[Dovecot] Proxy logging destuser
Hi All
My first post to the list, so "hello world"!
Having searched the list archives and the wiki for an answer to this, I don't think it is possible. However, let me ask nonetheless...
Is it possible for a Dovecot proxy's login process (IMAP and POP3) to include the "destuser", i.e. the uid used to authenticate to the backend IMAP/POP3 server, in its logging? "%u" gives me the uid provided by the client of course, but it would useful for my purposes to catch the "destuser" in the same log line.
The only way to get the proxy to log "destuser" at all, as far as I can figure out, is to enable "auth debug" - not something I want to do in a production environment.
Thanking-you, Paul
New from MWEB: Cellphone and Internet bundles! Bundle your Internet access with your cellular contract from R75 per month. Call 08600 32000 or click here(http://www.mweb.co.za/productsservices/MTALKMobile/tabid/1223/Default.aspx) for more info on the great deals available.
MWEB :-) JUST LIKE THAT
On Aug 14, 2008, at 2:36 AM, Paul Gamble - MWEB wrote:
Is it possible for a Dovecot proxy's login process (IMAP and POP3) to include the "destuser", i.e. the uid used to authenticate to the
backend IMAP/POP3 server, in its logging? "%u" gives me the uid provided by
the client of course, but it would useful for my purposes to catch the "destuser" in the same log line.
Could you try if this patch works: http://hg.dovecot.org/dovecot-1.1/raw-rev/5d0406541434
Hi Timo
Thanks very much, hadn't finished my morning coffee and already a patch :)
The patch does the trick:
- My dovecot.conf for the proxy: ... login_log_format_elements = pid=%p user=%u method=%m rsock=%r:%b lsock=%l:%a proto=%s %c login_log_format = MYPROXY %s %$: ...
- gives me, via syslog: Aug 14 10:14:03 withnail dovecot: imap-login: MYPROXY pid=6516, user=pgamble@abc.co.za, method=PLAIN, rsock=127.0.0.1:48157, lsock=127.0.0.1:1143, proto=IMAP, secured proxy(pgamble@abc.co.za): started proxying to 127.0.0.1:143/pgamble*master: Aug 14 10:26:02 withnail dovecot: pop3-login: MYPROXY pid=6514, user=pgamble@abc.co.za, method=PLAIN, rsock=127.0.0.1:55991, lsock=127.0.0.1:1110, proto=POP3, secured proxy(pgamble@abc.co.za): started proxying to 127.0.0.1:110/pgamble*master:
This is just on a dev box, hence the odd IP's, log format, etc.
I'm using "master authentication" for the backend auth and so the the master user and separator character are imbedded in the backend user, i.e. "client->proxy_user", ("pgamble*master" above) and it would be convenient to have them available separately, but I can live with it as-is.
So...great stuff, thanks very much! What is your approach with regards to incorporating these kinds of patches (in response to ad-hoc user requests) into your main development tree? It would obviously be nice to know that this will be incorporated at some point... Would it be feasible to add a "config variable" for this (along the lines of %u, %p, %s, etc, etc)?
Regards, Paul Gamble
-----Original Message----- From: dovecot-bounces+pgamble=mweb.com@dovecot.org [mailto:dovecot-bounces+pgamble=mweb.com@dovecot.org] On Behalf Of Timo Sirainen Sent: 14 August 2008 09:12 AM To: Paul Gamble - MWEB Cc: dovecot@dovecot.org Subject: Re: [Dovecot] Proxy logging destuser
On Aug 14, 2008, at 2:36 AM, Paul Gamble - MWEB wrote:
Is it possible for a Dovecot proxy's login process (IMAP and POP3) to include the "destuser", i.e. the uid used to authenticate to the backend IMAP/POP3 server, in its logging? "%u" gives me the uid provided by the client of course, but it would useful for my purposes to catch the
"destuser" in the same log line.
Could you try if this patch works: http://hg.dovecot.org/dovecot-1.1/raw-rev/5d0406541434
New from MWEB: Cellphone and Internet bundles! Bundle your Internet access with your cellular contract from R75 per month. Call 08600 32000 or click here(http://www.mweb.co.za/productsservices/MTALKMobile/tabid/1223/Default.aspx) for more info on the great deals available.
MWEB :-) JUST LIKE THAT
On Aug 14, 2008, at 4:42 AM, Paul Gamble - MWEB wrote:
Aug 14 10:14:03 withnail dovecot: imap-login: MYPROXY pid=6516, user=pgamble@abc.co.za, method=PLAIN, rsock=127.0.0.1:48157, lsock=127.0.0.1:1143, proto=IMAP, secured proxy(pgamble@abc.co.za): started proxying to 127.0.0.1:143/pgamble*master: Aug 14 10:26:02 withnail dovecot: pop3-login: MYPROXY pid=6514, user=pgamble@abc.co.za, method=PLAIN, rsock=127.0.0.1:55991, lsock=127.0.0.1:1110, proto=POP3, secured proxy(pgamble@abc.co.za): started proxying to 127.0.0.1:110/pgamble*master:
This is just on a dev box, hence the odd IP's, log format, etc.
I'm using "master authentication" for the backend auth and so the the master user and separator character are imbedded in the backend user, i.e. "client->proxy_user", ("pgamble*master" above) and it would be convenient to have them available separately, but I can live with it as-is.
So...great stuff, thanks very much! What is your approach with regards to incorporating these kinds of patches (in response to ad-hoc user requests) into your main development tree? It would obviously be
nice to know that this will be incorporated at some point...
The URL I gave was to the main v1.1 tree. So this feature will be in
v1.1.3.
Would it be feasible to add a "config variable" for this (along the lines of %u,
%p, %s, etc, etc)?
That is getting a bit crowded already. And that's proxy-specific thing
so you should then have variables for the destination host and port as
well.
Hi Timo
The patch you provided to allow Dovecot-as-proxy's login processes to log the "destuser" only does so for successful authentications/logins. What is the possibility that this information could additionally be logged for successful lookups, but failed authentication, e.g. valid user-name/invalid password?
The patch mentioned is: http://hg.dovecot.org/dovecot-1.1/raw-rev/5d0406541434
Regards
-----Original Message----- From: Timo Sirainen [mailto:tss@iki.fi] Sent: 14 August 2008 10:22 PM To: Paul Gamble - MWEB Cc: Dovecot Mailing List Subject: Re: [Dovecot] Proxy logging destuser New from MWEB: Cellphone and Internet bundles! Bundle your Internet access with your cellular contract from R75 per month. Call 08600 32000 or click here(http://www.mweb.co.za/productsservices/MTALKMobile/tabid/1223/Default.aspx) for more info on the great deals available.
MWEB :-) JUST LIKE THAT
On Tue, 2008-08-26 at 07:20 +0200, Paul Gamble - MWEB wrote:
Hi Timo
The patch you provided to allow Dovecot-as-proxy's login processes to log the "destuser" only does so for successful authentications/logins. What is the possibility that this information could additionally be logged for successful lookups, but failed authentication, e.g. valid user-name/invalid password?
How about each login attempt is logged with auth_verbose=yes?
participants (2)
-
Paul Gamble - MWEB
-
Timo Sirainen