auth_policy_server vs client_id and x-originating-ip
I ran into trouble when trying to set up auth_policy_server in Dovecot 2.3.10.1. It works almost as expected, but I cannot get the client ID in this process.
By setting "imap_id_log=*" I can see in the log that Dovecot gets details about the mail client, like name and version:
May 31 14:20:58 mail dovecot: imap(xxx@example.xxx)<24796><ft7ytfCmjdZWMSZQ>: ID sent: name=Thunderbird, version=68.8.1
But the auth_policy_server is getting all details except this ID; it's empty:
May 31 14:20:58 mail auth-policy[10357]: {
May 31 14:20:58 mail auth-policy[10357]:   device_id: '',
May 31 14:20:58 mail auth-policy[10357]:   login: 'xxx@example.xxx',
May 31 14:20:58 mail auth-policy[10357]:   protocol: 'imap',
May 31 14:20:58 mail auth-policy[10357]:   pwhash: '097a',
May 31 14:20:58 mail auth-policy[10357]:   remote: '1.2.3.4',
May 31 14:20:58 mail auth-policy[10357]:   tls: true
May 31 14:20:58 mail auth-policy[10357]: }
However, in some cases I see that client_id is passed to auth_policy_server:
May 31 14:27:41 mail auth-policy[10357]: {
May 31 14:27:41 mail auth-policy[10357]:   device_id: '"name" "Outlook-iOS-Android" "version" "2.0"',
May 31 14:27:41 mail auth-policy[10357]:   login: 'yyy@example.xxx',
May 31 14:27:41 mail auth-policy[10357]:   protocol: 'imap',
May 31 14:27:41 mail auth-policy[10357]:   pwhash: '0b63',
May 31 14:27:41 mail auth-policy[10357]:   remote: '3.4.5.6',
May 31 14:27:41 mail auth-policy[10357]:   tls: true
May 31 14:27:41 mail auth-policy[10357]: }
I think I am missing some important point. Maybe the IMAP ID command and client_id are totally different. Can you please advise? Is it possible to pass details about the mail client to auth_policy_server? My second question is: how can I get "x-originating-ip" from the ID command to auth_policy_server?
Below is my config file:
# 2.3.10.1 (a3d0e1171): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.10 (67bf5bd7)
# OS: Linux 5.3.18-2-pve x86_64 Debian 10.4
# Hostname: mail.z-technics.com
auth_cache_size = 2 M
auth_cache_ttl = 5 mins
auth_master_user_separator = *
auth_mechanisms = plain login
auth_policy_check_before_auth = no
auth_policy_hash_nonce = # hidden, use -P to show it
auth_policy_report_after_auth = no
auth_policy_server_timeout_msecs = 1500
auth_policy_server_url = http://127.0.0.1:8090/
dict {
  acl = pgsql:/etc/dovecot/dovecot-dict-sql.conf.ext
  quota = pgsql:/etc/dovecot/dovecot-dict-sql.conf.ext
}
disable_plaintext_auth = no
imap_client_workarounds = delay-newmail
imap_hibernate_timeout = 5 secs
imap_id_log = *
imap_id_retain = yes
login_trusted_networks = 127.0.0.1
mail_gid = 2000
mail_home = /var/vmail/%d/%n
mail_location = mdbox:~/mdbox:ALT=/var/vmail-archive/%d/%n/mdbox
mail_max_userip_connections = 60
mail_plugins = acl zlib fts quota
mail_uid = 2000
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext vacation-seconds editheader imapsieve vnd.dovecot.imapsieve
mdbox_rotate_interval = 1 days
mdbox_rotate_size = 16 M
passdb {
  args = /etc/dovecot/dovecot-ldap.conf
  driver = ldap
}
passdb {
  args = /etc/dovecot/masters.db
  driver = passwd-file
  master = yes
  pass = yes
}
plugin {
  acl = vfile
  acl_shared_dict = proxy::acl
  imapsieve_mailbox1_before = file:/var/vmail/sieve/report-spam.sieve
  imapsieve_mailbox1_causes = COPY
  imapsieve_mailbox1_name = Spam
  imapsieve_mailbox2_before = file:/var/vmail/sieve/report-ham.sieve
  imapsieve_mailbox2_causes = COPY
  imapsieve_mailbox2_from = Spam
  imapsieve_mailbox2_name = *
  imapsieve_mailbox3_before = file:/var/vmail/sieve/report-spam.sieve
  imapsieve_mailbox3_causes = COPY
  imapsieve_mailbox3_name = Junk
  imapsieve_mailbox4_before = file:/var/vmail/sieve/report-ham.sieve
  imapsieve_mailbox4_causes = COPY
  imapsieve_mailbox4_from = Junk
  imapsieve_mailbox4_name = *
  mailbox_alias_new = Sent Messages
  mailbox_alias_new2 = Sent Items
  mailbox_alias_new3 = Deleted Items
  mailbox_alias_old = Sent
  mailbox_alias_old2 = Sent
  mailbox_alias_old3 = Trash
  quota = dict:User quota::proxy::quota
  quota_grace = 10%%
  quota_rule2 = Trash:ignore
  quota_rule3 = Junk:ignore
  quota_warning = storage=80%% quota-warning 90 %u
  quota_warning2 = storage=85%% quota-warning 95 %u
  quota_warning3 = storage=95%% quota-warning 105 %u
  sieve = /var/vmail/%d/%n/sieve/.sieve
  sieve_after = /var/vmail/%d/%n/sieve/autoreply.sieve
  sieve_before = /var/vmail/sieve/global.sieve
  sieve_dir = /var/vmail/%d/%n/sieve
  sieve_extensions = +editheader +vacation-seconds
  sieve_global_dir = /var/vmail/sieve/
  sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment
  sieve_max_redirects = 20
  sieve_pipe_bin_dir = /usr/lib/dovecot
  sieve_plugins = sieve_imapsieve sieve_extprograms
  sieve_vacation_send_from_recipient = yes
}
protocols = imap sieve lmtp pop3
service auth-worker {
  unix_listener auth-worker {
    user = vmail
  }
  user = $default_internal_user
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  unix_listener auth-userdb {
    mode = 0600
    user = vmail
  }
  user = vmail
}
service dict {
  unix_listener dict {
    mode = 0600
    user = vmail
  }
}
service imap-hibernate {
  unix_listener imap-hibernate {
    group = $default_internal_group
    mode = 0660
  }
}
service imap-login {
  process_min_avail = 10
  service_count = 0
  vsz_limit = 512 M
}
service imap {
  executable = imap
  process_limit = 3500
  unix_listener imap-master {
    user = $default_internal_user
  }
  vsz_limit = 2 G
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
  process_min_avail = 0
  service_count = 1
  vsz_limit = 64 M
}
service managesieve {
  process_limit = 400
}
service pop3-login {
  process_min_avail = 3
  service_count = 0
  vsz_limit = 320 M
}
service pop3 {
  process_limit = 200
  vsz_limit = 320 M
}
service quota-warning {
  executable = script /etc/dovecot/quota_warning.sh
  unix_listener quota-warning {
    mode = 0666
    user = vmail
  }
  user = vmail
}
ssl_cert = </etc/ssl/private/multi.z-technics.cz.dovecot.pem
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
stats_writer_socket_path =
userdb {
  args = /etc/dovecot/dovecot-ldap.conf
  driver = ldap
}
protocol sieve {
  managesieve_implementation_string = Dovecot Pigeonhole
  managesieve_max_compile_errors = 5
}
protocol imap {
  mail_plugins = quota imap_quota fts mailbox_alias imap_acl acl imap_zlib imap_sieve
}
protocol lda {
  mail_fsync = optimized
}
protocol lmtp {
  mail_fsync = optimized
  mail_plugins = quota sieve acl
}
On 31. May 2020, at 15.47, Zdeněk Zámečník <diego@dixy.cz> wrote:
This completely depends on the IMAP client. Some clients send IMAP ID pre-login, and in that case it can be relayed to the auth policy server. Some clients send IMAP ID post-login, and then the auth policy stuff is already completed without the information.
Sami
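As an added example (not the poster's policy server and not Dovecot code), here is a minimal Python auth policy endpoint for the request shape logged above. It parses the quoted-string device_id format Dovecot relays from a pre-login IMAP ID, and, following Sami's explanation, treats an empty device_id as a normal case the decision must not depend on. The "TLS required" rule and the status/msg reply convention are assumptions made for this example.

```python
import json
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

# Dovecot relays the client's IMAP ID fields in device_id as a list of quoted
# strings, e.g. '"name" "Outlook-iOS-Android" "version" "2.0"' (as in the log
# above). It is empty when the client only sends ID after login, because the
# policy request has already been made by then.
_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')


def parse_device_id(device_id):
    """Return the ID fields as a lower-cased key/value dict; {} when empty."""
    items = [re.sub(r'\\(.)', r'\1', m.group(1)) for m in _QUOTED.finditer(device_id or "")]
    # fields come in key/value pairs; a dangling key without a value is dropped
    return {items[i].lower(): items[i + 1] for i in range(0, len(items) - 1, 2)}


def decide(request):
    """Build the reply for one policy request (assumed convention:
    status 0 = allow, status < 0 = reject, status > 0 = tarpit seconds)."""
    client = parse_device_id(request.get("device_id", ""))
    if not request.get("tls", False):
        # constructed rule for this example: refuse credentials offered without TLS
        return {"status": -1, "msg": "TLS required"}
    label = client.get("name", "unknown client")
    if "version" in client:
        label += " " + client["version"]
    # device_id may legitimately be empty, so the decision never depends on it;
    # the client details only enrich the log message
    return {"status": 0,
            "msg": "%s from %s via %s" % (label, request.get("remote", "?"),
                                          request.get("protocol", "?"))}


class PolicyHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        reply = json.dumps(decide(json.loads(body))).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(reply)))
        self.end_headers()
        self.wfile.write(reply)


if __name__ == "__main__":
    # same listener as auth_policy_server_url in the config above
    HTTPServer(("127.0.0.1", 8090), PolicyHandler).serve_forever()
```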
Participants (2): Sami Ketola, Zdeněk Zámečník