blacklistd support for dovecot
Kurt Lidl
lidl at pix.net
Thu Sep 20 00:48:11 EEST 2018
Greetings all!
I ported the NetBSD blacklistd support into FreeBSD a while ago (FreeBSD
11.x timeframe). I also added support to several of the system daemons
there, so they could all talk to a centralized daemon (blacklistd).
One of the third party apps that I added support to was sendmail - that
works pretty well.
So I'm now finally turning my attention to adding blacklistd support to
dovecot (which is the imap daemon that I use).
I did an implementation to an earlier version, and that worked OK, at
least for non-encrypted access to the imap server. However, the
encrypted access (TLS) doesn't work right.
To authenticate a network connection, the daemon must pass the fd of the
remote connection over a unix domain socket to the actual blacklistd
daemon. The blacklistd daemon will then call getpeername() on the
connection, so it can determine the remote connection endpoint, rather
than just having to believe some made-up set of data that is passed to
it from a process on the local machine.
Christos Zoulas' talk on blacklistd is here:
https://www.youtube.com/watch?v=fuuf8G28mjs
Anyhow -- the problem I've run into is that there doesn't seem to be any
way to get access to the fd of the socket that holds the raw connection
to the client when TLS encryption is active. It looks like the only
connection I get is to the proxy process.
Is there any guidance that someone can give on how to implement this?
Thank you.
-Kurt
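The fd-passing step described above (the serving daemon hands the client's socket descriptor to blacklistd over a unix-domain socket, and blacklistd then asks the kernel with getpeername() who the peer is, instead of trusting an address string sent by the local process) as an added example in C. This is not code from the post, from dovecot or from blacklistd; it uses a loopback TCP connection as a constructed stand-in for the IMAP client and a socketpair() as a stand-in for the daemon-to-blacklistd unix socket, and the function and variable names are the example's own.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <sys/un.h>
#include <unistd.h>

/* Send one descriptor over a unix-domain socket using SCM_RIGHTS. */
static int send_fd(int chan, int fd_to_send) {
    char byte = 'B';                       /* one payload byte is required */
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg;
    memset(&msg, 0, sizeof msg);
    memset(&u, 0, sizeof u);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = u.buf;
    msg.msg_controllen = sizeof u.buf;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd_to_send, sizeof(int));
    return sendmsg(chan, &msg, 0) == 1 ? 0 : -1;
}

/* Receive a descriptor sent with send_fd(); returns the new fd or -1.
 * The control message is validated before the fd is trusted. */
static int recv_fd(int chan) {
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg;
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = u.buf;
    msg.msg_controllen = sizeof u.buf;
    if (recvmsg(chan, &msg, 0) != 1) return -1;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    if (cm == NULL || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS ||
        cm->cmsg_len != CMSG_LEN(sizeof(int)))
        return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
}

/* Returns 1 when getpeername() on the passed fd reports the same address
 * the client socket really has, 0 on any failure. (Hypothetical demo.) */
int demo_peername_via_passed_fd(void) {
    int result = 0;
    int lsock = -1, csock = -1, asock = -1, passed = -1;
    int chan[2] = { -1, -1 };
    struct sockaddr_in addr, peer, real;
    socklen_t alen = sizeof addr, plen = sizeof peer, rlen = sizeof real;

    /* Constructed setup: loopback listener on an ephemeral port. */
    lsock = socket(AF_INET, SOCK_STREAM, 0);
    if (lsock < 0) goto out;
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr.sin_port = 0;
    if (bind(lsock, (struct sockaddr *)&addr, sizeof addr) < 0 || listen(lsock, 1) < 0) goto out;
    if (getsockname(lsock, (struct sockaddr *)&addr, &alen) < 0) goto out;

    /* Client connection standing in for the remote IMAP client. */
    csock = socket(AF_INET, SOCK_STREAM, 0);
    if (csock < 0 || connect(csock, (struct sockaddr *)&addr, sizeof addr) < 0) goto out;
    asock = accept(lsock, NULL, NULL);
    if (asock < 0) goto out;

    /* Unix-domain channel standing in for the daemon <-> blacklistd socket. */
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, chan) < 0) goto out;
    if (send_fd(chan[0], asock) < 0) goto out;
    passed = recv_fd(chan[1]);
    if (passed < 0) goto out;

    /* "blacklistd" side: the kernel, not the sender, says who the peer is. */
    if (getpeername(passed, (struct sockaddr *)&peer, &plen) == 0 &&
        getsockname(csock, (struct sockaddr *)&real, &rlen) == 0 &&
        peer.sin_addr.s_addr == real.sin_addr.s_addr &&
        peer.sin_port == real.sin_port)
        result = 1;
out:
    if (passed >= 0) close(passed);
    if (chan[0] >= 0) { close(chan[0]); close(chan[1]); }
    if (asock >= 0) close(asock);
    if (csock >= 0) close(csock);
    if (lsock >= 0) close(lsock);
    return result;
}

int main(void) {
    printf("peer address via passed fd %s\n",
           demo_peername_via_passed_fd() ? "matches" : "does NOT match");
    return 0;
}
```

The check at the end is the whole point of the design: the sender only supplies a descriptor, and the receiver derives the address from the kernel's view of that socket. It also shows why the TLS case in the post is hard: if the fd the IMAP process holds is its end of a connection to a local proxy, getpeername() on it truthfully reports the proxy, not the remote client, so only the process holding the real client socket can hand over a useful descriptor.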