[Dovecot] Configuring dovecot to use tcp wrappers

Max Pyziur pyz at brama.com
Thu Apr 11 21:04:07 EEST 2013


On Thu, 11 Apr 2013, lists-dovecot wrote:

>
>

[... snip ...]
>>
>> I've put in a test ip address in /etc/hosts.deny like so:
>> dovecot: 166.84.1.2
>>
>> And then I execute the following from 166.84.1.2 to port 110:
>> bash-3.2$ telnet SiteWhereImConfiguringDovecot 110
>> Trying SiteWhereImConfiguringDovecot...
>> Connected to SiteWhereImConfiguringDovecot.
>> Escape character is '^]'.
>> +OK Dovecot ready.
>> quit
>> +OK Logging out
>> Connection closed by foreign host.
>>
>> If dovecot is configured with tcp wrappers (which it is; built on
>> a CentOS 6 system, installed and configured per instructions),
>> and the firewall has ports 110 and 143 open,
>> but I'm blocking a particular host through /etc/hosts.deny
>> then I should not be able to telnet to either port 110 or 143; both
>> requests should be blocked from the originating IP, no?
>>
>> Much thanks for your help,
>>
>> Max Pyziur
>> pyz at brama.com
>
>
> What are you using as the service name in hosts.deny? I think it
> should be "imap-login:", (that's what I have as an
> historical/left-over entry) but don't have dovecot configured with
> wrappers on my current centos system so can't test this to be
> certain. Also make certain that you don't have anything in your
> hosts.allow file that would override the hosts.deny entry.

I was using dovecot, until you convinced me to do otherwise.

Putting pop3 in /etc/hosts.deny with the associated ip seems to work, like 
so:
pop3: 166.84.1.2

or imap
imap: 166.84.1.2

(are there any challenges to this?)

Given that services such sendmail and sshd respond to
sshd: xxx.xxx.xxx.xxx
sendmail: xxx.xxx.xxx.xxx

I thought that it should be dovecot: xxx.xxx.xxx.xxx


As a suggestion, can dovecot binaries for distributions such as CentOS and 
Fedora be compiled with tcp wrappers by default?


>   - Richard

Much thanks.

MP
pyz at brama.com


More information about the dovecot mailing list