Koozali.org: home of the SME Server
Obsolete Releases => SME Server 7.x => Topic started by: byte on November 15, 2006, 01:56:20 PM
-
Just wanted to check (because I don't allow this on my server): if I turn on allow POP3S for private and public in the server manager, and I only want to allow one IP and block all others, would I be doing...
db configuration setprop pop3s AllowHosts x.x.x.x
signal-event email-update
Would that then allow only the "AllowHosts" IP number and block all outside IPs?
Don't know everything yet about the SME Server :lol:
-
'telnet pop3s' before running '....AllowHosts...':
[root@sme ~]# telnet my.mail.svr pop3s
Trying 111.222.111.222...
Connected to my.mail.svr.
Escape character is '^]'.
'telnet pop3s' after running '...AllowHosts...':
[root@sme ~]# telnet my.mail.svr pop3s
Trying 111.222.111.222...
telnet: connect to address 111.222.111.222: Connection timed out
'iptables -L' before running '...AllowHosts...':
Chain InboundTCP_15310 (1 references)
target prot opt source destination
denylog all -- anywhere !my.mail.svr
ACCEPT tcp -- anywhere my.mail.svr tcp dpt:auth
ACCEPT tcp -- anywhere my.mail.svr tcp dpt:smtp
ACCEPT tcp -- anywhere my.mail.svr tcp dpt:https
ACCEPT tcp -- anywhere my.mail.svr tcp dpt:smtps
ACCEPT tcp -- anywhere my.mail.svr tcp dpt:http
ACCEPT tcp -- anywhere my.mail.svr tcp dpt:imaps
ACCEPT tcp -- anywhere my.mail.svr tcp dpt:pop3s
'iptables -L' after running '...AllowHosts 1.2.3.4':
Chain InboundTCP_15310 (1 references)
target prot opt source destination
denylog all -- anywhere !my.mail.svr
ACCEPT tcp -- anywhere my.mail.svr tcp dpt:auth
ACCEPT tcp -- anywhere my.mail.svr tcp dpt:smtp
ACCEPT tcp -- anywhere my.mail.svr tcp dpt:https
ACCEPT tcp -- anywhere my.mail.svr tcp dpt:smtps
ACCEPT tcp -- anywhere my.mail.svr tcp dpt:http
ACCEPT tcp -- anywhere my.mail.svr tcp dpt:imaps
ACCEPT tcp -- 1.2.3.4 my.mail.svr tcp dpt:pop3s
"AllowHosts" extract from /etc/e-smith/templates/etc/rc.d/init.d/masq/90InboundTCP10filter_tcp:
foreach my $filter ( sort {$a->prop('TCPPort') cmp $b->prop('TCPPort')}
...
my $allow_hosts = $props{AllowHosts} || '0.0.0.0/0';
...
It looks to me as though "AllowHosts" is set to '0.0.0.0/0' unless there is a specific "AllowHosts" entry for the service in question.
-
It looks to me as though "AllowHosts" is set to '0.0.0.0/0' unless there is a specific "AllowHosts" entry for the service in question.
Thanks mmccarn, I've tried using "AllowHosts" but this doesn't appear to work in the way it does if you use "AllowHosts" with ssh, for example, so I have opened a Bug...
http://bugs.contribs.org/show_bug.cgi?id=2070
-
The results I posted above are from a system that has *not* had the updates from 2006-11-07 installed.
Also, I repeated the test above using a "real" IP for 'AllowHosts', then confirmed that I get a happy-looking response from
openssl s_client -connect my.mail.svr:pop3s...
Server public key is 1024 bit
SSL-Session:
Protocol : SSLv3
Cipher : DES-CBC3-SHA
Session-ID: 00000000C1F5E0EB3F6632640AD925466CBF07B9EB9E3099F78756840A58C91D
Session-ID-ctx:
Master-Key: 0147D2AD72A93F0102F06A392257A2C946ADE7C39C482F90DB298F530A77BF9C60CE9B7C16F51E804E3973FAD17E03B6
Key-Arg : None
Krb5 Principal: None
Start Time: 1163687589
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
+OK <19607.1163687591@my.mail.svr>
From another host the same 'openssl' command waits a LONG time, then produces
connect: Connection timed out
connect:errno=29
-
From another host the same 'openssl' command waits a LONG time, then produces
connect: Connection timed out
connect:errno=29
So from your testing it appears it doesn't work as well?
-
So from your testing it appears it doesn't work as well?
No, I'm trying to say that from my testing it works perfectly.
With "e-mail access settings" configured in server-manager to "Allow public and private (secure POP3S)":
Before AllowHosts:
Host A can access pop3s OK
Host B can access pop3s OK
After AllowHosts <Host A>:
Host A can access pop3s OK
Host B cannot access pop3s
-
No, I'm trying to say that from my testing it works perfectly.
Yes, you're right, sorry, and it does work my end; I was a digit out on my IP number :oops: having one of those days :roll:
Thanks again tho :)
-
Here is what I did (as I wanted to restrict SSMTP too):
db configuration setprop pop3s AllowHosts x.x.x.x
db configuration setprop ssmtpd AllowHosts x.x.x.x
signal-event email-update
Now when you run the grc.com scan, ports 465 & 995 no longer show as open all the time; they are now stealthed.
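To make the behaviour discussed in this thread concrete, here is an added example (not code from SME Server or from anyone in this thread) that mimics what mmccarn's template extract does with AllowHosts, and checks the two-service setup from the post above. It parses a constructed configuration in the layout of `db configuration show`, applies the template's `AllowHosts || '0.0.0.0/0'` default, renders one ACCEPT rule per enabled public service, and answers "would a client at this IP get through?". The property names `status` and `access`, the comma-separated AllowHosts list, the simplified chain name and the sample IPs are assumptions made for this example.

```python
import ipaddress

# Constructed sample in the layout of `db configuration show <service>` output.
# pop3s carries an AllowHosts property; ssmtpd has none, so the template default applies.
SAMPLE_DB = """\
pop3s=service
    AllowHosts=1.2.3.4
    TCPPort=995
    access=public
    status=enabled
ssmtpd=service
    TCPPort=465
    access=public
    status=enabled
"""


def parse_db(text):
    """Parse the `key=type` / indented `prop=value` layout into {service: {prop: value}}."""
    services = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith((" ", "\t")):
            key, _, value = line.strip().partition("=")
            services[current][key] = value
        else:
            name, _, kind = line.strip().partition("=")
            current = name
            services[name] = {"type": kind}
    return services


def allow_hosts(props):
    """Mirror the template's `$props{AllowHosts} || '0.0.0.0/0'`: no property means everyone."""
    return props.get("AllowHosts") or "0.0.0.0/0"


def is_exposed(props):
    # Assumed property names: only enabled, public services get an inbound rule at all.
    return props.get("status") == "enabled" and props.get("access") == "public"


def iptables_rules(services):
    """Render one ACCEPT rule per allowed source, sorted by TCPPort as the template does.

    Chain name is simplified; the real chain carries a numeric suffix (InboundTCP_15310 on the page).
    """
    rules = []
    for _, props in sorted(services.items(), key=lambda kv: kv[1].get("TCPPort", "")):
        if not is_exposed(props):
            continue
        # Assumption for this example: AllowHosts may be a comma-separated list.
        for src in allow_hosts(props).split(","):
            rules.append(f"-A InboundTCP -p tcp -s {src.strip()} --dport {props['TCPPort']} -j ACCEPT")
    return rules


def is_accepted(services, service, source_ip):
    """Would a client at source_ip reach `service` under the rules above? (Host A / Host B test.)"""
    props = services[service]
    if not is_exposed(props):
        return False
    ip = ipaddress.ip_address(source_ip)
    return any(
        ip in ipaddress.ip_network(host.strip(), strict=False)
        for host in allow_hosts(props).split(",")
    )


if __name__ == "__main__":
    svcs = parse_db(SAMPLE_DB)
    for rule in iptables_rules(svcs):
        print(rule)
    for svc in ("pop3s", "ssmtpd"):
        for client in ("1.2.3.4", "5.6.7.8"):
            print(f"{svc:7} from {client:8}: {'ACCEPT' if is_accepted(svcs, svc, client) else 'DROP'}")
```

Running it shows the asymmetry byte hit: the pop3s rule carries the single source address while ssmtpd, having no AllowHosts property, is rendered with `0.0.0.0/0` and stays reachable from anywhere until it gets its own `setprop ssmtpd AllowHosts`. A typo in the address (one digit out) simply produces a rule that matches nobody you expect, which is why checking from both an allowed and a disallowed host, as done earlier in the thread, is the right verification.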
-
Thanks again tho :)
No problem. I can't tell you exactly when, but you posted an answer to one of my problems at some point so I wanted to do what I could!
(Besides, I know a whole lot more about AllowHosts than I did last week!)