[Dovecot] Cannot get the libwrap patch work
Tahir riaz
tahir.riaz at comsats.net.pk
Sat Nov 8 10:00:20 EET 2008
Hello,
Again the same issue. The patch is not working again. There are no
signs of tcpd.h in config.log. Do I have to make changes in configure script
also. I am not a pogrammer so I follwed the step by step instructions on
editing the described file. Are some other steps required ?
configure is used with following parameters ./configure
--prefix=/userdata/usr/local/dovecot-1.1.6 --with-libwrap --with-zlib
--with-storages=maildir,mbox,raw
Thankyou
Tahir Riaz
Assistant Director (Systems)
COMSATS Internet Services
COMSATS Headquarters Building
9, Shahrah-e-Jamhuriat, G-5/2
Islamabad.
-----Original Message-----
From: dovecot-bounces+tahir.riaz=comsats.net.pk at dovecot.org
[mailto:dovecot-bounces+tahir.riaz=comsats.net.pk at dovecot.org] On Behalf Of
dovecot-request at dovecot.org
Sent: Friday, November 07, 2008 4:48 PM
To: dovecot at dovecot.org
Subject: dovecot Digest, Vol 67, Issue 19
Send dovecot mailing list submissions to
dovecot at dovecot.org
To subscribe or unsubscribe via the World Wide Web, visit
http://dovecot.org/cgi-bin/mailman/listinfo/dovecot
or, via email, send a message with subject or body 'help' to
dovecot-request at dovecot.org
You can reach the person managing the list at
dovecot-owner at dovecot.org
When replying, please edit your Subject line so it is more specific than
"Re: Contents of dovecot digest..."
Today's Topics:
1. Re: Cannot get the libwrap patch work (Edgar Fu?)
2. libwrap patch for 1.1.6 (Edgar Fu?)
3. Re: Cannot get the libwrap patch work (Edgar Fu?)
4. Problem witch dovecot-auth (Grzegorz Zalewski)
5. Problem witch dovecot-auth continue (Grzegorz Zalewski)
6. limit logins by time (Andre H?bner)
7. Re: limit logins by time (Timo Sirainen)
8. Re: limit logins by time (Andre H?bner)
9. Re: limit logins by time (Timo Sirainen)
----------------------------------------------------------------------
Message: 1
Date: Fri, 7 Nov 2008 12:01:43 +0100
From: Edgar Fu? <ef at math.uni-bonn.de>
Subject: Re: [Dovecot] Cannot get the libwrap patch work
To: Dovecot Mailing List <dovecot at dovecot.org>
Message-ID: <20081107110142.GA304 at orion.math.uni-bonn.de>
Content-Type: text/plain; charset=us-ascii
> "Error: login_tcp_wrappers can't be used because Dovecot wasn't built with
libwrap"
What does the configure script tell you about "tcpd.h usability" and "tcpd.h
presence"? What does config.log say about them?
------------------------------
Message: 2
Date: Fri, 7 Nov 2008 12:05:26 +0100
From: Edgar Fu? <ef at math.uni-bonn.de>
Subject: [Dovecot] libwrap patch for 1.1.6
To: Dovecot Mailing List <dovecot at dovecot.org>
Message-ID: <20081107110526.GB304 at orion.math.uni-bonn.de>
Content-Type: text/plain; charset="us-ascii"
Btw, I've updated the patch for 1.1.6, see attached file.
-------------- next part --------------
--- configure.in.orig 2008-06-22 13:02:27.000000000 +0200
+++ configure.in 2008-07-23 15:05:00.000000000 +0200
@@ -61,6 +61,15 @@
notify=$withval,
notify=)
+AC_ARG_WITH(libwrap,
+[ --with-libwrap Build with libwrap, ie. TCP-wrappers (default)],
+ if test x$withval = xno; then
+ want_libwrap=no
+ else
+ want_libwrap=yes
+ fi,
+ want_libwrap=yes)
+
AC_ARG_WITH(linux-quota,
[ --with-linux-quota=n Linux quota version to use (default: system's)],
AC_DEFINE_UNQUOTED(_LINUX_QUOTA_VERSION, $withval, @@ -1554,6
+1563,30 @@ fi
dnl **
+dnl ** TCP wrappers
+dnl **
+
+if test "$want_libwrap" = "yes"; then
+ AC_CHECK_HEADER(tcpd.h, [
+ old_LIBS=$LIBS
+ LIBS="$LIBS -lwrap"
+ AC_TRY_LINK([
+ #include <tcpd.h>
+ int allow_severity;
+ int deny_severity;
+ struct request_info request;
+ ], [
+ request_init(&request, 0);
+ ], [
+ AC_DEFINE(HAVE_LIBWRAP,, Define if you have libwrap)
+ LIBWRAP_LIBS=-lwrap
+ AC_SUBST(LIBWRAP_LIBS)
+ ])
+ LIBS=$old_LIBS
+ ])
