[Dovecot] Configuring dovecot to use tcp wrappers
Greetings,
I am looking to implement tcp wrappers with dovecot; I am using the following two links as guides to configuration: http://blog.acsystem.sk/linux/brute-force-attack-dovecot-imap-server-blockin... http://wiki2.dovecot.org/LoginProcess (you need to go to the very bottom)
I'm concerned with making the configuration correctly.
If you set login_access_sockets = tcpwrap in /etc/dovecot/dovecot.conf, then everything accessing ports controlled by dovecot (and open by iptables) is blocked.
So my question relates to the second part of the configuration examples in the links above:
    service tcpwrap {
      unix_listener login/tcpwrap {
        group = $default_login_user
        mode = 0600
        user = $default_login_user
      }
    }
Where does this code get placed (in dovecot.conf or in one of the files in /etc/dovecot/conf.d)? And regarding $default_login_user, it appears in a comment line in /etc/dovecot/conf.d/10-master.conf
Should that line be uncommented?
Much thanks.
Max Pyziur pyz@brama.com
Report of dovecot -n:

    pyz@pangea ~> dovecot -n
    # 2.1.1: /etc/dovecot/dovecot.conf
    # OS: Linux 2.6.32-358.2.1.el6.x86_64 x86_64 CentOS release 6.4 (Final)
    disable_plaintext_auth = no
    mail_location = mbox:~/mail:INBOX=/var/spool/mail/%u
    mbox_write_locks = fcntl
    namespace inbox {
      inbox = yes
      location =
      mailbox Drafts {
        special_use = \Drafts
      }
      mailbox Junk {
        special_use = \Junk
      }
      mailbox Sent {
        special_use = \Sent
      }
      mailbox "Sent Messages" {
        special_use = \Sent
      }
      mailbox Trash {
        special_use = \Trash
      }
      prefix =
    }
    passdb {
      driver = pam
    }
    ssl = no
    ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
    ssl_key = </etc/pki/dovecot/private/dovecot.pem
    userdb {
      driver = passwd
    }
Much thanks for your reply.
However, once I make the changes to the configuration files, I get the following error when restarting dovecot:

    root@brama /etc/dovecot/conf.d> service dovecot restart
    Stopping Dovecot Imap:                                     [  OK  ]
    Starting Dovecot Imap: doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf: service(tcpwrap): executable is empty
                                                               [FAILED]
Any advice on how to proceed?
Thank you again,
Max Pyziur pyz@brama.com
On Sun, 7 Apr 2013, Max Pyziur wrote:
> Yanking my own chain: http://vault.centos.org/6.4/updates/Source/SPackages/
After some delay, I'm returning to this project.
I've made the changes per above.
I've put in a test IP address in /etc/hosts.deny like so:

    dovecot: 166.84.1.2

And then I execute the following from 166.84.1.2 to port 110:

    bash-3.2$ telnet SiteWhereImConfiguringDovecot 110
    Trying SiteWhereImConfiguringDovecot...
    Connected to SiteWhereImConfiguringDovecot.
    Escape character is '^]'.
    +OK Dovecot ready.
    quit
    +OK Logging out
    Connection closed by foreign host.
If dovecot is configured with tcp wrappers (which it is; built on a CentOS 6 system, installed and configured per instructions), and the firewall has ports 110 and 143 open, but I'm blocking a particular host through /etc/hosts.deny, then I should not be able to telnet to either port 110 or 143; both requests should be blocked from the originating IP, no?
Much thanks for your help,
Max Pyziur pyz@brama.com
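The following is an added example, not configuration posted in this thread, that puts the pieces discussed above together: the tcpwrap service block from the first message with the `executable` line whose absence produces the "service(tcpwrap): executable is empty" error from the second message, and a hosts.deny entry matching the test in the third message. It assumes a CentOS 6 layout where Dovecot's helper binaries live in /usr/libexec/dovecot, and it assumes (my reading of Dovecot's tcpwrap helper, to be verified on your build) that the daemon name handed to libwrap is the login service's protocol name, imap or pop3, rather than "dovecot". Lines starting with `#` are comments in both file formats.

```conf
# --- /etc/dovecot/conf.d/10-master.conf (or dovecot.conf itself; the
# --- conf.d files are pulled in by the !include line at the end of
# --- dovecot.conf, so either location works)

# Hand every new IMAP/POP3 connection to the tcpwrap helper before the
# login process accepts it. Without this setting the service block below
# is defined but never consulted.
login_access_sockets = tcpwrap

service tcpwrap {
  # This line is what the failing configuration was missing: a service
  # must name the binary it runs. The helper is only built and installed
  # when Dovecot was configured with --with-libwrap; confirm it is there
  # before restarting (assumed path for CentOS 6 packages):
  #   ls -l /usr/libexec/dovecot/tcpwrap
  executable = tcpwrap

  # Listener the login processes connect to. $default_login_user expands
  # to the value of the default_login_user setting (dovenull on a stock
  # 2.1 install); the commented "#default_login_user = dovenull" line in
  # 10-master.conf only documents that default and does not need to be
  # uncommented for the expansion to work. Mode 0600 keeps the socket
  # reachable by the login user alone.
  unix_listener login/tcpwrap {
    group = $default_login_user
    mode = 0600
    user = $default_login_user
  }
}

# --- /etc/hosts.deny
# libwrap matches on the daemon name the tcpwrap helper passes it. The
# assumption here is that Dovecot passes the protocol name, so a line keyed
# on "dovecot:" never matches and the connection is accepted, which is the
# behaviour seen in the telnet test above. Deny both services for the host:
imap: 166.84.1.2
pop3: 166.84.1.2
```

After `service dovecot restart`, `doveconf login_access_sockets` should print `login_access_sockets = tcpwrap`, and `tcpdmatch imap 166.84.1.2` (from the tcp_wrappers package) will show whether the hosts.deny rule itself is parsed as intended, independently of Dovecot. A connection from the denied host should then be closed before the "+OK Dovecot ready." banner, and a connection from any other host should still see it.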
participants (2)
- Max Pyziur
- Timo Sirainen