last_login plugin and $remote_ip
Good morning. I am planning a dovecot system with:
- 3 x glusterfs servers (with 2 volumes, 1 SSD for short-term mail, and 1 with bigger HDDs for long-term archive mail)
- 1 x mysql server (another server with active replica will be added)
- 3 x mbox servers (with dovecot pop/imap/lmtp/sieve/postfix)
- 3 x dovecot proxy/directors for pop3/imap/smtp
- 4 x proxmox mail gateway for antispam/antivirus in front of smtp servers
- 1 x centralized syslog server
All have private IP addresses, and in front there is a firewall with HAProxy for high availability and load balancing.
My only problem now is using the last_login plugin; I have configured it on the mailbox servers for pop3/imap, but the IP address that is written to MySQL is the proxy/director address, not the real client IP address. No results using real_remote_ip.
Apr 19 09:14:31 mailbox-01 dovecot: pop3-login: Login: user=<username@domain.it>, method=PLAIN, rip=172.16.27.31, lip=172.16.27.21, mpid=19723, session=<42nHLKv5JsqsEBsf>
Apr 19 09:14:31 mailproxy-01 dovecot: pop3-login: proxy(username@domain.it,172.16.27.21:110): Started proxying to 172.16.27.21 (1.978 secs): user=<username@domain.it>, method=PLAIN, rip=212.66.96.188, lip=172.16.27.31, session=<u4+wLKv5ZUjUQmC8>
Apr 19 09:14:34 mailbox-01 dovecot: pop3(username@domain.it)<19723><42nHLKv5JsqsEBsf>: Disconnected: Logged out top=0/0, retr=0/0, del=0/37, size=115779706
Apr 19 09:14:34 mailproxy-01 dovecot: pop3-login: proxy(username@domain.it,172.16.27.21:110): Disconnected by server (0s idle, in=45, out=82): user=<username@domain.it>, method=PLAIN, rip=212.66.96.188, lip=172.16.27.31, session=<u4+wLKv5ZUjUQmC8>
In the DB I have last_ip: 172.16.27.31, not 212.66.96.188.
dovecot -n
# 2.3.16 (7e2e900c1a): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.16 (09c29328)
# OS: Linux 5.15.0-69-generic x86_64 Ubuntu 22.04.2 LTS
# Hostname: mailbox-01
auth_default_realm = XXXXXXXX.it
default_client_limit = 2500
dict {
  mysql = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
  sieve = mysql:/etc/dovecot/dict-sieve-sql.conf
  sql = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
}
disable_plaintext_auth = no
doveadm_api_key = # hidden, use -P to show it
first_valid_gid = 89
first_valid_uid = 89
imap_client_workarounds = tb-extra-mailbox-sep delay-newmail
login_greeting = Welcome to mail server
mail_fsync = always
mail_gid = 89
mail_location = mbox:~/mail:INBOX=/var/mail/%u
mail_plugins = quota
mail_privileged_group = mail
mail_uid = 89
mailbox_list_index_very_dirty_syncs = yes
mdbox_rotate_size = 128 M
mmap_disable = yes
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
  separator = .
}
passdb {
  driver = pam
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
plugin {
  last_login_dict = proxy::sql
  last_login_key = # hidden, use -P to show it
  last_login_precision = ms
  quota = count:User quota
  quota_clone_dict = proxy::mysql
  quota_grace = 50M
  quota_rule2 = Trash:storage=+100M
  quota_vsizes = yes
  quota_warning = storage=95%% quota-warning 95 %u
  quota_warning2 = storage=80%% quota-warning 80 %u
  sieve = dict:proxy::sieve;name=active
  sieve_extensions = +vacation-seconds
  sieve_vacation_default_period = 7d
  sieve_vacation_max_period = 30d
  sieve_vacation_min_period = 1h
}
pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
protocols = " imap lmtp pop3"
service dict {
  unix_listener dict {
    group = mail2023
    mode = 0660
    user = mail2023
  }
}
service doveadm {
  inet_listener {
    port = 2425
  }
  inet_listener http {
    port = 8080
  }
  unix_listener doveadm-server {
    user = mail2023
  }
}
service imap {
  process_limit = 1024
}
service lmtp {
  inet_listener lmtp {
    port = 24
  }
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = mail2023
    mode = 0666
    user = mail2023
  }
}
service pop3 {
  process_limit = 250
}
service quota-warning {
  executable = script /usr/local/bin/quota-warning.sh
  unix_listener quota-warning {
    mode = 0666
    user = mail2023
  }
  user = mail2023
}
service stats {
  unix_listener stats-reader {
    group = mail2023
    mode = 0660
    user = mail2023
  }
  unix_listener stats-writer {
    group = mail2023
    mode = 0660
    user = mail2023
  }
}
ssl_cert = </etc/dovecot/private/dovecot.pem
ssl_client_ca_dir = /etc/ssl/certs
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
userdb {
  driver = passwd
}
userdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
protocol lmtp {
  mail_plugins = quota sieve quota quota_clone
}
protocol !indexer-worker {
  mail_vsize_bg_after_count = 100
}
protocol lda {
  mail_plugins = quota sieve quota quota_clone
}
protocol imap {
  mail_max_userip_connections = 10
  mail_plugins = quota quota imap_quota quota_clone last_login
}
protocol pop3 {
  mail_max_userip_connections = 2
  mail_plugins = quota quota quota_clone last_login
}
In dovecot-dict-sql.conf.ext there is:
map {
  pattern = shared/last-login/$service/$user/$remote_ip
  table = mail_last_login
  value_field = last_access
  value_type = uint
  fields {
    userid = $user
    service = $service
    last_ip = $remote_ip
  }
}
--
Fabrizio Cuseo - mailto:f.cuseo@panservice.it
Hi Fabrizio,
Set login_trusted_networks on the backends to point to the proxies. This way you'll get the clients' actual IP addresses logged instead of the proxy's.
https://doc.dovecot.org/settings/core/#core_setting-login_trusted_networks
On 19/04/23 09:18, Fabrizio Cuseo wrote:
--
Alessio Cecchi
Postmaster @ http://www.qboxmail.it
https://www.linkedin.com/in/alessice
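The backend side of the fix Alessio describes, written out as an added example (it is not configuration from the thread or from the Dovecot documentation). It targets the mailbox servers, since that is where the last_login plugin runs and where the proxy address was being recorded. 172.16.27.31 is the proxy address visible in the log excerpt; 172.16.27.32 and 172.16.27.33 are assumed placeholders for the other two proxies in the original post, and the last_login_key value is left out because the thread hides it.

```conf
# Added example, not from the thread: dovecot.conf fragment for the backends
# (mailbox-01..03). The proxies need no change; their log line already shows
# the real client as rip=212.66.96.188 while forwarding the session.

# Accept the forwarded client IP only from the proxies/directors.
# 172.16.27.31 is the proxy from the log; .32 and .33 are assumed addresses
# for the other two proxies. List the proxy hosts individually instead of
# the whole 172.16.27.0/24: Dovecot takes the client address asserted by any
# host in these networks on trust, and that address then feeds the rip= log
# field, mail_max_userip_connections and the last_login dict key.
login_trusted_networks = 172.16.27.31 172.16.27.32 172.16.27.33

# last_login settings as already present on the page (key value omitted here;
# keep the one that matches the shared/last-login/... dict map pattern).
plugin {
  last_login_dict = proxy::sql
  last_login_precision = ms
}

# Load the plugin only in the post-login services; $mail_plugins expands to
# the global list (quota), so it does not have to be repeated per protocol.
protocol imap {
  mail_plugins = $mail_plugins imap_quota quota_clone last_login
}
protocol pop3 {
  mail_plugins = $mail_plugins quota_clone last_login
}
```

After `doveadm reload` on each backend, a new POP3 login through the proxy should produce a backend pop3-login line like the one in the original post, but with rip=212.66.96.188 (the client) instead of rip=172.16.27.31 (the proxy); because the dict map uses $remote_ip for last_ip, the mail_last_login row follows automatically. Sessions that were already open keep the old address until they reconnect, so check a fresh login rather than an existing one.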
Oops, thank you, you are right. I had the setting on my test environment servers, but I had not configured it on the production servers :)
----- On 19-Apr-23, at 11:01, Alessio Cecchi via dovecot <dovecot@dovecot.org> wrote:
--
Fabrizio Cuseo - mailto:f.cuseo@panservice.it
Direzione Generale - Panservice InterNetWorking
Servizi Professionali per Internet ed il Networking
Panservice e' associata AIIP - RIPE Local Registry
Phone: +39 0773 410020 - Fax: +39 0773 470219
http://www.panservice.it mailto:info@panservice.it
Numero verde nazionale: 800 901492