Question about login_log_format_elements in a proxy environment

John Fawcett john at voipsupport.it
Tue Dec 8 00:41:42 EET 2020


On 07/12/2020 23:22, John Fawcett wrote:
> On 07/12/2020 23:09, Adi Pircalabu wrote:
>> On 08-12-2020 3:13, John Fawcett wrote:
>>> On 07/12/2020 06:02, Adi Pircalabu wrote:
>>>> Hi,
>>>>
>>>> I have a Dovecot proxy setup with several proxy machines (currently
>>>> running 2.3.11.3) in front of the real Dovecot servers (2.3.10.1)
>>>> storing the mailboxes. "doveconf -a | egrep lip" returns:
>>>> login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e
>>>> %c session=<%{session}>
>>>>
>>>> In the real server maillog I'm expecting to have "lip" replaced with
>>>> the IP address of the proxy. It works as expected for imap-login
>>>> processes, however for pop3-login processes I still see the real
>>>> server IP instead of the proxy IP. Ideas?
>>>>
>>>> Regards,
>>>>
>>> Hi Adi
>>>
>>> in general people want to get the original ip not the proxied ip. The
>>> proxying of the original ip is done by a different method for imap
>>> and pop3
>>>
>>> https://wiki.dovecot.org/Design/ParameterForwarding
>>>
>>> However, unless I'm reading this wrongly, both methods are affected by
>>> trusted_networks settings. I guess for people to help further, you'd
>>> need to give more info on your configuration settings.
>> Thanks John. login_trusted_networks, if this is the setting you're
>> referring to, lists the proxy IPs. I'd have thought, by having this
>> setting on the real servers, the proxy IP will be logged by both IMAP
>> and POP3 login processes, but it appears it isn't the case. It works
>> for IMAP, not for POP3.
>> The reason I need the proxy IP in the "lip" instead of the local IP in
>> the real server mail log is that I need to filter certain connections,
>> both IMAP and POP3, that are coming directly into the real server IP.
>> By capturing the IMAP & POP3 traffic on the real servers and matching
>> the results to the mail log entries I *should* be able to tell what
>> mail accounts from which remote IP addresses are coming in via the
>> proxies and which ones are coming into the real servers directly. Hope
>> that makes sense.
>> Cheers,
>>
> The way I read it is that by specifying login_trusted_networks the proxy
> ip can be overwritten by the real ip. I think that's the opposite of
> what you need.
>
> I can't throw any light on why that is not working for imap but is
> working for pop3. But as you don't want the overwriting, maybe you
> should try without login_trusted_networks.
>
> John
>
You're probably not getting the real ip logged for imap despite having
login_trusted_networks due to the default for imap_id_retain on the proxies.

John
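
The log-matching approach described earlier in the thread (using lip to separate logins that arrived through the proxies from logins that hit the real servers directly), as an added example that is not part of the original message. The proxy and backend addresses and the log lines are constructed, and the helper names are hypothetical:

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Assumed addresses from documentation ranges; replace with your own.
PROXY_IPS = {ip_address("192.0.2.10"), ip_address("192.0.2.11")}
BACKEND_IPS = {ip_address("198.51.100.20")}

# Constructed sample lines (not real logs), shaped like the quoted format.
SAMPLE_LOG = """\
Dec  8 00:10:01 be1 dovecot: imap-login: Login: user=<alice@example.org>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, mpid=4101, TLS, session=<s1>
Dec  8 00:10:05 be1 dovecot: pop3-login: Login: user=<bob@example.org>, method=PLAIN, rip=203.0.113.9, lip=198.51.100.20, mpid=4102, TLS, session=<s2>
Dec  8 00:10:09 be1 dovecot: imap-login: Login: user=<carol@example.org>, method=PLAIN, rip=203.0.113.12, lip=198.51.100.20, mpid=4103, TLS, session=<s3>
Dec  8 00:10:11 be1 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<dave@example.org>, method=PLAIN, rip=203.0.113.30, lip=198.51.100.20, TLS, session=<s4>
Dec  8 00:10:15 be1 dovecot: pop3-login: Login: user=<erin@example.org>, method=PLAIN, rip=203.0.113.15, lip=not-an-ip, mpid=4104, session=<s5>
"""

LOGIN_RE = re.compile(r"dovecot: (imap|pop3)-login: Login: (.*)$")
FIELD_RE = re.compile(r"(\w+)=(?:<([^>]*)>|([^,\s]+))")

def parse_login(line):
    """Return a dict of fields for a successful login line, else None."""
    m = LOGIN_RE.search(line)
    if not m:
        return None
    rec = {"service": m.group(1)}
    for key, bracketed, bare in FIELD_RE.findall(m.group(2)):
        rec[key] = bracketed or bare
    return rec

def classify(rec):
    """Label a login by the address logged as lip."""
    try:
        lip = ip_address(rec.get("lip", ""))
    except ValueError:
        return "unknown"  # missing or malformed lip
    if lip in PROXY_IPS:
        return "via-proxy"
    return "direct" if lip in BACKEND_IPS else "unknown"

def summarize(log_text):
    """Map (service, path) -> sorted list of (user, rip)."""
    out = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_login(line)
        if rec:
            out[(rec["service"], classify(rec))].append((rec.get("user"), rec.get("rip")))
    return {k: sorted(v) for k, v in out.items()}
```

Since the thread reports pop3-login lines showing the real server address where the proxy address was expected, a "direct" result for POP3 stays unconfirmed until lip is logged consistently for both services.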


