I use a tinc vpn mesh between the nodes. iptables only allows the nodes
to talk to each other on port 655, all else is dropped. Works well. I also
have a setup using zerotier for the same thing - my ansible deployment
playbook will use either one.

DC. 

On 2023-05-14 11:29 am, Daniel Miller via dovecot wrote: 

> I only allow explicit service traffic through. IMAPS, SMTPS, etc. If doveadm 
> is communicating via the IMAP(S) ports then all I can do via firewall is 
> block countries. Which of course I can, but I'm asking about any additional 
> hardening for Dovecot itself. 
> 
> -- 
> Daniel 
> 
> On May 13, 2023 6:25:06 PM jeremy ardley via dovecot <dovecot@dovecot.org> 
> wrote: 
> 
> On 14/5/23 09:14, Daniel L. Miller via dovecot wrote: 
> 
> May 12 15:45:58 cloud1 dovecot: doveadm(194.165.16.78): Error: doveadm 
> client not compatible with this server (mixed old and new binaries?) 
> May 13 03:44:31 cloud1 dovecot: doveadm(45.227.254.48): Error: doveadm 
> client not compatible with this server (mixed old and new binaries?) 
> 
> Since I don't recognize those IPs (the first is out of Panama and the 
> other is Belize), I assume these are hostile attackers trying to 
> exploit something. How can I defend against this? 
> 
> Set up a firewall rule that only allows access from an IP range you 
> control. For any other source, simply drop the connection. 
> 
> You can get really fancy and use port forwarding using ssh to connect 
> from remote but appear as localhost to the server. This access can be 
> configured in dovecot as well as the firewall. 
> 
> Jeremy 
> _______________________________________________ 
> dovecot mailing list -- dovecot@dovecot.org 
> To unsubscribe send an email to dovecot-le...@dovecot.org

_______________________________________________
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org
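As an added example (not code from anyone in this thread), the following script does two things the thread talks about: it audits Dovecot log lines for `doveadm(...)` errors and flags any source IP that is not inside the ranges you control (the VPN mesh subnet and loopback), and it renders Jeremy's "allow your range, drop everything else" advice as iptables rules for the doveadm listener port. The trusted subnet `10.20.0.0/24`, the listener port `12345` and the third and fourth log lines are constructed assumptions; the first two log lines reproduce the format quoted in the thread.

```python
import ipaddress
import re

# Constructed sample log: lines 1-2 follow the format quoted in the thread,
# lines 3-4 are made up to show a trusted source and a non-doveadm line.
SAMPLE_LOG = """\
May 12 15:45:58 cloud1 dovecot: doveadm(194.165.16.78): Error: doveadm client not compatible with this server (mixed old and new binaries?)
May 13 03:44:31 cloud1 dovecot: doveadm(45.227.254.48): Error: doveadm client not compatible with this server (mixed old and new binaries?)
May 13 04:10:02 cloud1 dovecot: doveadm(10.20.0.7): Error: doveadm client not compatible with this server (mixed old and new binaries?)
May 13 04:12:30 cloud1 dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=10.20.0.9, lip=10.20.0.1
"""

# Assumed trusted ranges: a hypothetical VPN mesh subnet plus IPv4/IPv6 loopback.
TRUSTED = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "127.0.0.0/8", "::1/128")]

# Placeholder doveadm listener port; substitute the port your inet_listener uses.
DOVEADM_PORT = 12345

# Matches "<syslog ts> <host> dovecot: doveadm(<ip>): <message>".
DOVEADM_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s(?P<host>\S+)\sdovecot:\s"
    r"doveadm\((?P<ip>[^)]+)\):\s(?P<msg>.*)$"
)


def parse_doveadm_events(log_text):
    """Return a list of {ts, host, ip, msg} dicts for every doveadm log line."""
    events = []
    for line in log_text.splitlines():
        m = DOVEADM_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def is_trusted(ip, trusted=TRUSTED):
    """True if ip lies inside one of the trusted networks; unparseable -> False."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    # Membership test across address families simply returns False, so
    # mixing IPv4 and IPv6 networks in `trusted` is safe.
    return any(addr in net for net in trusted)


def untrusted_doveadm_sources(log_text, trusted=TRUSTED):
    """Distinct doveadm client IPs that are outside the trusted ranges, numerically sorted."""
    seen = {e["ip"] for e in parse_doveadm_events(log_text)}
    flagged = [ip for ip in seen if not is_trusted(ip, trusted)]
    return sorted(flagged, key=lambda s: (ipaddress.ip_address(s).version,
                                          int(ipaddress.ip_address(s))))


def iptables_rules(port, trusted=TRUSTED):
    """Render allow-list rules for the doveadm port: ACCEPT each trusted range, then DROP."""
    rules = []
    for net in trusted:
        tool = "ip6tables" if net.version == 6 else "iptables"
        rules.append(f"{tool} -A INPUT -p tcp --dport {port} -s {net} -j ACCEPT")
    rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    rules.append(f"ip6tables -A INPUT -p tcp --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    for ip in untrusted_doveadm_sources(SAMPLE_LOG):
        print(f"doveadm connection from untrusted source: {ip}")
    print("\n".join(iptables_rules(DOVEADM_PORT)))
```

Run against a real `mail.log`, the audit tells you whether the doveadm listener is reachable from anywhere it should not be; the rule output is the allow-list to apply (review it before loading, and keep the loopback rule if you use Jeremy's ssh port-forwarding approach so forwarded connections still arrive as localhost).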