Question about login_log_format_elements in a proxy environment

John Fawcett john at voipsupport.it
Tue Dec 8 00:22:10 EET 2020


On 07/12/2020 23:09, Adi Pircalabu wrote:
> On 08-12-2020 3:13, John Fawcett wrote:
>> On 07/12/2020 06:02, Adi Pircalabu wrote:
>>> Hi,
>>>
>>> I have a Dovecot proxy setup with several proxy machines (currently
>>> running 2.3.11.3) in front of the real Dovecot servers (2.3.10.1)
>>> storing the mailboxes. "doveconf -a | egrep lip" returns:
>>> login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e
>>> %c session=<%{session}>
>>>
>>> In the real server maillog I'm expecting to have "lip" replaced with
>>> the IP address of the proxy. It works as expected for imap-login
>>> processes, however for pop3-login processes I still see the real
>>> server IP instead of the proxy IP. Ideas?
>>>
>>> Regards,
>>>
>> Hi Adi
>>
>> In general people want to get the original ip not the proxied ip. The
>> proxying of the original ip is done by a different method for imap
>> and pop3.
>>
>> https://wiki.dovecot.org/Design/ParameterForwarding
>>
>> However, unless I'm reading this wrongly, both methods are affected by
>> trusted_networks settings. I guess for people to help further, you'd
>> need to give more info on your configuration settings.
>
> Thanks John. login_trusted_networks, if this is the setting you're
> referring to, lists the proxy IPs. I'd have thought, by having this
> setting on the real servers, the proxy IP will be logged by both IMAP
> and POP3 login processes, but it appears it isn't the case. It works
> for IMAP, not for POP3.
> The reason I need the proxy IP in the "lip" instead of the local IP in
> the real server mail log is that I need to filter certain connections,
> both IMAP and POP3, that are coming directly into the real server IP.
> By capturing the IMAP & POP3 traffic on the real servers and matching
> the results to the mail log entries I *should* be able to tell what
> mail accounts from which remote IP addresses are coming in via the
> proxies and which ones are coming into the real servers directly. Hope
> that makes sense.
> Cheers,
>
The way I read it is that by specifying login_trusted_networks the proxy
ip can be overwritten by the real ip. I think that's the opposite of
what you need.

I can't throw any light on why that is not working for imap but is
working for pop3. But as you don't want the overwriting, maybe you
should try without login_trusted_networks.

John