[Dovecot] mail_log_events, but who exactly triggered events?

Thu Jan 30 13:45:57 EET 2014

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 30 Jan 2014, Reindl Harald wrote:

> Am 30.01.2014 12:04, schrieb Arkadiusz Miśkiewicz:
>> On Thursday 30 of January 2014, Reindl Harald wrote:
>>> Am 30.01.2014 10:50, schrieb Arkadiusz Miśkiewicz:
>>>> mail_log_events is nice addition but how to log who exactly triggered
>>>> particular event? For example 5 users from 5 IP addresses uses single
>>>> imap user/mailbox.
>>>>
>>>> One of them deletes email and I'm logging delete related events. The only
>>>> logged thing is:
>>>>
>>>> dovecot: imap(user): delete: box=INBOX, uid=673287, msgid=<some at thing>,
>>>> size=1230
>>>>
>>>> which tells me nothing about who triggered it actually (note all 5 users
>>>> were logged in at deletion time)
>>>>
>>>> How to solve this problem?
>>>
>>> do not share user-logins
>>
>> I'm not sharing. Customers are.
>>
>>> don't do that for any service, not only mail
>>
>> That impossible to make.
>>
>> Customer creates login "abc" on my server and gives it to 10 employees to
>> watch that mailbox.
>>
>> 10 employees log in to that single accound and do some actions. One of them is
>> "bad" and deletes important mail. I want to be able to figure which one.
>>
>> I have no control over customers. Also I see no sensible reason to disallow
>> such work style
>
> than your answer to them is simply "i can't tell who did what" as long
> they insist on that work style - how is that your problem?

(Y)

@Arkadiusz, please tell us, if 10 people use the same account name and 
password, how would you as a server behind the internet with a human 
brain differ those 10 individuals?

The only idea I, personally, have is the IP address: Do they connect from 
different IP addresses _all_ the time? No NAT involved? Do you know who 
uses which IP address _all_ the time? If so, Dovecot logs the IP address 
during login and you can associate a PID with an IP address, IMHO you can 
add the remote IP address to the log string. Check out the variables page 
in the Wiki.

But, frankly, _if_ you have someone, who is >>"bad" and deletes important 
mail<<, you should see >>sensible reason to disallow such work style<<. 
The next time you see yet another IP address and don't know the user 
again.

- -- 
Steffen Kaiser
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQEVAwUBUuo7dXD1/YhP6VMHAQJdBAf8CEvum1A4mZsCj2I1bJbEalvNupHJl6UQ
SwXmpXa42ldOcg5UDbUG6Xy/PyBzHjGGwFsCA6feFBwDoigM9M0kXJNFw5gfrmk5
cUzAQVEMHGrWNDD/fj9I/7JmBds8/bO7sziPPwwnNtlzva98dwG9RlNdFF09+FcR
TxHq9q8RRgFtWKvh0LtmIcGdJ3+YDTA4I/pZKGKeVXLnsb8+4f1Ep0W2PSMg75Dy
nZ82+CKTwgzROrCMEdAFhIYJTJMDmVd939539Dexp94KsuPhkIKEF59q4NOfvZ0V
OLiymyCGf3DgeCySxONU/E55ihD3RTQX3wmNk10rNOPAKD3Tg4kP0g==
=6ok/
-----END PGP SIGNATURE-----