+fi
+
+dnl **
dnl ** userdb and passdb checks
dnl **
--- dovecot-example.conf.orig 2008-07-07 18:57:31.000000000 +0200
+++ dovecot-example.conf 2008-07-07 18:57:31.000000000 +0200
@@ -171,6 +171,11 @@
# Greeting message for clients.
#login_greeting = Dovecot ready.
+# Use TCP wrappers for incoming connection access checks. This requires
+that # Dovecot was compiled with libwrap. Note that this setting
+requires # login_process_per_connection=yes.
+#login_tcp_wrappers = no
+
# Space-separated list of elements we want to log. The elements which have
# a non-empty variable value are joined together to form a comma-separated
# string.
--- src/imap-login/Makefile.am.orig 2008-06-12 08:45:10.000000000 +0200
+++ src/imap-login/Makefile.am 2008-07-07 18:57:31.000000000 +0200
@@ -13,7 +13,8 @@
../lib-imap/libimap.a \
../lib-auth/libauth.a \
../lib/liblib.a \
- $(SSL_LIBS)
+ $(SSL_LIBS) \
+ $(LIBWRAP_LIBS)
imap_login_SOURCES = \
client.c \
--- src/login-common/main.c.orig 2008-10-26 16:03:45.000000000 +0100
+++ src/login-common/main.c 2008-11-06 13:54:01.000000000 +0100
@@ -19,8 +19,16 @@
#include <unistd.h>
#include <syslog.h>
+#ifdef HAVE_LIBWRAP
+# include <tcpd.h>
+# include <syslog.h>
+int allow_severity = LOG_INFO;
+int deny_severity = LOG_WARNING;
+# include "str.h"
+#endif
+
bool disable_plaintext_auth, process_per_connection, greeting_capability;
-bool verbose_proctitle, verbose_ssl, verbose_auth, auth_debug;
+bool verbose_proctitle, verbose_ssl, verbose_auth, auth_debug,
+tcp_wrappers;
bool ssl_require_client_cert;
const char *greeting, *log_format;
const char *const *log_format_elements; @@ -75,6 +83,45 @@
io_loop_stop(ioloop);
}
+static void access_check(int fd, const struct ip_addr *ip, bool ssl) {
+#ifdef HAVE_LIBWRAP
+ struct request_info req;
+ char *daemon;
+ string_t *process_name_ssl;
+
+ if (!tcp_wrappers)
+ return;
+ if (!process_per_connection)
+ i_fatal("Tried to use TCP wrapers with
process_per_connection=no");
+
+ if (ssl) {
+ process_name_ssl = t_str_new(20);
+ str_append(process_name_ssl, process_name);
+ str_append(process_name_ssl, "-ssl");
+ daemon = str_c(process_name_ssl);
+ } else {
+ daemon = process_name;
+ }
+ request_init(&req,
+ RQ_FILE, fd,
+ RQ_CLIENT_ADDR, net_ip2addr(ip),
+ RQ_DAEMON, daemon,
+ 0);
+ fromhost(&req);
+
+ if (!hosts_access(&req)) {
+ i_error("Connection refused by tcp-wrappers: %s",
+ net_ip2addr(ip));
+ refuse(&req);
+ i_unreached();
+ }
+ if (ssl) {
+ str_free(&process_name_ssl);
+ }
+#endif
+}
+
static void login_accept(void *context) {
int listen_fd = POINTER_CAST_TO(context, int); @@ -89,6 +136,7 @@
i_error("accept() failed: %m");
return;
}
+ access_check(fd, &remote_ip, FALSE);
if (net_getsockname(fd, &local_ip, &local_port) < 0) {
memset(&local_ip, 0, sizeof(local_ip)); @@ -120,6 +168,7 @@
i_error("accept() failed: %m");
return;
}
+ access_check(fd, &remote_ip, TRUE);
if (net_getsockname(fd, &local_ip, &local_port) < 0) {
memset(&local_ip, 0, sizeof(local_ip)); @@ -319,6 +368,7 @@
verbose_auth = getenv("VERBOSE_AUTH") != NULL;
auth_debug = getenv("AUTH_DEBUG") != NULL;
ssl_require_client_cert = getenv("SSL_REQUIRE_CLIENT_CERT") != NULL;
+ tcp_wrappers = getenv("TCP_WRAPPERS") != NULL;
greeting = getenv("GREETING");
if (greeting == NULL)
@@ -419,11 +469,12 @@
