Hi, I would like to save every authentication IP address to a database. For IMAP and POP3 everything is working correctly, but I don't know how to configure a post-login script for SMTP AUTH.
Can you help me?
Regards, Jack
On 10/20/2017 03:46 PM, j.emerlik wrote:
> Hi, I would like to save every authentication IP address to a database. For IMAP and POP3 everything is working correctly, but I don't know how to configure a post-login script for SMTP AUTH.
> Can you help me?
> Regards, Jack
It would probably be possible to do this at the MTA. I do it in postfix + mysql. What is your setup like?
I use an access policy server which mostly does rate-limiting and also writes to a database. It's written in Perl. If all you want to do is to write some records for every connection then the script would be rather simple. You just need to put "check_policy_service unix:...." in the right place, presumably in smtpd_client_restrictions. I guess if you put it before permit_sasl_authenticated it would still have the auth details, due to delayed evaluation.
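The policy-service approach described above, as an added example that is not code from any participant in this thread: a Postfix policy delegate in Python that records the SASL username and client address of each authenticated request in SQLite and always answers DUNNO. The table name, the database path and the sample values are assumptions.

```python
import sqlite3
import sys

# Constructed sample: one policy request as Postfix sends it (name=value
# lines, terminated by an empty line). All values are made up.
SAMPLE = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address=192.0.2.10\n"
    "sasl_method=PLAIN\n"
    "sasl_username=jack@example.com\n"
    "\n"
)

def parse_request(text):
    """Turn one request block into a dict; stop at the terminating empty line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs

def open_db(path):
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS smtp_auth (ts TEXT DEFAULT "
               "CURRENT_TIMESTAMP, username TEXT, client_ip TEXT, method TEXT)")
    return db

def handle(attrs, db):
    """Log authenticated requests only; always defer the decision to Postfix."""
    user = attrs.get("sasl_username", "")
    if attrs.get("request") == "smtpd_access_policy" and user:
        # Bound parameters: attribute values originate from the SMTP client.
        db.execute("INSERT INTO smtp_auth (username, client_ip, method) "
                   "VALUES (?, ?, ?)", (user, attrs.get("client_address", ""),
                                        attrs.get("sasl_method", "")))
        db.commit()
    return "action=DUNNO\n\n"

def serve(stream_in, stream_out, db):
    """Answer every request arriving on one connection."""
    block = []
    for line in stream_in:
        block.append(line)
        if line.strip() == "":  # empty line ends the request
            stream_out.write(handle(parse_request("".join(block)), db))
            stream_out.flush()
            block = []

if __name__ == "__main__":
    # Hypothetical path; run under spawn(8) so stdin/stdout are the socket.
    serve(sys.stdin, sys.stdout, open_db("/var/lib/policy-authlog/auth.db"))
```

With Postfix's default delayed evaluation the service is consulted at RCPT TO, so it writes one row per recipient rather than one per login.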
Thx, seems to be a good idea. I understand that Dovecot SASL does not support the Post-Login scripts.
2017-10-20 16:36 GMT+02:00 Gedalya <gedalya@gedalya.net>:
> I use an access policy server which mostly does rate-limiting and also writes to a database. It's written in Perl. If all you want to do is to write some records for every connection then the script would be rather simple. You just need to put "check_policy_service unix:...." in the right place, presumably in smtpd_client_restrictions. I guess if you put it before permit_sasl_authenticated it would still have the auth details, due to delayed evaluation.
On 10/20/2017 04:50 PM, j.emerlik wrote:
> I understand that Dovecot SASL does not support the Post-Login scripts.
Yea, perhaps not. The concept it follows for POP3/IMAP is a wrapper for the executable launched to perform the actual service, and there is no such service when dovecot is only a SASL auth server for an external program.
On the other hand a postfix policy server can let you record a lot of detail about SMTP activity: messages sent, sender/recipient addresses, and client addresses of course.
I might be able to help with putting such a script together, time permitting :-)
Which policy server are you using? One from that list: http://www.postfix.org/addon.html
2017-10-20 16:53 GMT+02:00 Gedalya <gedalya@gedalya.net>:
> On 10/20/2017 04:50 PM, j.emerlik wrote:
>> I understand that Dovecot SASL does not support the Post-Login scripts.
> Yea, perhaps not. The concept it follows for POP3/IMAP is a wrapper for the executable launched to perform the actual service, and there is no such service when dovecot is only a SASL auth server for an external program.
> On the other hand a postfix policy server can let you record a lot of detail about SMTP activity: messages sent, sender/recipient addresses, and client addresses of course.
> I might be able to help with putting such a script together, time permitting :-)
No, it's entirely my own. If all you want to do is write client IP addresses to a database then your script will probably fit in 20 lines of code or so.
On 10/20/2017 05:04 PM, j.emerlik wrote:
> Which policy server are you using? One from that list: http://www.postfix.org/addon.html
Dovecot auth supports auth_policy_server (v2.2.27+, https://wiki.dovecot.org/Authentication/Policy), which you could use for this. There is also https://github.com/PowerDNS/weakforced you can use as policy server, which can also do ratelimiting and such. It also integrates with postfix.
Aki
On October 20, 2017 at 6:12 PM Gedalya <gedalya@gedalya.net> wrote:
> No, it's entirely my own. If all you want to do is write client IP addresses to a database then your script will probably fit in 20 lines of code or so.
Aha. Looks pretty cool, and it's really nice that it supports HTTP. On the other hand if I'm rate limiting the number of messages sent = number of times a client said RCPT TO, I guess it still has to be a postfix policy server? Anyway, thanks for pointing this out, I'm sure I'll use it :-)
On 10/21/2017 02:16 PM, Aki Tuomi wrote:
> Dovecot auth supports auth_policy_server (v2.2.27+, https://wiki.dovecot.org/Authentication/Policy), which you could use for this. There is also https://github.com/PowerDNS/weakforced you can use as policy server, which can also do ratelimiting and such. It also integrates with postfix.
> Aki
Thx for all the suggestions. Regards, Jack
Sent from my mobile device please excuse.
21.10.2017 3:45 PM "Gedalya" <gedalya@gedalya.net> wrote:
> Aha. Looks pretty cool, and it's really nice that it supports HTTP. On the other hand if I'm rate limiting the number of messages sent = number of times a client said RCPT TO, I guess it still has to be a postfix policy server? Anyway, thanks for pointing this out, I'm sure I'll use it :-)
On Saturday 21 October 2017 15:44:52 CEST, Gedalya wrote:
> Aha. Looks pretty cool, and it's really nice that it supports HTTP. On the other hand if I'm rate limiting the number of messages sent = number of times a client said RCPT TO, I guess it still has to be a postfix policy server? Anyway, thanks for pointing this out, I'm sure I'll use it :-)
Very interesting indeed; now I'm using a post-login script to track the IP of the clients, but I'll evaluate the policy as it seems cleaner.
For a simple policy server to use with postfix, you can check out my simple daemon:
https://github.com/SimoneLazzaris/polka
It's written in Go, very simple, efficient but effective. We're using it in production with zero issues.
Simone Lazzaris, Qcom S.p.A., simone.lazzaris@qcom.it | https://www.qcom.it
On 20-10-2017 at 15:46, j.emerlik wrote:
> Hi, I would like to save every authentication IP address to a database. For IMAP and POP3 everything is working correctly, but I don't know how to configure a post-login script for SMTP AUTH.
> Can you help me?
> Regards, Jack
This is how I log the last time someone logged in:
service imap {
  . . .
  executable = imap imap-postlogin
}

service imap-postlogin {
  executable = script-login /usr/local/bin/imap-wrapper.sh
  user = vmail
  unix_listener imap-postlogin {
  }
}
And for pop3 users:
service pop3 {
  . . .
  executable = pop3 pop3-postlogin
}

service pop3-postlogin {
  executable = script-login /usr/local/bin/pop3-wrapper.sh
  user = vmail
  unix_listener pop3-postlogin {
  }
}
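Where imap_wrapper.sh is:
#! /bin/sh
# Record the login time as the mtime of per-user marker files.
touch "/disk/mail/login/imap/$USER"
touch "/disk/mail/login/$USER"
# Hand control to the real imap process.
exec "$@"

And for pop3_wrapper.sh:
#! /bin/sh
# Record the login time as the mtime of per-user marker files.
touch "/disk/mail/login/pop3/$USER"
touch "/disk/mail/login/$USER"
# Hand control to the real pop3 process.
exec "$@"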
This gives me empty files in <path>/login, /login/imap and /login/pop3 with the username as filename. The timestamp of the file is the last login time.
HTH Egbert Jan, NL
participants (5): Aki Tuomi, Egbert, Gedalya, j.emerlik, Simone Lazzaris