nologin + reason -> logging reason
Hi.
I'm using nologin with my own reason [1]. That works fine. For example, a pop3 client gets a nice message like "-ERR [AUTH] Account is locked. Please contact support."
Unfortunately, the maillog lacks details about why the user was not allowed to log in.
pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<testuser>, method=LOGIN, rip=1.1.1.1, lip=2.2.2.2, session=<yIsRftBBmsrB7y2h>
Is it possible to log the "reason" there, too (whether it is the default/internal dovecot reason or my custom one)?
The reason is the only thing in the maillog that allows distinguishing why a user was not allowed to log in.
[1] http://wiki2.dovecot.org/PasswordDatabase/ExtraFields
Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )
On Nov 21, 2016, at 7:39 AM, Arkadiusz Miśkiewicz arekm@maven.pl wrote:
> The reason is the only thing in the maillog that allows distinguishing why a user was not allowed to log in.
Um… the only thing? How about where you set the reason in the first place?
I think the assumption with nologin is that the admin knows the reason, especially considering that nologin is drastic and is almost certain to confuse the user’s MUA, so should only be used in dire cases.
On Monday 21 of November 2016, @lbutlr wrote:
> On Nov 21, 2016, at 7:39 AM, Arkadiusz Miśkiewicz arekm@maven.pl wrote:
>> The reason is the only thing in the maillog that allows distinguishing why a user was not allowed to log in.
> Um… the only thing? How about where you set the reason in the first place?
That "first" place is constantly changing (database) and I'm looking at logs from X days/weeks ago, so the database doesn't even have the old info.
The log is the only place where it would make sense to store a reason.
> I think the assumption with nologin is that the admin knows the reason, especially considering that nologin is drastic and is almost certain to confuse the user’s MUA, so should only be used in dire cases.
There are 4 different and dynamically changing reasons possible, so it's not that simple.
-- Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )
On Nov 21, 2016, at 2:49 PM, Arkadiusz Miśkiewicz arekm@maven.pl wrote:
> On Monday 21 of November 2016, @lbutlr wrote:
>> On Nov 21, 2016, at 7:39 AM, Arkadiusz Miśkiewicz arekm@maven.pl wrote:
>>> The reason is the only thing in the maillog that allows distinguishing why a user was not allowed to log in.
>> Um… the only thing? How about where you set the reason in the first place?
> That "first" place is constantly changing (database) and I'm looking at logs from X days/weeks ago, so the database doesn't even have the old info.
I strongly suspect that nologin is the wrong way to do this.
On 21 Nov 2016, at 16.39, Arkadiusz Miśkiewicz arekm@maven.pl wrote:
> Hi.
> I'm using nologin with my own reason [1]. That works fine. For example, a pop3 client gets a nice message like "-ERR [AUTH] Account is locked. Please contact support."
> Unfortunately, the maillog lacks details about why the user was not allowed to log in.
> pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<testuser>, method=LOGIN, rip=1.1.1.1, lip=2.2.2.2, session=<yIsRftBBmsrB7y2h>
> Is it possible to log the "reason" there, too (whether it is the default/internal dovecot reason or my custom one)?
Does it work if you add:
login_log_format_elements = $login_log_format_elements reason=%{passdb:reason}
On Monday 21 of November 2016, Timo Sirainen wrote:
> On 21 Nov 2016, at 16.39, Arkadiusz Miśkiewicz arekm@maven.pl wrote:
>> Hi.
>> I'm using nologin with my own reason [1]. That works fine. For example, a pop3 client gets a nice message like "-ERR [AUTH] Account is locked. Please contact support."
>> Unfortunately, the maillog lacks details about why the user was not allowed to log in.
>> pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<testuser>, method=LOGIN, rip=1.1.1.1, lip=2.2.2.2, session=<yIsRftBBmsrB7y2h>
>> Is it possible to log the "reason" there, too (whether it is the default/internal dovecot reason or my custom one)?
> Does it work if you add:
> login_log_format_elements = $login_log_format_elements reason=%{passdb:reason}
Unfortunately, with this an empty reason is always logged (for both allowed and nologin users):
Nov 22 07:09:08 mbox dovecot[31261]: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<testuser>, method=LOGIN, rip=1.1.1.1, lip=2.2.2.2, session=<vq4dnN1BALXB7y2h>, reason=
while user got
-ERR [AUTH] Account is locked. Please contact support.
and I had:
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e local_name=%{local_name} %c session=<%{session}> reason=%{passdb:reason}
-- Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )
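One way to tally failed logins per logged reason once a `reason=` element is appended to `login_log_format_elements`, as an added example that is not part of the thread or of Dovecot. The sample lines are constructed, the non-empty reason values are assumptions (the thread only shows an empty one), and `parse_login_line` and `failures_by_reason` are hypothetical names. The parser reads `reason=` to the end of the line because it is free text that may itself contain the `, ` element separator.

```python
import re
from collections import Counter

# Constructed sample lines in the format quoted in the thread. The populated
# reason= values are assumptions: the thread only ever shows an empty one.
SAMPLE_LOG = """\
Nov 22 07:09:08 mbox dovecot[31261]: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<testuser>, method=LOGIN, rip=1.1.1.1, lip=2.2.2.2, session=<vq4dnN1BALXB7y2h>, reason=
Nov 22 07:10:41 mbox dovecot[31261]: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<user2>, method=PLAIN, rip=1.1.1.1, lip=2.2.2.2, session=<constructed0001>, reason=Account is locked. Please contact support.
Nov 22 07:11:02 mbox dovecot[31261]: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<user3>, method=PLAIN, rip=1.1.1.1, lip=2.2.2.2, session=<constructed0002>, reason=Locked, unpaid invoice
Nov 22 07:12:30 mbox dovecot[31261]: pop3-login: Login: user=<user4>, method=PLAIN, rip=1.1.1.1, lip=2.2.2.2, session=<constructed0003>, reason=
"""

# "<service>-login: <event> (<detail>): <elements joined by ', '>"
LINE_RE = re.compile(
    r"(?P<service>[\w-]+-login): (?P<event>[^:(]+?)"
    r"(?: \((?P<detail>[^)]*)\))?: (?P<elements>.*)$"
)


def parse_login_line(line):
    """Return a dict of the login-log fields, or None for non-login lines."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    # reason= is free text placed last, so cut it off before splitting on ", ".
    head, found, reason = m.group("elements").partition(", reason=")
    rec = {"service": m.group("service"), "event": m.group("event"),
           "detail": m.group("detail"), "reason": reason if found else None}
    for element in head.split(", "):
        key, eq, value = element.partition("=")
        if eq:  # elements not in key=value form (e.g. a bare %c) are skipped
            rec[key] = value.strip("<>")
    return rec


def failures_by_reason(log_text):
    """Count auth-failed disconnects per reason; empty or missing -> '(empty)'."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_login_line(line)
        if rec and (rec["detail"] or "").startswith("auth failed"):
            counts[rec["reason"] or "(empty)"] += 1
    return counts


if __name__ == "__main__":
    for reason, n in failures_by_reason(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {reason}")
```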