blacklistd support for dovecot

Kurt Lidl lidl at pix.net
Thu Sep 20 00:48:11 EEST 2018


Greetings all!

I ported the NetBSD blacklistd support into FreeBSD a while ago (FreeBSD 
11.x timeframe).  I also added support to several of the system daemons 
there, so they could all talk to a centralized daemon (blacklistd).

One of the third party apps that I added support to was sendmail - that
works pretty well.

So I'm now finally turning my attention to adding blacklistd support to 
dovecot (which is the imap daemon that I use).

I did an implementation to an earlier version, and that worked OK, at
least for non-encrypted access to the imap server.  However, the 
encrypted access (TLS) doesn't work right.

To authenticate a network connection, the daemon must pass the fd of the 
remote connection over a unix domain socket to the actual blacklistd 
daemon.  The blacklistd daemon will then call getpeername() on the 
connection, so it can determine the remote connection endpoint, rather 
than just having to believe some made-up set of data that is passed to 
it from a process on the local machine.

Christos Zoulas' talk on blacklistd is here:
    https://www.youtube.com/watch?v=fuuf8G28mjs

Anyhow -- the problem I've run into is that there doesn't seem to be any 
way to get access to the fd of the socket that holds the raw connection 
to the client when TLS encryption is active.  It looks like the only 
connection I get is to the proxy process.

Is there any guidance that someone can give with how to implement this?

Thank you.

-Kurt
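The descriptor-passing step the post describes, as an added stand-alone C example (not code from the post, from dovecot, or from blacklistd's own library): the daemon hands the accepted socket over a unix-domain channel with SCM_RIGHTS, and the receiving side calls getpeername() on the descriptor it got, so the reported peer comes from the kernel rather than from whatever the sender claims. The function names, the loopback demo and the socketpair standing in for the blacklistd socket are assumptions of this example; it also shows why a TLS proxy breaks the scheme, since only the raw TCP socket, not a descriptor for the proxy hop, yields the client's address.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hand an open descriptor to the peer of a unix-domain socket via SCM_RIGHTS. */
static int send_fd(int chan, int fd) {
    char dummy = 'F';                     /* one byte of payload is required */
    struct iovec iov = { &dummy, 1 };
    union { char buf[CMSG_SPACE(sizeof(int))]; struct cmsghdr hdr; } u;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET; cm->cmsg_type = SCM_RIGHTS; cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd, sizeof(int));
    return sendmsg(chan, &msg, 0) == 1 ? 0 : -1;
}

/* Receive a descriptor sent with send_fd(); returns -1 if none was attached. */
static int recv_fd(int chan) {
    char dummy;
    struct iovec iov = { &dummy, 1 };
    union { char buf[CMSG_SPACE(sizeof(int))]; struct cmsghdr hdr; } u;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    int fd = -1;
    if (recvmsg(chan, &msg, 0) != 1) return -1;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    if (cm && cm->cmsg_level == SOL_SOCKET && cm->cmsg_type == SCM_RIGHTS)
        memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
}

/* Demo (constructed): accept a loopback TCP connection, pass the accepted fd across a
 * socketpair (the daemon -> blacklistd hop) and confirm getpeername() on the received
 * fd still reports the client's real address and port. Returns 1 on success, else 0. */
int peer_survives_fd_passing(void) {
    int pair[2] = { -1, -1 }, ls = -1, cl = -1, acc = -1, got = -1, ok = 0;
    struct sockaddr_in from, seen, a = { .sin_family = AF_INET, .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    socklen_t alen = sizeof a, flen = sizeof from, slen = sizeof seen;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, pair) < 0 ||
        (ls = socket(AF_INET, SOCK_STREAM, 0)) < 0 || (cl = socket(AF_INET, SOCK_STREAM, 0)) < 0 ||
        bind(ls, (struct sockaddr *)&a, alen) < 0 || listen(ls, 1) < 0 ||
        getsockname(ls, (struct sockaddr *)&a, &alen) < 0 ||   /* learn the ephemeral port */
        connect(cl, (struct sockaddr *)&a, alen) < 0 || (acc = accept(ls, NULL, NULL)) < 0 ||
        send_fd(pair[0], acc) < 0 || (got = recv_fd(pair[1])) < 0) goto out;
    getsockname(cl, (struct sockaddr *)&from, &flen);  /* what the client really bound */
    getpeername(got, (struct sockaddr *)&seen, &slen); /* what the receiving side sees */
    ok = got != acc && seen.sin_port == from.sin_port && seen.sin_addr.s_addr == htonl(INADDR_LOOPBACK);
out:
    close(pair[0]); close(pair[1]); close(ls); close(cl); close(acc); close(got);
    return ok;
}
```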