allow/deny? And if so, how can I have the same amount of protection as I previously had with dovecot 1.x over inetd?
BTW: I tried to post on the mailing list but it seems I can't access it at the moment, although I did subscribe and log in. Is there anything wrong?
Thanks for your reply!
-- With best regards, Kees Lemmens.
Delft Institute of Applied Mathematics (DIAM), Faculty Electrical Engineering, Mathematics and Computer Science, Delft University of Technology, Delft, The Netherlands,
Hi Timo,
Thanks for the prompt answer! This solves a large security for me ;-)
Any idea why the inetd path is not working anymore in 2.x, or is that already somewhere else in the list?
On Wednesday, July 27, 2011, Timo Sirainen wrote:
I can access the archives and receive the mailings now, but if I click on http://dovecot.org/mailman/listinfo (which is somewhere on the starting page) I only get this:
Not Found
The requested URL /mailman/listinfo was not found on this server.
Apache/2.2.3 (CentOS) Server at dovecot.org Port 80
-- With best regards, Kees Lemmens.
Hi Timo, others,
Adding login_access_sockets = tcpwrap wasn't enough: I also had to recompile dovecot 2.0.13 with the --with-libwrap option. Then linking failed as it didn't link with libnsl.so, but that was easily fixed.
However, if I try to connect now with tcpwrap switched on I still have a problem. It doesn't connect and shows the following error message:
tail /var/log/dovecot.log
Jul 27 15:05:42 auth: Debug: Loading modules from directory: /opt64/dovecot-2.0.13/lib/dovecot/auth
Jul 27 15:05:44 auth: Debug: auth client connected (pid=20071)
Jul 27 15:05:44 imap-login: Error: connect(tcpwrap) failed: No such file or directory
Any idea what I might have forgotten?
Thanks a lot for the response!
regards, Kees Lemmens.
On Wednesday, July 27, 2011, Timo Sirainen wrote:
-- With best regards, Kees Lemmens.
Delft Institute of Applied Mathematics (DIAM), Faculty Electrical Engineering, Mathematics and Computer Science, Delft University of Technology, PO Box 5031, NL-2600 GA, Delft, The Netherlands, PHONE: +3115-2787224, ROOM: 05.140.
Hi,
I think I sorted it out: I also had to add a service section to dovecot.conf, and I had to change the old "imap-login" settings in /etc/hosts.allow to simply "imap" now.
service tcpwrap {
  unix_listener login/tcpwrap {
    group = $default_login_user
    mode = 0600
    user = $default_login_user
  }
}
After this it seems to work fine!
Timo: maybe this could be documented a little better? It took me quite a while to figure it all out.
About the "not running from inetd" problem: would it be enough to copy the modules to the chrooted directory to avoid this connect(imap-login) problem?
regards, Kees Lemmens.
On Wednesday, July 27, 2011, Kees Lemmens wrote:
-- With best regards, Kees Lemmens.
Email : lemmens<underscore>kees<at>yahoo<dot>co<dot>uk
NOTICE : to minimize spam I'll trash HTML based email immediately ... BTW : Ceterum Censeo Microsoftem esse Delendam
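The fix in this thread (login_access_sockets = tcpwrap, the service tcpwrap block, and renaming the daemon in hosts.allow from "imap-login" to "imap") has a consequence worth checking after any upgrade: a hosts.allow/hosts.deny rule keyed on a daemon name the server no longer presents matches nothing, and because libwrap grants access when neither file matches, the service is silently open. The Python below is an added example, not Dovecot's or libwrap's own code. It is a constructed evaluator for the small subset of hosts.allow/hosts.deny syntax used here, run over constructed sample files, plus a helper that flags daemon names Dovecot 2.x will never present. The daemon name "imap" comes from the thread; "pop3" is assumed here by analogy.

```python
"""Toy evaluator of tcp_wrappers hosts.allow / hosts.deny semantics.

Constructed illustration, not Dovecot's or libwrap's code.  It covers just
enough of the syntax to show why a stale daemon name such as "imap-login"
stops protecting anything once Dovecot 2.x checks access under the service
name "imap" (or, assumed by analogy, "pop3").

Supported: daemon lists ("imap, pop3" or ALL); client patterns ALL, an
exact IP, a trailing-dot prefix ("192.168.1.") and net/mask
("10.0.0.0/255.0.0.0" or "10.0.0.0/8").  Not supported: EXCEPT,
domain-name suffixes, spawn/twist commands, IPv6 patterns.
"""
import ipaddress
import re

# Daemon names Dovecot 2.x hands to libwrap via the tcpwrap service
# ("imap" from the thread above; "pop3" is an assumption by analogy).
DOVECOT_DAEMONS = ("imap", "pop3")


def parse_rules(text):
    """Return a list of (daemon_patterns, client_patterns) per rule line."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append((re.split(r"[,\s]+", daemons.strip()),
                      re.split(r"[,\s]+", clients.strip())))
    return rules


def daemon_matches(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def client_matches(pattern, client_ip):
    if pattern == "ALL":
        return True
    if "/" in pattern:                            # net/mask or net/prefixlen
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):                     # "192.168.1." prefix form
        return client_ip.startswith(pattern)
    return pattern == client_ip


def hosts_access(daemon, client_ip, hosts_allow, hosts_deny):
    """libwrap order: hosts.allow first, then hosts.deny, then default allow.

    Returns (granted, reason)."""
    for daemons, clients in parse_rules(hosts_allow):
        if (any(daemon_matches(d, daemon) for d in daemons)
                and any(client_matches(c, client_ip) for c in clients)):
            return True, "matched hosts.allow"
    for daemons, clients in parse_rules(hosts_deny):
        if (any(daemon_matches(d, daemon) for d in daemons)
                and any(client_matches(c, client_ip) for c in clients)):
            return False, "matched hosts.deny"
    return True, "no rule matched: access granted by default"


def unknown_daemons(text, known=DOVECOT_DAEMONS):
    """Daemon names in a rules file that Dovecot 2.x never presents, i.e.
    rules that can no longer match anything.  Run this after an upgrade."""
    seen = []
    for daemons, _ in parse_rules(text):
        for d in daemons:
            if d != "ALL" and d not in known and d not in seen:
                seen.append(d)
    return seen


# Constructed sample files (not from the thread).
HOSTS_ALLOW = "imap, pop3: 192.168.1. 10.0.0.0/255.0.0.0\n"
HOSTS_DENY_OLD = "imap-login: ALL   # daemon name left over from the 1.x inetd setup\n"
HOSTS_DENY_NEW = "imap, pop3: ALL\n"


def demo():
    outside, inside = "203.0.113.7", "192.168.1.20"
    return {
        # stale deny rule: the outside client gets in by default (fail-open)
        "stale_deny_outside": hosts_access("imap", outside, HOSTS_ALLOW, HOSTS_DENY_OLD)[0],
        # corrected deny rule: the outside client is refused
        "fixed_deny_outside": hosts_access("imap", outside, HOSTS_ALLOW, HOSTS_DENY_NEW)[0],
        # the LAN client is still admitted via hosts.allow
        "fixed_allow_lan": hosts_access("imap", inside, HOSTS_ALLOW, HOSTS_DENY_NEW)[0],
        "stale_names": unknown_daemons(HOSTS_DENY_OLD),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the demo makes is that the hosts.deny file with the old "imap-login" line looks protective but admits the outside client, because no rule in either file matches and libwrap then grants access; unknown_daemons() is the quick lint for exactly that mistake.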
On Wed, 2011-07-27 at 15:39 +0200, Kees Lemmens wrote:
Yeah, I've just been too busy... I added it now to http://wiki2.dovecot.org/LoginProcess
I've removed all the code necessary for running from inetd. It was horribly ugly code and I never liked it. There's not going to be any easy way to add it back.
participants (3): Kees Lemmens, Kees Lemmens, Timo Sirainen