Bug 150624 - Dovecot does not honor tcp_wrappers
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: dovecot
Version: 4.0
Hardware: All Linux
Priority: medium Severity: medium
Assigned To: John Dennis
Reported: 2005-03-08 17:50 EST by Milan Kerslager
Modified: 2007-11-30 17:07 EST
Doc Type: Bug Fix
Last Closed: 2005-07-26 11:21:46 EDT
Description Milan Kerslager 2005-03-08 17:50:19 EST
As all network services in RH and RHEL are historically linked against
tcp_wrappers, Dovecot should be too.
Comment 2 Chuck Mead 2005-03-10 15:25:12 EST
The problem mentioned here is, IMHO, an oversight, not a feature
request. Our dovecot implementation functions as a standalone
daemon so it is not under xinetd's control and will not obey
tcp_wrappers restrictions implemented via xinetd and since it is not
linked with libwrap it will not obey tcp_wrappers restrictions on its
own. All that's left is iptables if you want to implement any form of
network access restrictions for pop3 and imap with dovecot.

This reminds me very, very much of the vsftpd bug from a few releases
back.

Our pop3/imap services have *ALWAYS* obeyed tcp_wrappers restrictions
in the past. This is a reduction in functionality between rhel3 and 4
and most definitely is *NOT* an improvement.
Comment 4 Milan Kerslager 2005-03-10 15:55:36 EST
I did not request to run dovecot via xinetd. I requested to link
dovecot against tcp_wrapper's library to honor /etc/hosts.{deny,allow}
settings.
It is easy to check every incoming connection with this library and
much simpler than using iptables.
Comment 5 John Dennis 2005-07-26 11:21:46 EDT
Using the firewall (iptables) is the preferred method to control external
access. If you need some of the other access control offered by tcp_wrappers you
can run dovecot under xinetd, see the link below for instructions on how to run
dovecot under xinetd.

http://wiki.dovecot.org/moin.cgi/InetdInstall?highlight=%28inetd%29

Another alternative to tcp_wrappers is to take advantage of dovecot's security
and authentication mechanisms that are already built into dovecot (e.g. only
authenticated users can connect to the server). You also have the option of
using PAM to fine tune access control once authentication is turned on.

It's not just a matter of linking against the tcp wrappers library; the source
code has to be modified in a number of places. Dovecot does not come with
tcp_wrapper support in the source code. I've checked, and we do not have a
policy of tcp_wrapper support for services. There exist several alternative
solutions; closing won't fix.
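
Comment 5 names iptables as the preferred control. As an added example (not part of the bug thread and not Dovecot or Red Hat code), this script prints rules that give the standalone daemon the kind of per-source allow-list a hosts.allow entry would. The chain name, the port list and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example: print iptables commands limiting Dovecot's mail ports to an
# allow-list of IPv4 sources. Chain name, ports and addresses are assumptions.

MAIL_PORTS="110,143,993,995"   # pop3, imap, imaps, pop3s
CHAIN="DOVECOT-IN"             # hypothetical user-defined chain

# valid_source ADDR[/PREFIX]: succeed only for a dotted-quad IPv4 address with
# an optional 0-32 prefix, so nothing else reaches the generated command lines.
valid_source() {
    addr=${1%/*}
    prefix=32
    case $1 in */*) prefix=${1#*/} ;; esac
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case $addr in ''|*[!0-9.]*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr                      # split the address on dots
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# gen_rules SOURCE...: print the rule set, or print nothing and fail if any
# source is malformed. An empty allow-list rejects every client.
gen_rules() {
    for src in "$@"; do
        valid_source "$src" || { echo "invalid source: $src" >&2; return 1; }
    done
    echo "iptables -N $CHAIN"
    for src in "$@"; do
        echo "iptables -A $CHAIN -s $src -j ACCEPT"
    done
    # Everyone else gets a TCP reset, like a refused tcp_wrappers connection.
    echo "iptables -A $CHAIN -p tcp -j REJECT --reject-with tcp-reset"
    # Divert mail-port traffic last, once the chain is complete.
    echo "iptables -I INPUT -p tcp -m multiport --dports $MAIL_PORTS -j $CHAIN"
}

# Constructed sample: one office network and one monitoring host.
gen_rules 192.0.2.0/24 198.51.100.7
```

The script only prints the commands; review them and run them as root. iptables covers IPv4 only, so IPv6 clients need matching ip6tables rules.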
