Oops, thank you. You are right.
I had the setting on my test plant servers, but I had not configured it on the production servers :)


----- On 19-Apr-23, at 11:01, Alessio Cecchi via dovecot <dovecot@dovecot.org> wrote:

Hi Fabrizio,

set login_trusted_networks to point to the proxies in the backends. This way you’ll get the clients’ actual IP addresses logged instead of the proxy’s.

https://doc.dovecot.org/settings/core/#core_setting-login_trusted_networks

On 19/04/23 09:18, Fabrizio Cuseo wrote:
Good morning.
I am planning a dovecot system with:
- 3 x glusterfs servers (with 2 volumes, 1 ssd for short term mail, and 1 with bigger hdd for long term archive mail)
- 1 x mysql server (another server with active replica will be added)
- 3 x mbox servers (with dovecot pop/imap/lmtp/sieve/postfix)
- 3 x dovecot proxy/directors for pop3/imap/smtp
- 4 x proxmox mail gateway for antispam/antivirus in front of smtp servers
- 1 x centralized syslog server

All have private IP addresses, and in front there is a firewall with HA_proxy to provide high availability and load balancing.


My only problem now is using the last_login plugin; I have configured it on the mailbox servers for pop3/imap, but the IP address that is written to MySQL is the proxy/director address, not the real client IP address.
No results using real_remote_ip.

Apr 19 09:14:31 mailbox-01 dovecot: pop3-login: Login: user=<username@domain.it>, method=PLAIN, rip=172.16.27.31, lip=172.16.27.21, mpid=19723, session=<42nHLKv5JsqsEBsf>
Apr 19 09:14:31 mailproxy-01 dovecot: pop3-login: proxy(username@domain.it,172.16.27.21:110): Started proxying to 172.16.27.21 (1.978 secs): user=<username@domain.it>, method=PLAIN, rip=212.66.96.188, lip=172.16.27.31, session=<u4+wLKv5ZUjUQmC8>
Apr 19 09:14:34 mailbox-01 dovecot: pop3(username@domain.it)<19723><42nHLKv5JsqsEBsf>: Disconnected: Logged out top=0/0, retr=0/0, del=0/37, size=115779706
Apr 19 09:14:34 mailproxy-01 dovecot: pop3-login: proxy(username@domain.it,172.16.27.21:110): Disconnected by server (0s idle, in=45, out=82): user=<username@domain.it>, method=PLAIN, rip=212.66.96.188, lip=172.16.27.31, session=<u4+wLKv5ZUjUQmC8>


In the DB I have last_ip: 172.16.27.31, not 212.66.96.188

-------------


dovecot -n 
# 2.3.16 (7e2e900c1a): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.16 (09c29328)
# OS: Linux 5.15.0-69-generic x86_64 Ubuntu 22.04.2 LTS 
# Hostname: mailbox-01
auth_default_realm = XXXXXXXX.it
default_client_limit = 2500
dict {
  mysql = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
  sieve = mysql:/etc/dovecot/dict-sieve-sql.conf
  sql = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
}
disable_plaintext_auth = no
doveadm_api_key = # hidden, use -P to show it
first_valid_gid = 89
first_valid_uid = 89
imap_client_workarounds = tb-extra-mailbox-sep delay-newmail
login_greeting = Welcome to mail server
mail_fsync = always
mail_gid = 89
mail_location = mbox:~/mail:INBOX=/var/mail/%u
mail_plugins = quota
mail_privileged_group = mail
mail_uid = 89
mailbox_list_index_very_dirty_syncs = yes
mdbox_rotate_size = 128 M
mmap_disable = yes
namespace inbox {
  inbox = yes
  location = 
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix = 
  separator = .
}
passdb {
  driver = pam
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
plugin {
  last_login_dict = proxy::sql
  last_login_key = # hidden, use -P to show it
  last_login_precision = ms
  quota = count:User quota
  quota_clone_dict = proxy::mysql
  quota_grace = 50M
  quota_rule2 = Trash:storage=+100M
  quota_vsizes = yes
  quota_warning = storage=95%% quota-warning 95 %u
  quota_warning2 = storage=80%% quota-warning 80 %u
  sieve = dict:proxy::sieve;name=active
  sieve_extensions = +vacation-seconds
  sieve_vacation_default_period = 7d
  sieve_vacation_max_period = 30d
  sieve_vacation_min_period = 1h
}
pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
protocols = " imap lmtp pop3"
service dict {
  unix_listener dict {
    group = mail2023
    mode = 0660
    user = mail2023
  }
}
service doveadm {
  inet_listener {
    port = 2425
  }
  inet_listener http {
    port = 8080
  }
  unix_listener doveadm-server {
    user = mail2023
  }
}
service imap {
  process_limit = 1024
}
service lmtp {
  inet_listener lmtp {
    port = 24
  }
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = mail2023
    mode = 0666
    user = mail2023
  }
}
service pop3 {
  process_limit = 250
}
service quota-warning {
  executable = script /usr/local/bin/quota-warning.sh
  unix_listener quota-warning {
    mode = 0666
    user = mail2023
  }
  user = mail2023
}
service stats {
  unix_listener stats-reader {
    group = mail2023
    mode = 0660
    user = mail2023
  }
  unix_listener stats-writer {
    group = mail2023
    mode = 0660
    user = mail2023
  }
}
ssl_cert = </etc/dovecot/private/dovecot.pem
ssl_client_ca_dir = /etc/ssl/certs
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
userdb {
  driver = passwd
}
userdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
protocol lmtp {
  mail_plugins = quota sieve quota quota_clone
}
protocol !indexer-worker {
  mail_vsize_bg_after_count = 100
}
protocol lda {
  mail_plugins = quota sieve quota quota_clone
}
protocol imap {
  mail_max_userip_connections = 10
  mail_plugins = quota quota imap_quota quota_clone last_login
}
protocol pop3 {
  mail_max_userip_connections = 2
  mail_plugins = quota quota quota_clone last_login
}



In dovecot-dict-sql.conf.ext there is:

map {
  pattern = shared/last-login/$service/$user/$remote_ip
  table = mail_last_login
  value_field = last_access
  value_type = uint

  fields {
    userid = $user
    service = $service
    last_ip = $remote_ip
  }
}



-- 
Alessio Cecchi
Postmaster @ http://www.qboxmail.it
https://www.linkedin.com/in/alessice


--
Fabrizio Cuseo - mailto:f.cuseo@panservice.it
General Management - Panservice InterNetWorking
Professional Services for Internet and Networking
Panservice is a member of AIIP - RIPE Local Registry
Phone: +39 0773 410020 - Fax: +39 0773 470219
http://www.panservice.it  mailto:info@panservice.it
National toll-free number: 800 901492
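
An added example, not part of the thread: a log check that flags backend logins whose `rip` is a proxy address, which is the symptom described above when `login_trusted_networks` is not set on a backend. The proxy list is an assumption (only 172.16.27.31 appears in the thread), and the third sample line is constructed to show what a backend logs once the setting is in place.

```python
import re
from ipaddress import ip_address, ip_network

# Assumption: addresses of the proxy/director hosts. Only 172.16.27.31
# (mailproxy-01) is visible in the thread; add the others for a real check.
PROXIES = [ip_network("172.16.27.31/32")]

# Matches backend "Login:" lines from imap-login / pop3-login.
LOGIN_RE = re.compile(
    r"^\w{3}\s+\d+ [\d:]+ (?P<host>\S+) dovecot: (?P<svc>[\w-]+)-login: Login: "
    r"user=<(?P<user>[^>]*)>.*?\brip=(?P<rip>[0-9a-fA-F.:]+), lip=(?P<lip>[0-9a-fA-F.:]+)"
)

SAMPLE = [
    # From the thread: backend without login_trusted_networks.
    "Apr 19 09:14:31 mailbox-01 dovecot: pop3-login: Login: user=<username@domain.it>, "
    "method=PLAIN, rip=172.16.27.31, lip=172.16.27.21, mpid=19723, session=<42nHLKv5JsqsEBsf>",
    # From the thread: proxy-side line, not a backend login, must be ignored.
    "Apr 19 09:14:31 mailproxy-01 dovecot: pop3-login: proxy(username@domain.it,172.16.27.21:110): "
    "Started proxying to 172.16.27.21 (1.978 secs): user=<username@domain.it>, method=PLAIN, "
    "rip=212.66.96.188, lip=172.16.27.31, session=<u4+wLKv5ZUjUQmC8>",
    # Constructed: same backend after the proxies are listed in login_trusted_networks.
    "Apr 19 11:30:02 mailbox-01 dovecot: pop3-login: Login: user=<username@domain.it>, "
    "method=PLAIN, rip=212.66.96.188, lip=172.16.27.21, mpid=20110, session=<constructedSession>",
]


def unmasked_proxy_logins(lines, proxies=PROXIES):
    """Return (host, service, user, rip) for logins recorded with a proxy's IP.

    A hit means that host logged the proxy instead of the client, so
    last_login rows and per-IP audit data written there carry the proxy address.
    """
    findings = []
    for line in lines:
        m = LOGIN_RE.match(line)
        if not m:
            continue  # "Started proxying", "Disconnected", etc.
        rip = ip_address(m["rip"])
        if any(rip in net for net in proxies):
            findings.append((m["host"], m["svc"], m["user"], m["rip"]))
    return findings


if __name__ == "__main__":
    for host, svc, user, rip in unmasked_proxy_logins(SAMPLE):
        print(f"{host}: {svc} login for {user} recorded with proxy address {rip}")
```
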