restrict_access_by_env() is called */
lib_init();
+ process_name = strrchr(argv[0], '/');
+ process_name = process_name == NULL ? argv[0] : process_name+1;
+
if (is_inetd) {
/* running from inetd. create master process before
dropping privileges. */
- process_name = strrchr(argv[0], '/');
- process_name = process_name == NULL ? argv[0] :
process_name+1;
group_name = t_strcut(process_name, '-');
for (i = 1; i < argc; i++) {
--- src/master/login-process.c.orig 2008-06-12 23:38:01.000000000 +0200
+++ src/master/login-process.c 2008-07-07 19:51:45.000000000 +0200
@@ -573,6 +573,8 @@
env_put(t_strconcat("LOG_FORMAT=", set->login_log_format, NULL));
if (set->login_greeting_capability)
env_put("GREETING_CAPABILITY=1");
+ if (set->login_tcp_wrappers)
+ env_put("TCP_WRAPPERS=1");
if (group->mail_process_type == PROCESS_TYPE_IMAP) {
env_put(t_strconcat("CAPABILITY_STRING=",
--- src/master/master-settings.c.orig 2008-06-21 15:09:16.000000000 +0200
+++ src/master/master-settings.c 2008-07-07 20:28:37.000000000 +0200
@@ -208,6 +208,7 @@
MEMBER(login_process_per_connection) TRUE,
MEMBER(login_chroot) TRUE,
MEMBER(login_greeting_capability) FALSE,
+ MEMBER(login_tcp_wrappers) FALSE,
MEMBER(login_process_size) 64,
MEMBER(login_processes_count) 3,
@@ -479,6 +480,7 @@
fix_base_path(auth->parent->defaults, &s->master.path);
fix_base_path(auth->parent->defaults, &s->client.path);
}
+
return TRUE;
}
@@ -861,6 +863,20 @@
return FALSE;
}
#endif
+
+ if (!set->login_process_per_connection && set->login_tcp_wrappers) {
+ i_error("login_process_per_connection=no can't be used with
"
+ "login_tcp_wrappers=yes");
+ return FALSE;
+ }
+#ifndef HAVE_LIBWRAP
+ if (set->login_tcp_wrappers) {
+ i_error("login_tcp_wrappers can't be used because "
+ "Dovecot wasn't built with libwrap");
+ return FALSE;
+ }
+#endif
+
return TRUE;
}
--- src/master/master-settings-defs.c.orig 2008-07-07
20:06:11.000000000 +0200
+++ src/master/master-settings-defs.c 2008-07-07 19:55:08.000000000 +0200
@@ -46,6 +46,7 @@
DEF_BOOL(login_process_per_connection),
DEF_BOOL(login_chroot),
DEF_BOOL(login_greeting_capability),
+ DEF_BOOL(login_tcp_wrappers),
DEF_INT(login_process_size),
DEF_INT(login_processes_count),
--- src/master/master-settings.h.orig 2008-06-12 08:45:10.000000000 +0200
+++ src/master/master-settings.h 2008-07-07 18:57:31.000000000 +0200
@@ -60,6 +60,7 @@
bool login_process_per_connection;
bool login_chroot;
bool login_greeting_capability;
+ bool login_tcp_wrappers;
unsigned int login_process_size;
unsigned int login_processes_count;
--- src/pop3-login/Makefile.am.orig 2008-06-12 08:45:10.000000000 +0200
+++ src/pop3-login/Makefile.am 2008-07-07 18:57:31.000000000 +0200
@@ -11,7 +11,8 @@
../login-common/liblogin-common.a \
../lib-auth/libauth.a \
../lib/liblib.a \
- $(SSL_LIBS)
+ $(SSL_LIBS) \
+ $(LIBWRAP_LIBS)
pop3_login_SOURCES = \
client.c \
------------------------------
Message: 3
Date: Fri, 7 Nov 2008 12:06:28 +0100
From: Edgar Fu? <ef at math.uni-bonn.de>
Subject: Re: [Dovecot] Cannot get the libwrap patch work
To: Dovecot Mailing List <dovecot at dovecot.org>
Message-ID: <20081107110628.GC304 at orion.math.uni-bonn.de>
Content-Type: text/plain; charset=us-ascii
> After compiling and running it
Just to make sure: You did run autoconf/automake/autoheader before
configuring?
