Get a list of currently active IMAP connections?
Hello Dovecot community,
I have a question: is it possible to programmatically get from Dovecot a list of currently active IMAP sessions (with IP addresses)? Via a plugin or something?
Or just check if there is an IMAP session currently open from a particular IP address, with true/false type answer?
I'm planning to implement a policy service for *Postfix* that will revive the old "POP before SMTP" authorization concept (only it will be "IMAP before SMTP" this time). This policy service will reject connections to mail submission ports (465, 587) - without even going to SMTP AUTH phase - unless the connecting IP address has currently an IMAP session open to Dovecot, to mitigate SMTP AUTH attacks.
But for this I need some way to check from within this policy service if the particular IP address has a connection open or not. It could be of course obtained by scanning Dovecot logs, but this involves quite a large overhead. Therefore I'm looking for the way to get this information directly from Dovecot's current state.
Can you advise me of any way to do this?
Or maybe someone has already written such a piece of software and it is available somewhere on the Net?
Regards, Jaroslaw Rafa raj@rafa.eu.org
"In a million years, when kids go to school, they're gonna know: once there was a Hushpuppy, and she lived with her daddy in the Bathtub."
Have you tried doveadm who?
Aki
On 16/08/2022 23:15 EEST Jaroslaw Rafa raj@rafa.eu.org wrote:
On 16.08.2022 at 23:19:14 Aki Tuomi wrote:
Why haven't I found it in the documentation? I was really searching... :) Thank you!
But this still requires launching an external executable for each connection request. Optimal solution would be to get it via some socket, or something like this...
Regards, Jaroslaw Rafa raj@rafa.eu.org
On 16/08/2022 23:34 EEST Jaroslaw Rafa raj@rafa.eu.org wrote:
doveadm_password = secret
service doveadm {
  inet_listener http {
    port = 8080
  }
}
should allow you to use the who command over the HTTP API.
Aki
On 16.08.2022 at 23:37:05 Aki Tuomi wrote:
It's an interesting option, but after looking into "doveadm" source code I was able to reimplement the query that "doveadm who" does with a few lines of simple Perl code. It's exactly what I want, as it can be easily integrated into a policy service written in Perl.
Thanks again for pointing me in the right direction.
If anybody is interested, here's the code:
#!/usr/bin/perl
use strict;
use warnings;
use IO::Socket::UNIX qw( SOCK_STREAM );

my $sockpath = "/var/run/dovecot/anvil";
my $socket = IO::Socket::UNIX->new(Type => SOCK_STREAM, Peer => $sockpath)
    or die "Can't connect to $sockpath: $!";

# Anvil protocol handshake, followed by the same command "doveadm who" sends.
my $ANVIL_HANDSHAKE = "VERSION\tanvil\t1\t0\n";
my $ANVIL_CMD = $ANVIL_HANDSHAKE . "CONNECT-DUMP\n";

$socket->send($ANVIL_CMD) or die "Socket write error: $!";
my $buffer;
# recv() returns the (possibly empty) peer address on success and undef on error.
defined($socket->recv($buffer, 65536, 0)) or die "Socket read error: $!";
chomp($buffer);
close($socket);

# Each dump line starts with service/ip/user; keep only the IMAP sessions.
foreach my $line (split(/\n/, $buffer)) {
    if ($line =~ m#^imap/([0-9A-Fa-f.:]+)/([^\t]+)\t#) {
        print "IP=$1 user=$2\n";
    }
}
-- Regards, Jaroslaw Rafa raj@rafa.eu.org
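The same anvil query carried through to the Postfix side, as an added example rather than code from the thread (the thread's own snippet is the Perl above; this is a Python counterpart). It assumes the anvil dump line layout the Perl regex relies on, service/ip/user followed by tab-separated fields, and the standard Postfix policy delegation protocol (name=value lines ending in an empty line, answered with action=...). The dump text and the request text below are constructed samples so the decision logic can be run without a live Dovecot.

```python
"""IMAP-before-SMTP decision for a Postfix policy service, fed by Dovecot's anvil.

Added example, not the thread's code. The anvil line format
service/ip/user<TAB>pid<TAB>refcount is an assumption taken from the regex in
the Perl snippet; SAMPLE_DUMP and the requests in __main__ are constructed.
"""
import re
import socket
from typing import Dict, Set

ANVIL_SOCKET = "/var/run/dovecot/anvil"          # socket path named in the thread
ANVIL_HANDSHAKE = b"VERSION\tanvil\t1\t0\n"      # same handshake as the Perl code
ANVIL_CMD = ANVIL_HANDSHAKE + b"CONNECT-DUMP\n"  # the query "doveadm who" issues

# Only identifiers of the form imap/<ip>/<user> are accepted, so a TCP connection
# that has not authenticated (and therefore carries no user) is never counted.
# That is what separates this check from counting sockets with netstat.
IDENT_RE = re.compile(r"^imap/([0-9A-Fa-f.:]+)/([^\t]+)\t")

# Constructed sample: one line per authenticated session, then an empty line.
SAMPLE_DUMP = (
    "imap/192.0.2.10/alice\t4711\t1\n"
    "imap/192.0.2.10/bob\t4712\t1\n"
    "imap/2001:db8::5/carol\t4713\t1\n"
    "pop3/192.0.2.77/dave\t4714\t1\n"
    "\n"
)


def read_connect_dump(sockpath: str = ANVIL_SOCKET) -> str:
    """Fetch anvil's connection table (needs read/write access to the socket)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(sockpath)
        sock.sendall(ANVIL_CMD)
        buf = b""
        # Read until the empty line that terminates the dump, or until EOF;
        # a single recv() can truncate a long table.
        while not buf.endswith(b"\n\n") and buf != b"\n":
            chunk = sock.recv(65536)
            if not chunk:
                break
            buf += chunk
    return buf.decode("utf-8", "replace")


def parse_connect_dump(dump: str) -> Dict[str, Set[str]]:
    """Map each client IP that has an authenticated IMAP session to its users."""
    sessions: Dict[str, Set[str]] = {}
    for line in dump.splitlines():
        m = IDENT_RE.match(line)
        if m:
            sessions.setdefault(m.group(1), set()).add(m.group(2))
    return sessions


def parse_policy_request(raw: str) -> Dict[str, str]:
    """Parse one Postfix policy request: name=value lines up to an empty line."""
    attrs: Dict[str, str] = {}
    for line in raw.split("\n"):
        if line == "":
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def decide(attrs: Dict[str, str], sessions: Dict[str, Set[str]]) -> str:
    """Let Postfix continue (DUNNO) only when the client IP has an IMAP session."""
    client = attrs.get("client_address", "")
    if client in sessions:
        return "DUNNO"  # fall through to the remaining restrictions, incl. AUTH
    return "REJECT No active IMAP session from this address"


def handle_request(raw: str, dump: str) -> str:
    """Full round trip: policy request text in, Postfix policy response out."""
    verdict = decide(parse_policy_request(raw), parse_connect_dump(dump))
    return f"action={verdict}\n\n"


if __name__ == "__main__":
    ok = "request=smtpd_access_policy\nclient_address=192.0.2.10\n\n"
    bad = "request=smtpd_access_policy\nclient_address=198.51.100.9\n\n"
    print(handle_request(ok, SAMPLE_DUMP), end="")   # action=DUNNO
    print(handle_request(bad, SAMPLE_DUMP), end="")  # action=REJECT ...
```

In a real deployment read_connect_dump() replaces SAMPLE_DUMP and the service is attached to the submission smtpd via a check_policy_service entry in its restriction list. Two things worth keeping in mind: the verdict is only a pre-filter in front of SMTP AUTH, since any host sharing a NAT address with a logged-in IMAP user passes it, and the textual IP form Postfix hands over in client_address has to match the form anvil records, which matters for IPv6.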
On 16.08.2022 at 23:54:00 Jaroslaw Rafa wrote:
I have one more question regarding this.
My service needs to access the socket /var/run/dovecot/anvil. The problem is that this socket (at least on my system) has permissions only for root:
srw------- 1 root root 0 May 22 2020 /var/run/dovecot/anvil
And I don't think it's a good idea to run my service as root. Is it possible to add permission to this socket for another user? If yes, what should I change in Dovecot config?
Regards, Jaroslaw Rafa raj@rafa.eu.org
On 20.08.2022 at 19:34:03 Jaroslaw Rafa wrote:
Well, documentation is not very clear on this, but by trial and error I was able to change /var/run/dovecot/anvil socket permissions to:
srw-rw---- 1 root dovecot 0 Aug 21 20:47 /var/run/dovecot/anvil
by putting the following lines into Dovecot configuration:
# this is needed for Postfix IMAP-before-SMTP policy service to access anvil
service anvil {
  unix_listener anvil {
    user = root
    group = dovecot
    mode = 0660
  }
}
Then my service can run under the user "dovecot" and access anvil.
So I'd like to ask - do I create any security risk by changing the anvil socket permissions like above and running my service under "dovecot" user?
Or is it better that I create a special user dedicated only for this service and run the service under that user?
Regards, Jaroslaw Rafa raj@rafa.eu.org
At the risk of being pedestrian, I just use something like sudo netstat -an | grep ‘:[ IMAP_PORT ]’
I’m pretty sure you thought of this but still, thought I would toss it out…
Cheers
On 16 Aug 2022, at 13:15, Jaroslaw Rafa wrote:
On 2022-08-16 16:46, Antonio Leding wrote:
Hi Antonio and Jaroslaw,
I don't think the second solution is pedestrian; I think it's cool that people have come up with different solutions for the same problem!
I am thinking that this may not be the solution that Jaroslaw is looking for, as this also requires spawning a process to run netstat and then capturing the results. The socket approach avoids an additional process.
- J
I use ps (grepping by imap & IDLE):
# ps -axww | grep imap | grep IDLE
then split() in Python
 8606  -  S  0:08.78 imap: [keith@elirpa.com 54.242.98.60 IDLE] (imap)
12234  -  I  0:01.00 imap: [reception@clancyca.com 72.143.119.178 IDLE] (imap)
20668  -  S  0:02.01 imap: [paul@scom.ca 216.58.25.131 IDLE] (imap)
23219  -  I  0:00.33 imap: [clancy@clancyca.com 72.143.119.178 IDLE] (imap)
26761  -  S  0:00.52 imap: [ed.hanna@ekst.ca 204.237.91.165 IDLE] (imap)
26785  -  I  0:00.87 imap: [ed@scom.ca 204.237.91.165 IDLE] (imap)
26787  -  I  0:00.80 imap: [ed.hanna@dssmgmt.com 204.237.91.165 IDLE] (imap)
27378  -  S  0:00.42 imap: [ed@scom.ca 204.237.91.165 IDLE] (imap)
31404  -  S  0:03.90 imap: [paul@scom.ca 216.58.25.131 IDLE] (imap)
32494  -  S  0:00.13 imap: [installers@tomkudla.ca 167.94.196.10 IDLE] (imap)
32497  -  S  0:00.13 imap: [installers@tomkudla.ca 167.94.196.10 IDLE] (imap)
33809  -  I  0:00.28 imap: [clancy@clancyca.com 72.143.119.178 IDLE] (imap)
36321  -  I  0:00.21 imap: [clancy@clancyca.com 72.143.119.178 IDLE] (imap)
39188  -  I  0:00.39 imap: [clancy@clancyca.com 72.143.119.178 IDLE] (imap)
42706  -  S  0:00.45 imap: [ed@scom.ca 204.237.91.165 IDLE] (imap)
46356  -  S  0:02.98 imap: [rcooke@tnky.ca 198.91.141.141 IDLE] (imap)
46422  -  S  0:01.32 imap: [rcooke@tnky.ca 198.91.141.141 IDLE] (imap)
46424  -  S  0:01.27 imap: [rcooke@tnky.ca 198.91.141.141 IDLE] (imap)
50756  -  S  0:01.36 imap: [rcooke@tnky.ca 198.91.141.141 IDLE] (imap)
58656  -  I  0:00.07 imap: [ditchburn@clancyca.com 216.58.50.30 IDLE] (imap)
63886  -  S  0:00.70 imap: [rcooke@tnky.ca 198.91.141.141 IDLE] (imap)
68246  -  I  0:00.08 imap: [li@clancyca.com 72.143.119.178 IDLE] (imap)
74719  -  I  0:00.03 imap: [dan@elirpa.com 142.183.30.44 IDLE] (imap)
76580  -  I  0:00.02 imap: [info@willsagriquipandfencing.ca 173.32.244.194 IDLE] (imap)
76584  -  I  0:00.02 imap: [howard@willsagriquipandfencing.ca 173.32.244.194 IDLE] (imap)
77567  -  S  0:00.04 imap: [rcooke@tnky.ca 198.91.141.141 IDLE] (imap)
77569  -  I  0:00.03 imap: [rcooke@tnky.ca 198.91.141.141 IDLE] (imap)
Happy Friday !!! Thanks - paul
Paul Kudla
Scom.ca Internet Services http://www.scom.ca 004-1009 Byron Street South Whitby, Ontario - Canada L1N 4S3
Toronto 416.642.7266 Main 1.866.411.7266 Fax 1.888.892.7266 Email paul@scom.ca
On 8/18/2022 6:28 PM, J Doe wrote:
Hi Paul, with your command syntax I get no account/IP on Debian GNU/Linux:
$ ps -axww | grep imap
19024 ?        S      0:00 dovecot/imap
19696 ?        S      0:00 dovecot/imap
20515 ?        S      0:04 dovecot/imap
22247 pts/4    S+     0:00 grep imap
24720 ?        S      0:03 dovecot/imap
24991 ?        S      0:00 dovecot/imap
25446 ?        S      0:03 dovecot/imap
25447 ?        S      0:04 dovecot/imap
25475 ?        S      0:03 dovecot/imap
31778 ?        S      6:10 dovecot/imap-login
Narcis Garcia
I'm using this dedicated address because personal addresses aren't masked enough at this mail public archive. Public archive administrator should fix this against automated addresses collectors.
On 19/8/22 at 8:22, Paul Kudla (SCOM.CA Internet Services Inc.) wrote:
Add verbose_proctitle = yes to your config to get usernames and IPs in the ps listing.
What config?
I see no configuration file documented on ps manpage.
Narcis Garcia
On 19/8/22 at 9:33, 202107-dovecot@planhack.com wrote:
dovecot.conf, not ps config.
Aki
On 19/08/2022 10:38 EEST Narcis Garcia debianlists@actiu.net wrote:
Do you mean ps is reading dovecot.conf ?!
Narcis Garcia
On 19/8/22 at 9:40, Aki Tuomi wrote:
NO ....
it is showing active open imap connections
fyi
Happy Friday !!! Thanks - paul
On 8/19/2022 3:40 AM, Narcis Garcia wrote:
(after setting and restarting service)
$ cat /etc/dovecot/dovecot.conf | grep -ie 'include'
!include_try /usr/share/dovecot/protocols.d/*.protocol
# Most of the actual configuration gets included below. The filenames are
!include conf.d/*.conf
# A config file can also tried to be included without giving an error if
!include_try local.conf

$ cat /etc/dovecot/local.conf | grep -ie 'proctitle'
verbose_proctitle = yes

$ ps -axww | grep imap
24595 ?        S      0:00 dovecot/imap
24596 ?        S      0:00 dovecot/imap-login
24602 ?        S      0:00 dovecot/imap
24635 pts/4    R+     0:00 grep imap
BUT LATER, YES. Usernames and IPs appear in ps list!
Narcis Garcia
On 19/8/22 at 9:40, Aki Tuomi wrote:
Hi,
I think this is wrong. With that command you catch all _established_ connections. If I just connect to 993/143 WITHOUT auth, I will have a smtp connection open.
On 16/08/2022 22:46, Antonio Leding wrote:
--
Cristiano Deana
Senior Network Engineer
Digital Response Team
CittaStudi S.p.a.
off. +39 015 855 1172
cell +39 328 310 6392
participants (8): 202107-dovecot@planhack.com, Aki Tuomi, Antonio Leding, Cristiano Deana, J Doe, Jaroslaw Rafa, Narcis Garcia, Paul Kudla (SCOM.CA Internet Services Inc.)