[Dovecot] Logging and libwrap
Hi,
A few things regarding logging and libwrap..
a) PAM_RHOST patch Back in July, dean gaudet helpfully posted a patch to dovecot PAM_RHOST the remote IP. Is this going to be included in the main dovecot tree? It seems like a worthwhile addition. The more informative and concise the logging the better.
See http://www.dovecot.org/list/dovecot/2004-July/004011.html for the original message.
b) Better logging Is it possible to get logging of when a client connects and disconnects? I'm very used to seeing this information and it's very useful for debugging user sessions. It's frustrating not being able to easily tell whether a user has opened a connection.
Really many of the log messages could be more verbose. For instance, on disconnect, I see imap-login: Disconnected [ip.here] but the username they were logged in as isn't included. It would be nice to have that rather than having to dig back for a login message with the same IP. Heck, even the pid isn't logged. That would be nice too.
c) libwrap Any chance of getting libwrap support built into dovecot?
Right now I'm running dovecot out of xinetd, so that I can see when tcp connections are opened, and take advantage of tcpwrappers. But this causes the problem that dovecot thinks all connections come from the local host. Correlating logins to IPs gets to be a lot of hassle, with the information divided over so many lines, while needing multiple ways to track which messages from xinetd, dovecot and pam match each other.
With some of the minor logging changes (more info on one line, notification of tcp connections), plus libwrap, it'd be much simpler and much more informative. :)
Thanks for the great imap server. Just thinking of some improvements. :)
Jesse <j@lumiere.net>
On 29.10.2004, at 15:38, Jesse wrote:
a) PAM_RHOST patch Back in July, dean gaudet helpfully posted a patch to dovecot PAM_RHOST the remote IP. Is this going to be included in the main dovecot tree? It seems like a worthwhile addition. The more informative and concise the logging the better.
This feature is already in 1.0-tests, and I don't really want to release any more 0.99.x releases unless really needed.
b) Better logging Is it possible to get logging of when a client connects and disconnects? I'm very used to seeing this information and it's very useful for debugging user sessions. It's frustrating not being able to easily tell whether a user has opened a connection.
Really many of the log messages could be more verbose. For instance, on disconnect, I see imap-login: Disconnected [ip.here] but the username they were logged in as isn't included. It would be nice to have that rather than having to dig back for a login message with the same IP. Heck, even the pid isn't logged. That would be nice too.
With 1.0-tests auth_verbose = yes gives better logging and allows you to log PID for each line.
The "Disconnected" line is written only when a user connected, but didn't log in. There is no logout-line after a successful login.
Anyway, better and more configurable logging is planned..
c) libwrap Any chance of getting libwrap support built into dovecot?
I had thought about that before, but haven't bothered to implement it yet.
Right now I'm running dovecot out of xinetd, so that I can see when tcp connections are opened, and take advantage of tcpwrappers. But this causes the problem that dovecot thinks all connections come from the local host. Correlating logins to IPs gets to be a lot of hassle, with the information divided over so many lines, while needing multiple ways to track which messages from xinetd, dovecot and pam match each other.
Hmm. Why does it do that? I thought the real socket was passed to Dovecot, so the remote address would be correct. Unless you're doing some kind of proxying in the middle?
On Mon, 1 Nov 2004, Timo Sirainen wrote:
a) PAM_RHOST patch
This feature is already in 1.0-tests, and I don't really want to release any more 0.99.x releases unless really needed.
No problem here if it's in a future version. I applied the patch on my own copy already.
b) Better logging
With 1.0-tests auth_verbose = yes gives better logging and allows you to log PID for each line.
The "Disconnected" line is written only when a user connected, but didn't log in. There is no logout-line after a successful login.
Anyway, better and more configurable logging is planned..
Glad to hear, guess I'll have to wait for 1.0!
c) libwrap Any chance of getting libwrap support built into dovecot?
I had thought about that before, but haven't bothered to implement it yet.
I think it would be very useful, as tcp_wrappers tends to be more portable than specific firewall implementations.
From what I can tell from looking at other patches, adding libwrap support is typically a matter of only 1-5 lines.
I tried patching dovecot myself but my understanding of the internals of dovecot is weak and I wasn't successful.
Right now I'm running dovecot out of xinetd, so that I can see when tcp connections are opened, and take advantage of tcpwrappers. But this causes the problem that dovecot thinks all connections come from the local host.
Hmm. Why does it do that? I thought the real socket was passed to Dovecot, so the remote address would be correct. Unless you're doing some kind of proxying in the middle?
I'm not doing anything special. Just a standard xinetd config, server = /usr/libexec/dovecot/imap-login, server_args = --ssl. But that's what I get in my local results -- the IP of the local host's ethernet interface.
Jesse <j@lumiere.net>
participants (2)
-
Jesse
-
Timo Sirainen