------------------------------
Message: 4
Date: Fri, 7 Nov 2008 10:03:12 +0100
From: "Grzegorz Zalewski" <zalewski_grzegorz at passat.com.pl>
Subject: [Dovecot] Problem witch dovecot-auth
To: <dovecot at dovecot.org>
Message-ID: <EBEBB133D30542E79650168B757DB3AA at zapasduo>
Content-Type: text/plain; format=flowed; charset="iso-8859-2";
reply-type=original
Hello i`m post in this mailing list first time.
I`ve debian Etch witch dovecot version 1.2.alpha3 from:
deb http://xi.rename-it.nl/debian/ experimental-auto main
I`m installing this version dovecot becouse this version solved my problem
witch imap problem.
It`s working but once or twice times for a day i have error in log:
--------
dovecot: 2008-11-06 22:11:59 Error: auth(default): Raw backtrace:
dovecot-auth [0x8075761] -> dovecot-auth [0x80757e2] -> dovecot-auth
[0x8075179] -> dovecot-auth [0x805c478] ->
dovecot-auth(io_loop_handle_timeouts+0xe9) [0x8078629] ->
dovecot-auth(io_loop_handler_run+0x82) [0x8078eb2] ->
dovecot-auth(io_loop_run+0x20) [0x80783d0] -> dovecot-auth(main+0x28c)
[0x805e07c] -> /lib/i686/cmov/libc.so.6(__libc_start_main+0xe5)
[0xb7a7b455] -> dovecot-auth [0x8053cd1]dovecot: 2008-11-06 22:11:59 Error:
child 28945 (auth) killed with signal 6
--------
my dovecot configuration is:
--------
# 1.2.alpha3: /etc/dovecot/dovecot.conf# OS: Linux 2.6.18-6-686 i686 Debian
4.0log_path: /var/log/dovecot.loglog_timestamp: %Y-%m-%d %H:%M:%Sprotocols:
imap imaps pop3 pop3sssl_listen(default): my_ip:993ssl_listen(imap):
my_ip:993ssl_listen(pop3): my_ip:995ssl_cert_file:
/etc/dovecot/ssl/dovecot.pemssl_key_file:
/etc/dovecot/ssl/dovecot.pemverbose_ssl: yeslogin_dir:
/var/run/dovecot/loginlogin_executable(default):
/usr/lib/dovecot/imap-loginlogin_executable(imap):
/usr/lib/dovecot/imap-loginlogin_executable(pop3):
/usr/lib/dovecot/pop3-loginlogin_greeting: POP readyverbose_proctitle:
yesmail_access_groups: postfixmail_location:
maildir:~/Maildirmail_executable(default):
/usr/lib/dovecot/imapmail_executable(imap):
/usr/lib/dovecot/imapmail_executable(pop3):
/usr/lib/dovecot/pop3mail_plugin_dir(default):
/usr/lib/dovecot/modules/imapmail_plugin_dir(imap):
/usr/lib/dovecot/modules/imapmail_plugin_dir(pop3):
/usr/lib/dovecot/modules/pop3imap_client_workarounds:
outlook-idlepop3_client_workarounds: outlook-no-nulsauth default: verbose:
yes debug: yes passdb: driver: pam userdb: driver: passwd
--------
Have anyone any idea what is wrong ??
