[Dovecot] Domain blacklisting

Timo Sirainen tss at iki.fi
Thu Feb 10 00:58:29 EET 2011


On Wed, 2011-02-09 at 11:57 +0100, Thomas Hummel wrote:

> My understanding is that I cannot use some negative form of "allow_nets". The
> only mechanism I can think of is tcp_wrappers. However, dovecot documentation
> mentions it only in the dovecot-1 section. Does it work the same way with dovecot-2?
> Is it a bad idea (I'm thinking of the induced overhead)?
> Can you see another way to blacklist (at dovecot application level) some sources?

If tcpwrappers supports it, then it should be pretty easy with v2.0, as
long as Dovecot was compiled with support for it:

login_access_sockets = tcpwrap

There is of course some extra overhead, mainly from doing a reverse DNS
lookup for all connections, but since that's what you want it can't be
avoided. Or if you have some known good IP ranges, you can add e.g.:

remote 192.168.0.0/24 {
  login_access_sockets =
}
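
Added example (not part of the message above and not the Dovecot project's own files): the two settings from the reply combined with a tcpwrap listener and a hosts.deny entry. The service tcpwrap block, the daemon names imap and pop3, and the domain .blocked.example are assumptions to check against your Dovecot build and your tcpwrappers documentation.

```conf
# --- dovecot.conf (Dovecot v2.0, built with tcpwrappers support) ---

# Ask the tcpwrap service about every new login connection.
login_access_sockets = tcpwrap

# Assumed listener definition: the login processes need a socket named
# "tcpwrap" to connect to. Adjust ownership to your login user.
service tcpwrap {
  unix_listener login/tcpwrap {
    user = $default_login_user
    group = $default_login_user
    mode = 0600
  }
}

# Known-good range from the message: an empty value disables the check,
# so these clients skip the reverse DNS lookup.
remote 192.168.0.0/24 {
  login_access_sockets =
}

# --- /etc/hosts.deny (tcpwrappers) ---
# A pattern with a leading dot matches every host name under that domain.
# Matching uses the client's reverse DNS name, so a source with no PTR
# record will not match a domain pattern.
# Daemon names imap and pop3 are assumed; .blocked.example is a placeholder.
imap, pop3: .blocked.example
```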



