lmtp delivery to cyrus store over unix socket requires /etc/hosts.allow entry. why?

OpenMacNews openmacnews at gmail.com
Tue Oct 18 12:32:58 EDT 2005


hi all,

first -- i'd posted this 1st on exim-users, suspecting it may be an exim issue, but the thinking
is that it may well be a cyrus issue, or perhaps OSX ...


that said, i'm delivering to my cyrus-imap (CVS) store using an lmtp socket transport from exim
4.54:

cyrus_lmtp_unixsock:
    debug_print             = "EXIM-DEBUG [T:cyrus_lmtp_unixsock] for $local_part@$domain"
    driver                  = lmtp
    socket                  = /var/MailServer/Process/lmtp.socket
    envelope_to_add
    user                    = MY_USER


cyrus.conf is configured with:

    lmtpunix     cmd="lmtpd -a  -C /var/MailServer/Conf/imapd.conf" listen="/var/MailServer/Process/lmtp.socket" prefork=2


on delivery attempt, my EXIM log shows a failed attempt, indicating that the LMTP connection is
closed:

	2005-10-17 20:35:14 -0700 IOJDYN-0000FT-OY == testuser at testdomain.com@testdomain.com <testuser at testdomain.com> R=cyrus_localuser T=cyrus_lmtp_unixsock defer (-1): LMTP connection closed after initial connection

and syslog shows:

	Oct 17 20:35:14 devbox CYRUS/lmtpunix[564]: refused connection from 0.0.0.0

after a bit of thrashing around, i find that if i add to /etc/hosts.allow

	lmtpunix : 0.0.0.0

delivery completes successfully!

now, cyrus IS config'd/built "--with-libwrap", so i can use tcpwrappers to secure my OTHER cyrus
services (imap, imaps, sieve, etc) which are running on TCPSockets ...

QUESTION:  why is a hosts.allow entry required in the 1st place for lmtpunix transport over a
UNIXsocket?

and, why "0.0.0.0" for localhost, rather than 127.0.0.1 or 'localhost' in hosts.allow?

the suggestion on exim-users (thx Tony!) is that:

    the code looks like it won't call tcpwrappers for Unix domain sockets.

    BUT, if the kernel 'lies' to it and returns the wrong kind of socket address from
    getpeername() then Cyrus will do the wrong thing.


thanks for any/all clarification!

cheers,

richard


--

/"\
\ /  ASCII Ribbon Campaign
 X   against HTML email, vCards
/ \  & micro$oft attachments

[GPG] OpenMacNews at gmail dot com
fingerprint: 780A 5C81 D446 C616 B113  AA3A 9BF4 3736 88A5 678E
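
The address-family test that the exim-users suggestion above turns on, as an added example (not part of the original post and not Cyrus code). The function names are hypothetical, and the fallback to getsockname() when the peer address comes back empty is this example's own choice: it decides whether a hosts.allow check applies without reading an uninitialised sockaddr.

```c
/* Added example (not Cyrus source). Function names are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Address family of the peer (peer=1) or local (peer=0) end, -1 on error. */
static int family_of(int fd, int peer)
{
    struct sockaddr_storage ss;
    socklen_t len = sizeof(ss);
    int rc;
    memset(&ss, 0, sizeof(ss));   /* never interpret stale stack bytes */
    rc = peer ? getpeername(fd, (struct sockaddr *)&ss, &len)
              : getsockname(fd, (struct sockaddr *)&ss, &len);
    if (rc < 0)
        return -1;
    if (len == 0)                 /* kernel wrote no address at all */
        return AF_UNSPEC;
    return ss.ss_family;
}

/* 1 = run the hosts.allow check, 0 = skip it, -1 = error. */
int acl_decision(int peer_fam, int local_fam)
{
    /* An unusable peer address says nothing; trust our own end instead. */
    int fam = (peer_fam == AF_UNSPEC) ? local_fam : peer_fam;
    if (fam < 0)
        return -1;
    return fam == AF_UNIX ? 0 : 1;  /* anything not AF_UNIX fails closed */
}

int host_acl_applies(int fd)
{
    int peer = family_of(fd, 1);
    return peer < 0 ? -1 : acl_decision(peer, family_of(fd, 0));
}

int main(void)
{
    int sv[2];   /* constructed input: a connected AF_UNIX pair */
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return 1;
    printf("AF_UNIX peer: ACL applies = %d\n", host_acl_applies(sv[0]));
    close(sv[0]); close(sv[1]);
    return 0;
}
```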