------------------------------
Message: 5
Date: Fri, 7 Nov 2008 11:17:36 +0100
From: "Grzegorz Zalewski" <zalewski_grzegorz at passat.com.pl>
Subject: [Dovecot] Problem witch dovecot-auth continue
To: <dovecot at dovecot.org>
Message-ID: <1E3598730CBB4517A61A82FFD912F170 at zapasduo>
Content-Type: text/plain; format=flowed; charset="iso-8859-2";
reply-type=original
I`m forgot paste rest of the log:
dovecot: 2008-11-07 10:16:44 Panic: auth(default): file
auth-worker-server.c: line 54 (auth_worker_idle_timeout): assertion failed:
(array_count(&conn->requests) == 0)
------------------------------
Message: 6
Date: Fri, 7 Nov 2008 12:21:06 +0100
From: Andre H?bner <andre.huebner at gmx.de>
Subject: [Dovecot] limit logins by time
To: "Dovecot Mailing List" <dovecot at dovecot.org>
Message-ID: <6369625A000E47B0BAD806CA4978CAD6 at nmm.local>
Content-Type: text/plain; format=flowed; charset="iso-8859-1";
reply-type=original
Hello,
i want to limit the count of pop3 logins for users by time. Whats the
correct way to do this?
I searched the webpage and conf parameters but did not find a fitting
solution.
Please give me litte hint.
Thanks,
Andre
------------------------------
Message: 7
Date: Fri, 7 Nov 2008 13:34:06 +0200
From: Timo Sirainen <tss at iki.fi>
Subject: Re: [Dovecot] limit logins by time
To: Andre H?bner <andre.huebner at gmx.de>
Cc: Dovecot Mailing List <dovecot at dovecot.org>
Message-ID: <E69491A7-C62D-4687-94D2-C4E18E19B24D at iki.fi>
Content-Type: text/plain; charset="iso-8859-1"
On Nov 7, 2008, at 1:21 PM, Andre H?bner wrote:
> i want to limit the count of pop3 logins for users by time. Whats
> the correct way to do this?
> I searched the webpage and conf parameters but did not find a
> fitting solution.
You mean something like "one login per 5 minutes"? Why do you want it?
There's no existing way to do it, but you could probably do it with
http://wiki.dovecot.org/PostLoginScripting
.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 194 bytes
Desc: This is a digitally signed message part
Url :
http://dovecot.org/pipermail/dovecot/attachments/20081107/5ed0fd2d/attachmen
t-0001.bin
------------------------------
Message: 8
Date: Fri, 7 Nov 2008 12:43:03 +0100
From: Andre H?bner <andre.huebner at gmx.de>
Subject: Re: [Dovecot] limit logins by time
To: "Dovecot Mailing List" <dovecot at dovecot.org>
Cc: Timo Sirainen <tss at iki.fi>
Message-ID: <374C4EDA21FC4D7A815B9EF137E68E69 at nmm.local>
Content-Type: text/plain; format=flowed; charset="iso-8859-1";
reply-type=original
>You mean something like "one login per 5 minutes"? Why do you want it?
yes, this is exactly what i want.
have a user who seems to go crazy, lots of logins with differnet usernames
within seconds. i could limit him by iptables, but this has only effect for
short time...
> There's no existing way to do it, but you could probably do it with
> http://wiki.dovecot.org/PostLoginScripting
.
ok, will try it
Thanks,
Andre
------------------------------
Message: 9
Date: Fri, 7 Nov 2008 13:47:56 +0200
From: Timo Sirainen <tss at iki.fi>
Subject: Re: [Dovecot] limit logins by time
To: Andre H?bner <andre.huebner at gmx.de>
Cc: Dovecot Mailing List <dovecot at dovecot.org>
Message-ID: <C7E1C8F5-AE57-406E-BDC4-1E93E74B3CBD at iki.fi>
Content-Type: text/plain; charset="iso-8859-1"
On Nov 7, 2008, at 1:43 PM, Andre H?bner wrote:
>> You mean something like "one login per 5 minutes"? Why do you want
>> it?
> yes, this is exactly what i want.
> have a user who seems to go crazy, lots of logins with differnet
> usernames within seconds. i could limit him by iptables, but this
> has only effect for short time...
They're successful logins?
>> There's no existing way to do it, but you could probably do it with
http://wiki.dovecot.org/PostLoginScripting
> .
> ok, will try it
Perhaps just make it do a "sleep 30" or something if the previous
login was too close.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 194 bytes
Desc: This is a digitally signed message part
Url :
http://dovecot.org/pipermail/dovecot/attachments/20081107/7624863f/attachmen
t.bin
------------------------------
_______________________________________________
dovecot mailing list
dovecot at dovecot.org
http://dovecot.org/cgi-bin/mailman/listinfo/dovecot
End of dovecot Digest, Vol 67, Issue 19
***************************************
More information about the dovecot
mailing list