Bug 150624 - Dovecot does not honor tcp_wrappers
Summary: Dovecot does not honor tcp_wrappers
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: dovecot (Show other bugs)
(Show other bugs)
Version: 4.0
Hardware: All Linux
Target Milestone: ---
: ---
Assignee: John Dennis
QA Contact:
Depends On:
TreeView+ depends on / blocked
Reported: 2005-03-08 22:50 UTC by Milan Kerslager
Modified: 2007-11-30 22:07 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2005-07-26 15:21:46 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Milan Kerslager 2005-03-08 22:50:19 UTC
As all network service in RH and RHEL are historically linked against
tcp_wrappers, Dovecot should be too.

Comment 2 Chuck Mead 2005-03-10 20:25:12 UTC
The problem mentioned here is, IMHO, an oversight, not a feature
request. Our dovecot implementation functions as a stand alone
daemon so it is not under xinetd's control and will not obey
tcp_wrappers restrictions implemented via xinetd and since it is not
linked with libwrap it will not obey tcp_wrappers restrictions on its
own. All that's left is iptables if you want to implement any form of
network access restrictions for pop3 and imap with dovecot.

This reminds me very, very much of the vsftpd bug from a few releases

Our pop3/imap services have *ALWAYS* obeyed tcp_wrappers restrictions
in the past. This is a reduction in functionality between rhel3 and 4
and most definitely is *NOT* an improvement.

Comment 4 Milan Kerslager 2005-03-10 20:55:36 UTC
I did not request to run dovecot via xinetd. I requested to link
dovecot against tcp_wrapper's library to honor /etc/hosts.{deny,allow}
This is easy to check every incoming connection with this library and
much more simple than using iptables.

Comment 5 John Dennis 2005-07-26 15:21:46 UTC
Using the firewall (iptables) is the preferred method to control external
access. If you need some of the other access control offered by tcp_wrappers you
can run dovecot under xinetd, see the link below for instructions on how to run
dovecot under xinetd.


Another alternative to tcp_wrappers is to take advantage of dovecots security
and authentication mechanisms that are already built into dovecot (e.g. only
authenticated users can connect to the server). You also have the option of
using pam to fine tune access control once authentication is turned on.

It's not just a matter of linking against the tcp wrappers library, the source
code has to be modified in a number of places, dovecot does not come with
tcp_wrapper support in the source code. I've checked, and we do not have a
policy of tcp_wrapper support for services, there exists several alternative
solutions, closing won't fix.

Note You need to log in before you can comment on or make changes to this bug.