Cyrus and TCP Wrapper info needed.

Chris Picton chrisp at tangent.co.za
Tue Jun 17 11:08:07 EDT 2003


On Tue, 2003-06-17 at 16:43, Mark London wrote:
> Hi - A couple of weeks ago people suggested that I could use TCP Wrapper to
> restrict access to the IMAP port.   I'm confused, because I'm running xinetd,
> which normally does not use libwrap, and instructions on using the TCP Wrapper
> all talk about using inetd.   I see mention that xinetd can be compiled with
> libwrap support, but I want to avoid doing that if I can.  And I assume I need
> to either configure xinetd or inetd to get TCP Wrapper to work, or am I wrong?  
> I.e. I just can't compile cyrus with libwrap (which I've done) and set up
> entries in hosts.allow and hosts.deny, right?
If you are using cyrus with xinetd, you can, in the
/etc/xinetd.d/cyrus-imapd (or equivalent file), use the 'only_from'
directive.  

Check man xinetd.conf for details on how to use it.


> Some people suggested I use iptables to restrict access to the IMAP port. 
> While this might be the "simpler" approach, the documentation on iptables all
> seems to include examples on how to set up a firewall.  I can't find an
> example of just what I want to do, and since it looks like it would take days
> to read the documentation on iptables, the TCP Wrapper option seems simpler. 

To use the iptables approach, you would need the following rules (and
possibly put them in /etc/sysconfig/iptables, depending on the
distribution).  This would give you a fairly secure server, but a lot
more could be done.

# allow connections via loopback
iptables -A INPUT -i lo -j ACCEPT  

# Allow already established connections to talk back
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow icmp packets (you can block certain types of icmp if you want)
iptables -A INPUT -p icmp -j ACCEPT

# Allow connections to allowed tcp ports
iptables -A INPUT -p tcp -m multiport --dports 143,110,80 -j ACCEPT

# Allow ssh from secure IP
iptables -A INPUT -p tcp -m tcp --dport 22 -s 99.99.99.99 -j ACCEPT

# Log failed connection attempts
iptables -A INPUT -j LOG --log-prefix "Denied INPUT: "
# Drop all other connections
iptables -A INPUT -j DROP # or REJECT

Chris

-- 
---------------------+--------------------------------------------------
        Chris Picton | PGP Key ID: 9D28A988 (wwwkeys.pgp.net)
 Solutions Developer | PGP Key Fingerprint:
     Tangent Systems | 2B46 29EA D530 79EC D9EA 3ED0 229D 6DD6 9D28 A988
chrisp at tangent.co.za | http://www.tangent.co.za/keys/chrisp.asc
---------------------+--------------------------------------------------
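A worked version of both suggestions in the reply above, scoped to what the question actually asks (restricting the IMAP port to a known network). This is an added example, not code from the original post or from the Cyrus project. It assumes the IMAP listener is started by xinetd (the stanza it prints, with an assumed server path of /usr/cyrus/bin/imapd and an assumed allowed network of 192.0.2.0/24, a documentation range), and that the iptables rules land on an INPUT chain with no earlier catch-all ACCEPT, otherwise the appended DROP is never reached. If Cyrus is run from its own master process rather than from xinetd, only the iptables part applies.

```shell
#!/bin/sh
# Added example (not from the original post): restrict Cyrus IMAP (tcp/143)
# to one network, first with xinetd's only_from, then with iptables.
# Assumptions (not from the page): allowed network 192.0.2.0/24, imapd at
# /usr/cyrus/bin/imapd, and an INPUT chain without an earlier catch-all
# ACCEPT (otherwise the appended DROP is never reached).
set -e

# Print an /etc/xinetd.d/cyrus-imapd stanza that only admits the given
# network (plus localhost). xinetd refuses other clients before imapd runs.
xinetd_imap_stanza() {
    net="$1"
    cat <<EOF
service imap
{
    disable         = no
    socket_type     = stream
    protocol        = tcp
    wait            = no
    user            = cyrus
    server          = /usr/cyrus/bin/imapd
    only_from       = 127.0.0.1 $net
    log_on_failure  += HOST
}
EOF
}

# Print iptables commands that accept IMAP only from the given network,
# log new connection attempts from anywhere else (rate-limited so a scan
# cannot flood syslog) and drop them. Unlike the rule set in the post,
# this opens port 143 to a single source network only.
imap_firewall_rules() {
    net="$1"
    cat <<EOF
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 143 -s $net -j ACCEPT
iptables -A INPUT -p tcp --syn --dport 143 -m limit --limit 5/min -j LOG --log-prefix "IMAP denied: "
iptables -A INPUT -p tcp --dport 143 -j DROP
EOF
}

# Usage: sh this-script.sh [--apply] [allowed_net]
# Without --apply it only prints both artefacts for review.
ALLOWED_NET="${2:-192.0.2.0/24}"
if [ "${1:-}" = "--apply" ]; then
    xinetd_imap_stanza "$ALLOWED_NET" > /etc/xinetd.d/cyrus-imapd
    imap_firewall_rules "$ALLOWED_NET" | sh -e     # needs root
else
    echo "# /etc/xinetd.d/cyrus-imapd"
    xinetd_imap_stanza "$ALLOWED_NET"
    echo "# iptables rules (not applied; rerun with --apply as root)"
    imap_firewall_rules "$ALLOWED_NET"
fi
```

The order of the three port-143 rules is the whole point: the ACCEPT for the allowed network must sit before the LOG and DROP, because iptables stops at the first matching terminating target. After changing the xinetd stanza, reload xinetd; the firewall rules take effect immediately and should be written to the distribution's persistent rule file (for example /etc/sysconfig/iptables, as the reply notes) to survive a reboot.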