[Dovecot] libwrap-ing IMAP and POP logins

Edgar Fuß ef at math.uni-bonn.de
Wed Nov 14 11:29:37 EET 2007


Since I've been using this for maybe a year now, maybe someone else is interested in restricting IMAP and POP logins via libwrap.

In addition to the attached patch (against 1.0.5) to src/login-common/main.c, src/{imap,pop3}-login/Makefile.in have to be modified to link against libwrap.
Of course, the option needs to be integrated into configure in the long run.
-------------- next part --------------
--- src/login-common/main.c.orig	2007-05-19 13:14:04.000000000 +0200
+++ src/login-common/main.c	2007-11-13 11:53:37.000000000 +0100
@@ -1,5 +1,7 @@
 /* Copyright (C) 2002 Timo Sirainen */
 
+#define LIBWRAP
+
 #include "common.h"
 #include "ioloop.h"
 #include "lib-signals.h"
@@ -18,6 +20,11 @@
 #include <unistd.h>
 #include <syslog.h>
 
+#ifdef LIBWRAP
+#include <tcpd.h>
+int allow_severity =0, deny_severity = 0;
+#endif
+
 bool disable_plaintext_auth, process_per_connection, greeting_capability;
 bool verbose_proctitle, verbose_ssl, verbose_auth;
 const char *greeting, *log_format;
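Review bot: `allow_severity` and `deny_severity` are the syslog priorities libwrap reads from the application, and initialising both to 0 makes them `LOG_EMERG`, so anything libwrap logs with them would be emitted at emergency level. `<syslog.h>` is already included just above, so the conventional values can be used: `int allow_severity = LOG_INFO, deny_severity = LOG_WARNING;`. A short comment such as `/* libwrap requires the program to define these; they must keep external linkage */` would also stop a later cleanup from making them static. Whether libwrap actually logs on the paths this patch exercises depends on how the library was built and on the rules in use, so treat the level as a latent problem rather than an observed one.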
@@ -69,6 +76,10 @@
 	unsigned int remote_port, local_port;
 	struct client *client;
 	int fd;
+#ifdef LIBWRAP
+	struct request_info req;
+	char daemon[13] = "dovecot-";
+#endif
 
 	fd = net_accept(LOGIN_LISTEN_FD, &remote_ip, &remote_port);
 	if (fd < 0) {
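Review bot: The size in `char daemon[13]` is a hand-computed magic number (8 for `"dovecot-"`, 4 for the protocol name, 1 for the terminator), and the `[17]` in the SSL handler further down repeats the arithmetic with `-ssl` added. If `login_protocol` is ever longer than four characters, the later `strlcat()` truncates silently and the shortened name is what gets matched against the access tables, so a rule written for the full daemon name would no longer apply. I would give the buffer headroom and record the intent, e.g. `char daemon[32] = "dovecot-"; /* "dovecot-" + login_protocol [+ "-ssl"] */`, and have the call sites compare the `strlcat()` return value with `sizeof(daemon)`. The enclosing function starts and ends outside this hunk.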
@@ -77,6 +88,17 @@
 		return;
 	}
 
+#ifdef LIBWRAP
+	strlcat(daemon, login_protocol, sizeof(daemon));
+	request_init(&req, RQ_DAEMON, daemon, RQ_FILE, fd, NULL);
+	fromhost(&req);
+	if (!hosts_access(&req)) {
+		i_info("libwrap: access denied");
+		net_disconnect(fd);
+		return;
+	}
+#endif
+
 	if (net_getsockname(fd, &local_ip, &local_port) < 0) {
 		memset(&local_ip, 0, sizeof(local_ip));
 		local_port = 0;
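Review bot: The denial message `i_info("libwrap: access denied");` records neither the peer nor the daemon name that was matched, so a refused connection cannot be tied to a source address or to a rule afterwards; the `access-ssl denied` message in the SSL handler has the same gap. `remote_ip` has already been filled in by `net_accept()` at this point, so something like `i_info("libwrap: access denied for %s (%s)", net_ip2addr(&remote_ip), daemon);` would make the log usable for detection and rule debugging. Separately, hosts_access() treats an access table it cannot open as empty and therefore grants access. If the login process runs chrooted or without read access to the tables (not visible from this hunk), the check would pass every connection without any indication, which is worth verifying and documenting next to the call. The enclosing function starts and ends outside the hunk.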
@@ -99,6 +121,10 @@
 	struct client *client;
 	struct ssl_proxy *proxy;
 	int fd, fd_ssl;
+#ifdef LIBWRAP
+	struct request_info req;
+	char daemon[17] = "dovecot-";
+#endif
 
 	fd = net_accept(LOGIN_SSL_LISTEN_FD, &remote_ip, &remote_port);
 	if (fd < 0) {
@@ -107,6 +133,18 @@
 		return;
 	}
 
+#ifdef LIBWRAP
+	strlcat(daemon, login_protocol, sizeof(daemon));
+	strlcat(daemon, "-ssl", sizeof(daemon));
+	request_init(&req, RQ_DAEMON, daemon, RQ_FILE, fd, NULL);
+	fromhost(&req);
+	if (!hosts_access(&req)) {
+		i_info("libwrap: access-ssl denied");
+		net_disconnect(fd);
+		return;
+	}
+#endif
+
 	if (net_getsockname(fd, &local_ip, &local_port) < 0) {
 		memset(&local_ip, 0, sizeof(local_ip));
 		local_port = 0;
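Review bot: This block is a copy of the one added to the plain-text accept handler, differing only in the `-ssl` suffix and the log text, so the two copies can drift apart on exactly the lines that decide who may connect. A small static helper that builds the daemon name, runs the check and returns the verdict would leave one place to audit. The sketch below also refuses the connection when the name does not fit the buffer, because a truncated name would be evaluated against different rules. Each handler then reduces to calling the helper and, on refusal, logging and `net_disconnect(fd)` as it does now. The enclosing function starts and ends outside the hunk.

```c
/* Ask libwrap whether the peer on fd may use "dovecot-<protocol><suffix>". */
static bool login_libwrap_allowed(int fd, const char *suffix)
{
	struct request_info req;
	char daemon[32] = "dovecot-";

	/* fail closed: a truncated name would be matched against the wrong rules */
	if (strlcat(daemon, login_protocol, sizeof(daemon)) >= sizeof(daemon) ||
	    strlcat(daemon, suffix, sizeof(daemon)) >= sizeof(daemon))
		return FALSE;

	request_init(&req, RQ_DAEMON, daemon, RQ_FILE, fd, NULL);
	fromhost(&req);
	return hosts_access(&req) != 0;
}

/* … unchanged: net_accept() and its error handling … */
	if (!login_libwrap_allowed(fd, "-ssl")) {
		i_info("libwrap: access-ssl denied");
		net_disconnect(fd);
		return;
	}
```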

