Koozali.org: home of the SME Server

Turn on POP3S in server manager and use AllowHosts [SOLVED]

byte
« on: November 15, 2006, 01:56:20 PM »
Just wanted to check (because I don't allow this on my server), but if I turn on "allow POP3S" for private and public in the server manager and then only want to allow one IP and block all others, would I be doing...

db configuration setprop pop3s AllowHosts x.x.x.x
signal-event email-update

Would that then allow only the "AllowHosts" IP number and block all outside IPs?

Don't know everything yet about the SME Server  :lol:
--[byte]--

Have you filled in a Bug Report over @ http://bugs.contribs.org ? Please don't wait to be told this way you help us to help you/others - Thanks!

mmccarn
« Reply #1 on: November 15, 2006, 03:40:41 PM »
'telnet pop3s' before running '....AllowHosts...':
[root@sme ~]# telnet my.mail.svr pop3s
Trying 111.222.111.222...
Connected to my.mail.svr.
Escape character is '^]'.


'telnet pop3s' after running '...AllowHosts...':
[root@sme ~]# telnet my.mail.svr pop3s
Trying 111.222.111.222...
telnet: connect to address 111.222.111.222: Connection timed out


'iptables -L' before running '...AllowHosts...':
Chain InboundTCP_15310 (1 references)
target     prot opt source               destination
denylog    all  --  anywhere            !my.mail.svr
ACCEPT     tcp  --  anywhere             my.mail.svr tcp dpt:auth
ACCEPT     tcp  --  anywhere             my.mail.svr tcp dpt:smtp
ACCEPT     tcp  --  anywhere             my.mail.svr tcp dpt:https
ACCEPT     tcp  --  anywhere             my.mail.svr tcp dpt:smtps
ACCEPT     tcp  --  anywhere             my.mail.svr tcp dpt:http
ACCEPT     tcp  --  anywhere             my.mail.svr tcp dpt:imaps
ACCEPT     tcp  --  anywhere             my.mail.svr tcp dpt:pop3s


'iptables -L' after running '...AllowHosts 1.2.3.4':
Chain InboundTCP_15310 (1 references)
target     prot opt source               destination
denylog    all  --  anywhere            !my.mail.svr
ACCEPT     tcp  --  anywhere             my.mail.svr tcp dpt:auth
ACCEPT     tcp  --  anywhere             my.mail.svr tcp dpt:smtp
ACCEPT     tcp  --  anywhere             my.mail.svr tcp dpt:https
ACCEPT     tcp  --  anywhere             my.mail.svr tcp dpt:smtps
ACCEPT     tcp  --  anywhere             my.mail.svr tcp dpt:http
ACCEPT     tcp  --  anywhere             my.mail.svr tcp dpt:imaps
ACCEPT     tcp  --  1.2.3.4              my.mail.svr tcp dpt:pop3s


"AllowHosts" extract from /etc/e-smith/templates/etc/rc.d/init.d/masq/90InboundTCP10filter_tcp:
foreach my $filter ( sort {$a->prop('TCPPort') cmp $b->prop('TCPPort')}
...
my $allow_hosts = $props{AllowHosts} || '0.0.0.0/0';
...


It looks to me as though "AllowHosts" is set to '0.0.0.0/0' unless there is a specific "AllowHosts" entry for the service in question.
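As an added example (not SME Server's own template code and not something posted in this thread), here is a small model of how a per-service AllowHosts property turns into iptables ACCEPT rules. It reproduces the one template line quoted above (AllowHosts falls back to '0.0.0.0/0' when the property is absent) and the before/after 'iptables -L' listings. Assumptions made for illustration: AllowHosts may hold a comma-separated list of hosts or CIDR networks, and a service whose access is 'none' gets no ACCEPT rule at all. The service table and the addresses in it are constructed sample data.

```python
"""Added example for this thread (not SME Server's own template code):
a model of how a per-service AllowHosts property becomes iptables
ACCEPT rules, reproducing the line quoted from
90InboundTCP10filter_tcp (AllowHosts defaults to '0.0.0.0/0') and the
before/after 'iptables -L' listings.  Assumptions for illustration:
AllowHosts may hold a comma-separated list of hosts or CIDR networks,
and services whose access is 'none' get no ACCEPT rule at all.  The
service table and addresses below are constructed sample data."""
import ipaddress

# Constructed sample of the relevant configuration-db records.
# No service has an AllowHosts property yet, as on a default install.
SERVICES = {
    "pop3s":  {"TCPPort": 995, "access": "public"},
    "ssmtpd": {"TCPPort": 465, "access": "public"},
    "imaps":  {"TCPPort": 993, "access": "public"},
}


def allow_hosts(props):
    """Python version of: my $allow_hosts = $props{AllowHosts} || '0.0.0.0/0';
    An absent or empty property means 'the whole Internet'."""
    raw = props.get("AllowHosts") or "0.0.0.0/0"
    return [ipaddress.ip_network(h.strip(), strict=False)
            for h in raw.split(",") if h.strip()]


def generate_rules(services, chain="InboundTCP"):
    """Return the iptables commands the filter would emit: one ACCEPT per
    allowed host/network per enabled service, in port order."""
    rules = []
    for name, props in sorted(services.items(), key=lambda kv: kv[1]["TCPPort"]):
        if props.get("access", "none") == "none":
            continue
        for net in allow_hosts(props):
            rules.append(
                f"/sbin/iptables --append {chain} --protocol tcp "
                f"--source {net} --destination-port {props['TCPPort']} --jump ACCEPT"
            )
    return rules


def is_allowed(services, name, source_ip):
    """Would the chain ACCEPT a TCP connection from source_ip to this
    service?  Anything matching no ACCEPT falls through to the deny rule,
    which is what the outside host sees as 'Connection timed out'."""
    props = services[name]
    if props.get("access", "none") == "none":
        return False
    ip = ipaddress.ip_address(source_ip)
    return any(ip in net for net in allow_hosts(props))


def restrict(services, name, hosts):
    """Model of: db configuration setprop <name> AllowHosts <hosts>
    (followed by signal-event email-update to regenerate the rules)."""
    services[name]["AllowHosts"] = hosts


if __name__ == "__main__":
    print("before AllowHosts:")
    for r in generate_rules(SERVICES):
        print("  ", r)
    restrict(SERVICES, "pop3s", "1.2.3.4")
    restrict(SERVICES, "ssmtpd", "1.2.3.4")
    print("after AllowHosts 1.2.3.4 on pop3s and ssmtpd:")
    for r in generate_rules(SERVICES):
        print("  ", r)
    # A source one digit out of the allowed address gets no ACCEPT.
    for src in ("1.2.3.4", "1.2.3.5"):
        verdict = "ACCEPT" if is_allowed(SERVICES, "pop3s", src) else "deny"
        print(src, "-> pop3s", verdict)
```

Running it prints the rule set with `--source 0.0.0.0/0` for every service first, then the restricted set where only pop3s and ssmtpd carry `--source 1.2.3.4/32` while imaps stays world-open, which is the shape of the two listings above.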

byte
« Reply #2 on: November 16, 2006, 10:45:28 AM »
Quote from: "mmccarn"

It looks to me as though "AllowHosts" is set to '0.0.0.0/0' unless there is a specific "AllowHosts" entry for the service in question.


Thanks mmccarn. I've tried using "AllowHosts", but this doesn't appear to work in the way it does if you use "AllowHosts" with ssh, for example, so I have opened a bug...

http://bugs.contribs.org/show_bug.cgi?id=2070
--[byte]--


mmccarn
« Reply #3 on: November 16, 2006, 02:44:39 PM »
The results I posted above are from a system that has *not* had the updates from 2006-11-07 installed.

Also, I repeated the test above using a "real" IP for 'AllowHosts', then confirmed that I get a happy-looking response from

openssl s_client -connect my.mail.svr:pop3s
...
Server public key is 1024 bit
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DES-CBC3-SHA
    Session-ID: 00000000C1F5E0EB3F6632640AD925466CBF07B9EB9E3099F78756840A58C91D
    Session-ID-ctx:
    Master-Key: 0147D2AD72A93F0102F06A392257A2C946ADE7C39C482F90DB298F530A77BF9C60CE9B7C16F51E804E3973FAD17E03B6
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1163687589
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
+OK <19607.1163687591@my.mail.svr>


From another host the same 'openssl' command waits a LONG time, then produces
connect: Connection timed out
connect:errno=29

byte
« Reply #4 on: November 16, 2006, 05:26:12 PM »
Quote from: "mmccarn"

From another host the same 'openssl' command waits a LONG time, then produces
connect: Connection timed out
connect:errno=29


So from your testing it appears it doesn't work as well?
--[byte]--


mmccarn
« Reply #5 on: November 16, 2006, 05:41:52 PM »
Quote from: "byte"
So from your testing it appears it doesn't work as well?

No, I'm trying to say that from my testing it works perfectly.  

With "e-mail access settings" configured in server-manager to "Allow public and private (secure POP3S)":
    Before AllowHosts:
      Host A can access pop3s OK
      Host B can access pop3s OK

    After AllowHosts <Host A>:
      Host A can access pop3s OK
      Host B cannot access pop3s

byte
« Reply #6 on: November 16, 2006, 07:10:30 PM »
Quote from: "mmccarn"

No, I'm trying to say that from my testing it works perfectly.  


Yes, you're right, sorry, and it does work my end; I was a digit out on my IP number :oops: having one of those days :roll:

Thanks again though :)
--[byte]--


byte
« Reply #7 on: November 16, 2006, 08:28:21 PM »
Here is what I did (as I wanted to restrict SSMTP too)

db configuration setprop pop3s AllowHosts x.x.x.x
db configuration setprop ssmtpd AllowHosts x.x.x.x
signal-event email-update

Now when you scan from grc.com, ports 465 & 995 do not show as open all the time; they are now stealthed.
--[byte]--

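Added example, not code from this thread: a small TCP probe that reports the three answers a port can give, so the checks from Reply #3 (openssl from an allowed host versus another host) and the "stealthed" result from Reply #7 can be reproduced against your own server without a third-party scanner. "open" means the handshake completed (an ACCEPT rule matched the source); "closed" means the host answered with a RST (nothing listening, or a REJECT); "filtered" means no answer inside the timeout, which is what a DROP or a missing ACCEPT produces, what grc.com reports as stealth, and what the outside host above saw as "Connection timed out". The host name and the two ports in main() are placeholders, not taken from the thread; the probe only completes the TCP handshake and does not attempt TLS.

```python
"""Added example, not code from the thread: a TCP probe that classifies a
port as open / closed / filtered, so the AllowHosts restriction can be
verified from an allowed host and from an outside host.
  open      - the handshake completed (an ACCEPT rule matched the source)
  closed    - the host answered with a RST (nothing listening, or a REJECT)
  filtered  - no answer inside the timeout; a DROP or a missing ACCEPT
              gives this, and it is what a grc.com scan calls 'stealth'
The host name and the ports used in main() are placeholders."""
import socket
import sys


def probe(host, port, timeout=5.0):
    """Try one TCP connect and classify the outcome.  Only the handshake
    matters here; the TLS layer of pop3s/ssmtpd is not attempted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:          # TimeoutError on Python 3.10+, same class
        return "filtered"
    except ConnectionRefusedError:
        return "closed"
    except OSError as e:            # unreachable network, DNS failure, ...
        return f"error ({e.strerror or e})"


def probe_services(host, services, timeout=5.0):
    """Probe a name->port map and return name->verdict."""
    return {name: probe(host, port, timeout) for name, port in services.items()}


def matches_expectation(results, expected):
    """True when every probed service gave the expected verdict.  From the
    AllowHosts address you expect 'open'; from anywhere else 'filtered'."""
    return all(verdict == expected for verdict in results.values())


def local_listener():
    """Self-check helper: a listening socket on an ephemeral loopback port,
    so 'open' and 'closed' can be demonstrated without any network."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Usage: python probe.py my.mail.svr     (placeholder host name)
    host = sys.argv[1] if len(sys.argv) > 1 else "my.mail.svr"
    results = probe_services(host, {"ssmtpd": 465, "pop3s": 995})
    for name, verdict in results.items():
        print(f"{host} {name:7s} {verdict}")
    if matches_expectation(results, "open"):
        print("this host is inside AllowHosts for both services")
    elif matches_expectation(results, "filtered"):
        print("both ports stealthed from here (no ACCEPT rule for this source)")
```

Run it once from the machine named in AllowHosts and once from any other address: the first run should report both ports open, the second should report both filtered after the full timeout, and a "closed" anywhere means the packet reached a host with nothing listening rather than being dropped by the firewall.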

mmccarn
« Reply #8 on: November 16, 2006, 10:51:59 PM »
Quote from: "byte"
Thanks again tho :)

No problem.  I can't tell you exactly when, but you posted an answer to one of my problems at some point so I wanted to do what I could!

(Besides, I know a whole lot more about AllowHosts than I did last week!)