[Dovecot] Log format question...
Trying to do a little (cosmetic) tweak to my configuration and just don't seem to be able to come up with a set of options that works.
My POP/IMAP configuration is working just fine in terms of mail retrieval, etc. What I'm seeing in the logs now is...
Aug 13 18:15:17 test2 dovecot: pop3-login: Login: user=<support>, method=PLAIN, rip=10.11.12.12, lip=10.11.12.13
I would prefer (for ease of troubleshooting) to have "user=support@realm.com" appear in the logs instead, to save having to figure the realm from the IP value. Have played around with various combinations of %u, %n and %d and all I seem to be able to accomplish is break the working part of the config. I'm sure the answer is probably something simple, or some combination I haven't tried... but it's certainly escaping me at the moment.
The relevant (I think) part of my config follows. The usernames in the mentioned passwd and shadow files are in the 'user' format (i.e. not 'user@realm').
--snip--
mail_location = mbox:/vhome/%l/home/%n/mail:INBOX=/var/spool/vmail/%l/%n
auth_username_format = %n
passdb passwd-file {
  args = /etc/vmail/shadow.%l
}
userdb passwd-file {
  args = /etc/vmail/passwd.%l
}
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l %c
--snip--
Hints and suggestions appreciated!
Cheers,
Mike <<<<<
On Mon, 2007-08-13 at 18:44 -0600, Mike Cisar wrote:
> auth_username_format = %n
This setting drops the domain part permanently.
> passdb passwd-file {
>   args = /etc/vmail/shadow.%l
> }
> userdb passwd-file {
>   args = /etc/vmail/passwd.%l
> }
Unfortunately you can't tell Dovecot to look up only username from these files without dropping the domain..
Perhaps it would be possible to set back the domain in these files though. You could try adding "user=user@domain" to extra fields in shadow. Or "userdb_user=user@domain" in passwd.
>> auth_username_format = %n
> This setting drops the domain part permanently.
> Unfortunately you can't tell Dovecot to look up only username from these files without dropping the domain..
Thanks Timo. What I don't understand is that given...
%u - username
%n - user part in user@domain, same as %u if there's no domain
%d - domain part in user@domain, empty if there's no domain
Even if the configuration requires the use of %n as the auth username... shouldn't the domain part still be available to me in %d (and likewise the full user@domain still in %u)? In my mind it doesn't make sense (though it may make perfect sense to you, knowing how the coding is done) that %u should be permanently stripped to match %n and %d is blanked... If I know that I need to use %n to look up the authentication and somewhere else in the process I also needed to have just the username part, I would just use %n again. Obviously the %d part is valid at some point, since I can (though in my configuration I chose %l instead) use it to specify the correct path to the passdb and userdb. Since as it stands, in effect %u and %d have one value in some places and a different one in another.
I guess the easiest way of explaining what I mean is to say... is there any reason (programming-wise) that the value of %u can't always be left the full user@domain from the client request, %n always be just the username portion and %d always the domain portion... from the start of execution of the client request to the end? Treated as constants rather than modified partway through the execution? Whether we use %n in one spot doesn't seem to negate that we might want %u and %d for something somewhere else.
As I type, now that I think of it, I can see that having the value of %u change to represent the "username as used" as opposed to "username as submitted by client" could make sense. Maybe just %n and %d should/could be left constant? I could easily build the "user@domain" that I want in the logfile entry with "%n@%d"... If I still had the domain in %d.
Cheers,
Mike <<<<<
On Sat, 2007-08-25 at 10:48 -0600, Mike Cisar wrote:
>>> auth_username_format = %n
>> This setting drops the domain part permanently.
> I guess the easiest way of explaining what I mean is to say... is there any reason (programming-wise) that the value of %u can't always be left the full user@domain from the client request, %n always be just the username portion and %d always the domain portion... from the start of execution of the client request to the end? Treated as constants rather than modified partway through the execution? Whether we use %n in one spot doesn't seem to negate that we might want %u and %d for something somewhere else.
The problem is how auth_username_format works. It permanently changes %u (and as a result %n and %d too) to the newly specified format, which in your case drops the domain.
Perhaps it should only change %u temporarily for the passdb and userdb lookups, but still not touch the username sent to mail process. Except some people probably want it to change it permanently, so I can't just change the behavior without possibly breaking existing setups. And I don't really like adding a new auth_username_lookup_format setting either, there are too many settings already. Hmm.
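Added example, not part of the thread and not Dovecot code: a simplified Python model of the behaviour described above, comparing the permanent rewrite done by auth_username_format with the lookup-only rewrite considered in the last message. The function names, the `permanent` switch and the client login name support@realm.com are assumptions made for illustration.

```python
import re

# Login log elements copied from the configuration posted in the thread.
ELEMENTS = "user=<%u> method=%m rip=%r lip=%l %c"

def split_user(username):
    """Derive %u, %n and %d from one username string."""
    name, _, domain = username.partition("@")
    return {"u": username, "n": name, "d": domain}

def expand(template, variables):
    """Substitute %x variables; unset ones expand to an empty string."""
    return re.sub(r"%(\w)", lambda m: variables.get(m.group(1), ""), template)

def authenticate(client_username, auth_username_format, permanent):
    """Return (passdb/userdb lookup name, username variables seen afterwards)."""
    submitted = split_user(client_username)
    lookup_name = expand(auth_username_format, submitted)
    # permanent=True: the rewritten name replaces %u, so %n and %d follow it.
    # permanent=False: hypothetical lookup-only rewrite; originals are kept.
    later = split_user(lookup_name) if permanent else submitted
    return lookup_name, later

def login_log_line(user_vars, conn_vars, elements=ELEMENTS):
    """Join elements with ', ', skipping those whose variables are all empty."""
    variables = {**conn_vars, **user_vars}
    kept = [expand(e, variables) for e in elements.split()
            if any(variables.get(v) for v in re.findall(r"%(\w)", e))]
    return ", ".join(kept)

# Constructed sample: connection values from the log line in the thread,
# client login name assumed to be the full address.
CONN = {"m": "PLAIN", "r": "10.11.12.12", "l": "10.11.12.13", "c": ""}

if __name__ == "__main__":
    for permanent in (True, False):
        lookup, user_vars = authenticate("support@realm.com", "%n", permanent)
        print("permanent" if permanent else "lookup-only", "->", lookup)
        print("  ", login_log_line(user_vars, CONN))
        print("   %n@%d =", expand("%n@%d", user_vars))
```

With the permanent rewrite the model reproduces the log line from the first message and "%n@%d" degrades to "support@"; in the lookup-only case both lookups still use "support" while the log keeps the full address.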
participants (2)
- Mike Cisar
- Timo Sirainen