Re: Possible hack via doveadm

2023-05-18 Thread Dean Carpenter
 

I use a tinc vpn mesh between the nodes. iptables only allows the nodes
to talk to each other on port 655, all else is dropped. Works well. I also
have a setup using zerotier for the same thing - my ansible deployment
playbook will use either one.

DC. 

On 2023-05-14 11:29 am, Daniel Miller via dovecot wrote: 

> I only allow explicit service traffic through. IMAPS, SMTPS, etc. If doveadm 
> is communicating via the IMAP(S) ports then all I can do via firewall is 
> block countries. Which of course I can but I'm asking about any additional 
> hardening for Dovecot itself. 
> 
> -- 
> Daniel 
> 
> On May 13, 2023 6:25:06 PM jeremy ardley via dovecot  
> wrote: 
> 
> On 14/5/23 09:14, Daniel L. Miller via dovecot wrote: 
> 
> May 12 15:45:58 cloud1 dovecot: doveadm(194.165.16.78): Error: doveadm 
> client not compatible with this server (mixed old and new binaries?) 
> May 13 03:44:31 cloud1 dovecot: doveadm(45.227.254.48): Error: doveadm 
> client not compatible with this server (mixed old and new binaries?) 
> 
> Since I don't recognize those IPs, the first is out of Panama and the 
> other is Belize, I assume these are hostile attackers trying to 
> exploit something. How can I defend against this? 
> 
> Set up a firewall rule that only allows access from an IP range you 
> control. For any other source, simply drop the connection. 
> 
> You can get really fancy and use port forwarding using ssh to connect 
> from remote but appear as localhost to the server. This access can be 
> configured in dovecot as well as firewall 
> 
> Jeremy 
> ___ 
> dovecot mailing list -- dovecot@dovecot.org 
> To unsubscribe send an email to dovecot-le...@dovecot.org


Re[2]: Possible hack via doveadm

2023-05-14 Thread Daniel L. Miller via dovecot

Thank you Jeremy and Bernardo.

Adding cert verification is something I'll have to delve into. Also 
possibly pushing the replication through the VPN.


It's been a while since I last set up my replication pair - everything's 
been working smoothly so I've forgotten some of the key items. 
Particularly the need to open an explicit port for the doveadm 
connection - which of course I do have on a non-standard port and up 
till now it hasn't been an issue. I was fighting multiple config issues 
at the time - including network setup - so I left the communication 
purely through the external IPs instead of being VPN dependent. I may 
change that.


Fail2ban and other guards have blocked most port scanning and other junk 
- this was the first time I saw such log lines in my mail log and it 
scared me. Now I know what to look for and what it means. Thanks again.


--
Daniel


-- Original Message --

From "jeremy ardley via dovecot" 

To dovecot@dovecot.org
Date 5/14/2023 4:03:28 PM
Subject Re: Possible hack via doveadm




On 14/5/23 23:29, Daniel Miller via dovecot wrote:
I only allow explicit service traffic through. IMAPS, SMTPS, etc. If 
doveadm is communicating via the IMAP(S) ports then all I can do via 
firewall is block countries. Which of course I can but I'm asking 
about any additional hardening for Dovecot itself.




You can set up a doveadm service that requires client certificates

service doveadm {
  inet_listener {
    port = 12345
  }
  ssl = yes
  ssl_cert =


Re: Possible hack via doveadm

2023-05-14 Thread jeremy ardley via dovecot


On 14/5/23 23:29, Daniel Miller via dovecot wrote:
I only allow explicit service traffic through. IMAPS, SMTPS, etc. If 
doveadm is communicating via the IMAP(S) ports then all I can do via 
firewall is block countries. Which of course I can but I'm asking 
about any additional hardening for Dovecot itself.




You can set up a doveadm service that requires client certificates

service doveadm {
  inet_listener {
    port = 12345
  }
  ssl = yes
  ssl_cert =


Re: Possible hack via doveadm

2023-05-14 Thread Bernardo Reino

On Sun, 14 May 2023, Daniel Miller via dovecot wrote:

I only allow explicit service traffic through. IMAPS, SMTPS, etc. If doveadm 
is communicating via the IMAP(S) ports then all I can do via firewall is 
block countries. Which of course I can but I'm asking about any additional 
hardening for Dovecot itself.


Maybe you want to show your configuration, and in particular the 
dsync_remote_cmd and the service doveadm { } part (where you define the 
listening port).


Normally (AFAIK anyway) the used port (12345 in the example in 
https://wiki.dovecot.org/Replication) is *not* the IMAP(S) port, so you must 
have set it to something.


For replication I'd recommend using a VPN, so that the dovecot instances 
communicate over the tunnel, and are thus immune to anything from the outside world.


Cheers.



Re: Possible hack via doveadm

2023-05-14 Thread Daniel Miller via dovecot
I only allow explicit service traffic through. IMAPS, SMTPS, etc. If 
doveadm is communicating via the IMAP(S) ports then all I can do via 
firewall is block countries. Which of course I can but I'm asking about any 
additional hardening for Dovecot itself.


--
Daniel
On May 13, 2023 6:25:06 PM jeremy ardley via dovecot  
wrote:



On 14/5/23 09:14, Daniel L. Miller via dovecot wrote:


May 12 15:45:58 cloud1 dovecot: doveadm(194.165.16.78): Error: doveadm
client not compatible with this server (mixed old and new binaries?)
May 13 03:44:31 cloud1 dovecot: doveadm(45.227.254.48): Error: doveadm
client not compatible with this server (mixed old and new binaries?)

Since I don't recognize those IPs, the first is out of Panama and the
other is Belize, I assume these are hostile attackers trying to
exploit something. How can I defend against this?


Set up a firewall rule that only allows access from an IP range you
control. For any other source, simply drop the connection.

You can get really fancy and use port forwarding using ssh to connect
from remote but appear as localhost to the server. This access can be
configured in dovecot as well as firewall.


Jeremy


Re: Possible hack via doveadm

2023-05-13 Thread jeremy ardley via dovecot



On 14/5/23 09:14, Daniel L. Miller via dovecot wrote:


May 12 15:45:58 cloud1 dovecot: doveadm(194.165.16.78): Error: doveadm 
client not compatible with this server (mixed old and new binaries?)
May 13 03:44:31 cloud1 dovecot: doveadm(45.227.254.48): Error: doveadm 
client not compatible with this server (mixed old and new binaries?)


Since I don't recognize those IPs, the first is out of Panama and the 
other is Belize, I assume these are hostile attackers trying to 
exploit something. How can I defend against this?


Set up a firewall rule that only allows access from an IP range you 
control. For any other source, simply drop the connection.


You can get really fancy and use port forwarding using ssh to connect 
from remote but appear as localhost to the server. This access can be 
configured in dovecot as well as firewall.



Jeremy


Possible hack via doveadm

2023-05-13 Thread Daniel L. Miller via dovecot
I currently have two servers running with synchronization that I've been 
very happy with.  However, I'm seeing the following in my logs recently:


May 12 15:45:58 cloud1 dovecot: doveadm(194.165.16.78): Error: doveadm 
client not compatible with this server (mixed old and new binaries?)
May 13 03:44:31 cloud1 dovecot: doveadm(45.227.254.48): Error: doveadm 
client not compatible with this server (mixed old and new binaries?)


Since I don't recognize those IPs, the first is out of Panama and the 
other is Belize, I assume these are hostile attackers trying to exploit 
something. How can I defend against this?


--
Daniel
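The log lines above are the doveadm service reporting a connection from a client whose protocol version it does not understand, which is exactly what an internet-wide scanner hitting the replication port looks like. As an added example (not code from the thread or from Dovecot), the Python below parses lines in that format, flags doveadm connections whose source address is not a known replication peer, and carries a fail2ban failregex for the same message. The peer allowlist and the non-error log lines are constructed for the example; the fail2ban pattern is assumed to be used in a jail whose logpath is the mail log.

```python
"""Flag doveadm connections from hosts that are not replication peers.

Added example for the thread above; the allowlist and the two non-error
sample lines are constructed, the two Error lines are the ones posted.
"""
import ipaddress
import re
from collections import Counter

# Dovecot log line as shown in the thread:
#   "<Mon DD HH:MM:SS> <host> dovecot: doveadm(<ip>): <Level>: <message>"
DOVEADM_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) dovecot: "
    r"doveadm\((?P<ip>[0-9A-Fa-f.:]+)\): (?P<level>\w+): (?P<msg>.*)$"
)

# Constructed allowlist: the peer's public address plus a VPN subnet, as you
# would have with a tinc/zerotier mesh. Replace with your own ranges.
ALLOWED_PEERS = [
    ipaddress.ip_network("203.0.113.7/32"),
    ipaddress.ip_network("10.99.0.0/16"),
]

# Constructed sample log: the two Error lines from the thread plus one
# made-up legitimate peer connection and one unrelated, non-doveadm line.
SAMPLE_LOG = """\
May 12 15:45:58 cloud1 dovecot: doveadm(194.165.16.78): Error: doveadm client not compatible with this server (mixed old and new binaries?)
May 12 16:02:11 cloud1 dovecot: doveadm(203.0.113.7): Info: constructed placeholder for a normal peer connection
May 13 03:44:31 cloud1 dovecot: doveadm(45.227.254.48): Error: doveadm client not compatible with this server (mixed old and new binaries?)
May 13 03:44:32 cloud1 dovecot: imap-login: constructed placeholder for an unrelated line
"""


def parse_doveadm_lines(log_text):
    """Return one dict per line logged by the doveadm service; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = DOVEADM_LINE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def is_allowed(ip_text, allowed):
    """True if ip_text lies inside one of the allowed networks; malformed input is never allowed."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in allowed)


def find_unexpected_clients(log_text, allowed):
    """Count doveadm connections per source IP that is not a known replication peer."""
    hits = Counter()
    for ev in parse_doveadm_lines(log_text):
        if not is_allowed(ev["ip"], allowed):
            hits[ev["ip"]] += 1
    return hits


# fail2ban filter for the exact message in the thread. <HOST> is fail2ban's
# placeholder for the source address (assumed jail: logpath = the mail log).
FAIL2BAN_FAILREGEX = (
    r"^.* dovecot: doveadm\(<HOST>\): Error: doveadm client not compatible "
    r"with this server.*$"
)


def failregex_matches(line):
    """Apply FAIL2BAN_FAILREGEX the way fail2ban would; return the host or None."""
    pattern = FAIL2BAN_FAILREGEX.replace("<HOST>", r"(?P<host>[0-9A-Fa-f.:]+)")
    m = re.match(pattern, line)
    return m.group("host") if m else None


if __name__ == "__main__":
    for ip, n in find_unexpected_clients(SAMPLE_LOG, ALLOWED_PEERS).items():
        print(f"doveadm connection from non-peer {ip}: {n} line(s)")
```

Run it against the real mail log (for example by reading the file into `find_unexpected_clients`) and any address it reports is a host that reached the replication listener without being a peer; that is the signal to tighten the firewall or move replication onto the VPN, as the replies above recommend. The failregex is there so fail2ban can ban on the same line without a separate script.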