[Dovecot] mail_log_events, but who exactly triggered events?
Hi.
mail_log_events is a nice addition, but how to log who exactly triggered a particular event? For example, 5 users from 5 IP addresses use a single imap user/mailbox.
One of them deletes email and I'm logging delete related events. The only logged thing is:
dovecot: imap(user): delete: box=INBOX, uid=673287, msgid=<some@thing>, size=1230
which tells me nothing about who triggered it actually (note all 5 users were logged in at deletion time).
How to solve this problem?
Thanks,
Arkadiusz Miśkiewicz, arekm / maven.pl
Am 30.01.2014 10:50, schrieb Arkadiusz Miśkiewicz:
> mail_log_events is a nice addition, but how to log who exactly triggered a particular event? For example, 5 users from 5 IP addresses use a single imap user/mailbox.
> One of them deletes email and I'm logging delete related events. The only logged thing is:
> dovecot: imap(user): delete: box=INBOX, uid=673287, msgid=<some@thing>, size=1230
> which tells me nothing about who triggered it actually (note all 5 users were logged in at deletion time).
> How to solve this problem?

do not share user-logins
don't do that for any service, not only mail
that's why ACL / shared mailboxes exist, because in that case you have the unique username in the logs instead of always the same one
On Thursday 30 of January 2014, Reindl Harald wrote:
> Am 30.01.2014 10:50, schrieb Arkadiusz Miśkiewicz:
>> mail_log_events is a nice addition, but how to log who exactly triggered a particular event? For example, 5 users from 5 IP addresses use a single imap user/mailbox.
>> One of them deletes email and I'm logging delete related events. The only logged thing is:
>> dovecot: imap(user): delete: box=INBOX, uid=673287, msgid=<some@thing>, size=1230
>> which tells me nothing about who triggered it actually (note all 5 users were logged in at deletion time).
>> How to solve this problem?
> do not share user-logins

I'm not sharing. Customers are.

> don't do that for any service, not only mail

That's impossible to make.
Customer creates login "abc" on my server and gives it to 10 employees to watch that mailbox.
10 employees log in to that single account and do some actions. One of them is "bad" and deletes important mail. I want to be able to figure which one.
I have no control over customers. Also I see no sensible reason to disallow such work style.

> that's why ACL / shared mailboxes exist, because in that case you have the unique username in the logs instead of always the same one

When customers log in:
dovecot: pop3-login: Login: user=<someone1>, method=PLAIN, rip=xxx, lip=yyy, mpid=11680, session=<MR9D9y3xhwBb6rD1>
dovecot: imap-login: Login: user=<someone2>, method=PLAIN, rip=aaa, lip=yyy, mpid=11682, TLS, session=<U1lD9y3xoQBPuvZx>
session id is logged. Now how to get that id logged in mail_log_events lines?
-- Arkadiusz Miśkiewicz, arekm / maven.pl
Am 30.01.2014 12:04, schrieb Arkadiusz Miśkiewicz:
> On Thursday 30 of January 2014, Reindl Harald wrote:
>> Am 30.01.2014 10:50, schrieb Arkadiusz Miśkiewicz:
>>> mail_log_events is a nice addition, but how to log who exactly triggered a particular event? For example, 5 users from 5 IP addresses use a single imap user/mailbox.
>>> One of them deletes email and I'm logging delete related events. The only logged thing is:
>>> dovecot: imap(user): delete: box=INBOX, uid=673287, msgid=<some@thing>, size=1230
>>> which tells me nothing about who triggered it actually (note all 5 users were logged in at deletion time).
>>> How to solve this problem?
>> do not share user-logins
> I'm not sharing. Customers are.
>> don't do that for any service, not only mail
> That's impossible to make.
> Customer creates login "abc" on my server and gives it to 10 employees to watch that mailbox.
> 10 employees log in to that single account and do some actions. One of them is "bad" and deletes important mail. I want to be able to figure which one.
> I have no control over customers. Also I see no sensible reason to disallow such work style.

then your answer to them is simply "i can't tell who did what" as long they insist on that work style - how is that your problem?
On Thu, 30 Jan 2014, Reindl Harald wrote:
> Am 30.01.2014 12:04, schrieb Arkadiusz Miśkiewicz:
>> On Thursday 30 of January 2014, Reindl Harald wrote:
>>> Am 30.01.2014 10:50, schrieb Arkadiusz Miśkiewicz:
>>>> mail_log_events is a nice addition, but how to log who exactly triggered a particular event? For example, 5 users from 5 IP addresses use a single imap user/mailbox.
>>>> One of them deletes email and I'm logging delete related events. The only logged thing is:
>>>> dovecot: imap(user): delete: box=INBOX, uid=673287, msgid=<some@thing>, size=1230
>>>> which tells me nothing about who triggered it actually (note all 5 users were logged in at deletion time).
>>>> How to solve this problem?
>>> do not share user-logins
>> I'm not sharing. Customers are.
>>> don't do that for any service, not only mail
>> That's impossible to make.
>> Customer creates login "abc" on my server and gives it to 10 employees to watch that mailbox.
>> 10 employees log in to that single account and do some actions. One of them is "bad" and deletes important mail. I want to be able to figure which one.
>> I have no control over customers. Also I see no sensible reason to disallow such work style.
> then your answer to them is simply "i can't tell who did what" as long they insist on that work style - how is that your problem?

(Y)
@Arkadiusz, please tell us, if 10 people use the same account name and password, how would you as a server behind the internet with a human brain differ those 10 individuals?
The only idea I, personally, have is the IP address: Do they connect from different IP addresses _all_ the time? No NAT involved? Do you know who uses which IP address _all_ the time? If so, Dovecot logs the IP address during login and you can associate a PID with an IP address. IMHO you can add the remote IP address to the log string. Check out the variables page in the Wiki.
But, frankly, _if_ you have someone, who is >>"bad" and deletes important mail<<, you should see >>sensible reason to disallow such work style<<. The next time you see yet another IP address and don't know the user again.
Steffen Kaiser
On Thursday 30 of January 2014, Steffen Kaiser wrote:
> On Thu, 30 Jan 2014, Reindl Harald wrote:
>> Am 30.01.2014 12:04, schrieb Arkadiusz Miśkiewicz:
>>> On Thursday 30 of January 2014, Reindl Harald wrote:
>>>> Am 30.01.2014 10:50, schrieb Arkadiusz Miśkiewicz:
>>>>> mail_log_events is a nice addition, but how to log who exactly triggered a particular event? For example, 5 users from 5 IP addresses use a single imap user/mailbox.
>>>>> One of them deletes email and I'm logging delete related events. The only logged thing is:
>>>>> dovecot: imap(user): delete: box=INBOX, uid=673287, msgid=<some@thing>, size=1230

Here is a feature request:
Add optionally (or unconditionally) logging of session id in mail_log_events.
Timo, is this possible?
(the same session id that appears in login log entries: dovecot: imap-login: Login: user=<someone2>, method=PLAIN, rip=aaa, lip=yyy, mpid=11682, TLS, session=<U1lD9y3xoQBPuvZx>)
So for example this would get logged:
dovecot: imap(user): delete: box=INBOX, uid=673287, msgid=<some@thing>, size=1230, session=<U1lD9y3xoQBPuvZx>

> @Arkadiusz, please tell us, if 10 people use the same account name and password, how would you as a server behind the internet with a human brain differ those 10 individuals?
> The only idea I, personally, have is the IP address: Do they connect from different IP addresses _all_ the time? No NAT involved? Do you know who uses which IP address _all_ the time? If so, Dovecot logs the IP address during login and you can associate a PID with an IP address. IMHO you can add the remote IP address to the log string. Check out the variables page in the Wiki.
> But, frankly, _if_ you have someone, who is >>"bad" and deletes important mail<<, you should see >>sensible reason to disallow such work style<<. The next time you see yet another IP address and don't know the user again.

Ok, but why session id that's assigned at login cannot be logged in mail_log_events, too? Is there any technical problem with this approach?
It solves the problem (yes, assume different IP addresses; won't work obviously if the address is the same).
The discussion is now about changing the way service is used by people while I'm more interested in what dovecot can do or (enhancing) dovecot capabilities.
-- Arkadiusz Miśkiewicz, arekm / maven.pl
On Tue, 4 Feb 2014, Arkadiusz Miśkiewicz wrote:
> Date: Tue, 4 Feb 2014 13:09:15 +0100
> From: Arkadiusz Miśkiewicz <arekm@maven.pl>
> To: dovecot@dovecot.org
> Subject: Re: [Dovecot] mail_log_events, but who exactly triggered events? [feature request]
>
> On Thursday 30 of January 2014, Steffen Kaiser wrote:
>> On Thu, 30 Jan 2014, Reindl Harald wrote:
>>> Am 30.01.2014 12:04, schrieb Arkadiusz Miśkiewicz:
>>>> On Thursday 30 of January 2014, Reindl Harald wrote:
>>>>> Am 30.01.2014 10:50, schrieb Arkadiusz Miśkiewicz:
>>>>>> mail_log_events is a nice addition, but how to log who exactly triggered a particular event? For example, 5 users from 5 IP addresses use a single imap user/mailbox.
>>>>>> One of them deletes email and I'm logging delete related events. The only logged thing is:
>>>>>> dovecot: imap(user): delete: box=INBOX, uid=673287, msgid=<some@thing>, size=1230
> Here is a feature request:
> Add optionally (or unconditionally) logging of session id in mail_log_events.
> Timo, is this possible?
> (the same session id that appears in login log entries: dovecot: imap-login: Login: user=<someone2>, method=PLAIN, rip=aaa, lip=yyy, mpid=11682, TLS, session=<U1lD9y3xoQBPuvZx>)
> So for example this would get logged:
> dovecot: imap(user): delete: box=INBOX, uid=673287, msgid=<some@thing>, size=1230, session=<U1lD9y3xoQBPuvZx>

Have you tried this: http://wiki2.dovecot.org/Variables
There is the session variable and the mail_log_prefix setting. Should work, IMHO.

>> @Arkadiusz, please tell us, if 10 people use the same account name and password, how would you as a server behind the internet with a human brain differ those 10 individuals?
>> The only idea I, personally, have is the IP address: Do they connect from different IP addresses _all_ the time? No NAT involved? Do you know who uses which IP address _all_ the time? If so, Dovecot logs the IP address during login and you can associate a PID with an IP address. IMHO you can add the remote IP address to the log string. Check out the variables page in the Wiki.
>> But, frankly, _if_ you have someone, who is >>"bad" and deletes important mail<<, you should see >>sensible reason to disallow such work style<<. The next time you see yet another IP address and don't know the user again.
> Ok, but why session id that's assigned at login cannot be logged in mail_log_events, too? Is there any technical problem with this approach?
> It solves the problem (yes, assume different IP addresses; won't work obviously if the address is the same).
> The discussion is now about changing the way service is used by people while I'm more interested in what dovecot can do or (enhancing) dovecot capabilities.
Steffen Kaiser
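The correlation this thread is asking for, as an added example that is not part of any post above: once the session ID appears in both the login line and the mail_log line, each delete event can be joined to the remote IP recorded at login. It assumes dovecot.conf sets mail_log_prefix = "%s(%u)<%{session}>: " (the setting and variable named in the last reply; this exact prefix string is an assumption), and the log lines and addresses are constructed for illustration.

```python
import re

# Constructed sample log, not taken from the thread. It assumes dovecot.conf sets
#   mail_log_prefix = "%s(%u)<%{session}>: "
# so that every mail_log line carries the session ID assigned at login.
SAMPLE_LOG = """\
Jan 30 10:41:02 mx dovecot: imap-login: Login: user=<abc>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5, mpid=11680, TLS, session=<MR9D9y3xhwBb6rD1>
Jan 30 10:42:17 mx dovecot: imap-login: Login: user=<abc>, method=PLAIN, rip=192.0.2.77, lip=198.51.100.5, mpid=11682, TLS, session=<U1lD9y3xoQBPuvZx>
Jan 30 10:50:03 mx dovecot: imap(abc)<U1lD9y3xoQBPuvZx>: delete: box=INBOX, uid=673287, msgid=<some@thing>, size=1230
Jan 30 10:55:40 mx dovecot: imap(abc)<ZZunknownSession>: delete: box=INBOX, uid=673290, msgid=<other@thing>, size=512
"""

LOGIN_RE = re.compile(
    r"(?:imap|pop3)-login: Login: user=<(?P<user>[^>]*)>.*?"
    r"rip=(?P<rip>[^,\s]+).*?session=<(?P<session>[^>]+)>")
EVENT_RE = re.compile(
    r"(?:imap|pop3)\((?P<user>[^)]*)\)<(?P<session>[^>]+)>: "
    r"(?P<event>\w+): (?P<fields>.*)$")

def attribute_events(log_text, event="delete"):
    """Return one dict per matching mail_log event, joined to its login by session ID."""
    logins = {}   # session ID -> remote IP seen at login
    results = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            logins[m["session"]] = m["rip"]
            continue
        m = EVENT_RE.search(line)
        if m and m["event"] == event:
            uid = re.search(r"\buid=(\d+)", m["fields"])
            results.append({
                "user": m["user"],
                "session": m["session"],
                "uid": int(uid.group(1)) if uid else None,
                # None means the login line is missing (rotated log, other host).
                "rip": logins.get(m["session"]),
            })
    return results

if __name__ == "__main__":
    for row in attribute_events(SAMPLE_LOG):
        print(row)
```

A row whose rip is None means the login line for that session was not in the log being read, and, as the replies above note, clients that share one address behind NAT remain indistinguishable.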