auth_policy_server vs client_id and x-originating-ip
Zdeněk Zámečník
diego at dixy.cz
Sun May 31 15:47:04 EEST 2020
I ran into trouble when trying to set up auth_policy_server in Dovecot
2.3.10.1. It works almost as expected, but I cannot get the client ID in this
process.
With "imap_id_log=*" set, I can see in the log that Dovecot receives details
about the mail client, such as its name and version:
May 31 14:20:58 mail dovecot:
imap(xxx at example.xxx)<24796><ft7ytfCmjdZWMSZQ>: ID sent:
name=Thunderbird, version=68.8.1
But the auth_policy_server receives all the details except this ID, which is
empty:
May 31 14:20:58 mail auth-policy[10357]: {
May 31 14:20:58 mail auth-policy[10357]: device_id: '',
May 31 14:20:58 mail auth-policy[10357]: login: 'xxx at example.xxx',
May 31 14:20:58 mail auth-policy[10357]: protocol: 'imap',
May 31 14:20:58 mail auth-policy[10357]: pwhash: '097a',
May 31 14:20:58 mail auth-policy[10357]: remote: '1.2.3.4',
May 31 14:20:58 mail auth-policy[10357]: tls: true
May 31 14:20:58 mail auth-policy[10357]: }
However, in some cases I see that client_id is passed to the auth_policy_server:
May 31 14:27:41 mail auth-policy[10357]: {
May 31 14:27:41 mail auth-policy[10357]: device_id: '"name"
"Outlook-iOS-Android" "version" "2.0"',
May 31 14:27:41 mail auth-policy[10357]: login: 'yyy at example.xxx',
May 31 14:27:41 mail auth-policy[10357]: protocol: 'imap',
May 31 14:27:41 mail auth-policy[10357]: pwhash: '0b63',
May 31 14:27:41 mail auth-policy[10357]: remote: '3.4.5.6',
May 31 14:27:41 mail auth-policy[10357]: tls: true
May 31 14:27:41 mail auth-policy[10357]: }
I think I am missing some important point. Maybe the IMAP ID command and
client_id are entirely different things. Can you please advise? Is it possible
to pass details about the mail client to the auth_policy_server? My second
question is: how can I get the "x-originating-ip" from the ID command to the auth_policy_server?
Below is my config file:
# 2.3.10.1 (a3d0e1171): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.10 (67bf5bd7)
# OS: Linux 5.3.18-2-pve x86_64 Debian 10.4
# Hostname: mail.z-technics.com
# NOTE(review): this is doveconf -n output quoted in a mail; long values below
# (managesieve_sieve_capability, protocol imap mail_plugins) appear to have been
# line-wrapped by the mail client and are not multi-line in the real file.
auth_cache_size = 2 M
auth_cache_ttl = 5 mins
auth_master_user_separator = *
# Only PLAIN and LOGIN mechanisms are offered; together with
# disable_plaintext_auth = no below, these credentials can be sent over
# unencrypted connections. Confirm that is intended (e.g. only for trusted
# proxies on login_trusted_networks).
auth_mechanisms = plain login
# NOTE(review): no policy lookup before the credentials are verified, and no
# report after auth. The auth-policy requests seen in the log are presumably
# the after-auth check; confirm this gives the intended rate-limit /
# brute-force coverage, since failed logins are then not reported.
auth_policy_check_before_auth = no
auth_policy_hash_nonce = # hidden, use -P to show it
auth_policy_report_after_auth = no
auth_policy_server_timeout_msecs = 1500
# Plain HTTP without authentication; acceptable only while the policy server
# listens on loopback alone. Note that `pwhash` in the requests is a truncated
# hash of the password, so the policy server sees password-derived data.
auth_policy_server_url = http://127.0.0.1:8090/
dict {
acl = pgsql:/etc/dovecot/dovecot-dict-sql.conf.ext
quota = pgsql:/etc/dovecot/dovecot-dict-sql.conf.ext
}
# See auth_mechanisms above: plaintext authentication without TLS is allowed.
disable_plaintext_auth = no
imap_client_workarounds = delay-newmail
imap_hibernate_timeout = 5 secs
# imap_id_log logs the client's ID command parameters; imap_id_retain keeps
# them so that a pre-login ID can be forwarded (this is presumably what shows
# up as device_id in the auth-policy request). In the quoted log the
# Thunderbird ID is logged by the imap process, i.e. after login, whereas the
# auth-policy request is built at login time -- which would explain why it is
# empty for that client but populated for one that sends ID before LOGIN.
# TODO confirm against the Dovecot auth-policy documentation.
imap_id_log = *
imap_id_retain = yes
# Connections from these networks may assert the real client address (e.g.
# x-originating-ip in the ID command); that forwarded address is presumably
# what the policy request reports as `remote`. Keep this list limited to the
# proxies that are actually trusted, since it lets them spoof the client IP.
login_trusted_networks = 127.0.0.1
mail_gid = 2000
mail_home = /var/vmail/%d/%n
mail_location = mdbox:~/mdbox:ALT=/var/vmail-archive/%d/%n/mdbox
mail_max_userip_connections = 60
mail_plugins = acl zlib fts quota
mail_uid = 2000
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope
encoded-character vacation subaddress comparator-i;ascii-numeric
relational regex imap4flags copy include variables body enotify
environment mailbox date index ihave duplicate mime foreverypart
extracttext vacation-seconds editheader imapsieve vnd.dovecot.imapsieve
mdbox_rotate_interval = 1 days
mdbox_rotate_size = 16 M
passdb {
args = /etc/dovecot/dovecot-ldap.conf
driver = ldap
}
# Master-user passdb backed by a local passwd-file; master logins bypass the
# user's own LDAP password, so protect /etc/dovecot/masters.db accordingly.
passdb {
args = /etc/dovecot/masters.db
driver = passwd-file
master = yes
pass = yes
}
plugin {
acl = vfile
acl_shared_dict = proxy::acl
imapsieve_mailbox1_before = file:/var/vmail/sieve/report-spam.sieve
imapsieve_mailbox1_causes = COPY
imapsieve_mailbox1_name = Spam
imapsieve_mailbox2_before = file:/var/vmail/sieve/report-ham.sieve
imapsieve_mailbox2_causes = COPY
imapsieve_mailbox2_from = Spam
imapsieve_mailbox2_name = *
imapsieve_mailbox3_before = file:/var/vmail/sieve/report-spam.sieve
imapsieve_mailbox3_causes = COPY
imapsieve_mailbox3_name = Junk
imapsieve_mailbox4_before = file:/var/vmail/sieve/report-ham.sieve
imapsieve_mailbox4_causes = COPY
imapsieve_mailbox4_from = Junk
imapsieve_mailbox4_name = *
mailbox_alias_new = Sent Messages
mailbox_alias_new2 = Sent Items
mailbox_alias_new3 = Deleted Items
mailbox_alias_old = Sent
mailbox_alias_old2 = Sent
mailbox_alias_old3 = Trash
quota = dict:User quota::proxy::quota
quota_grace = 10%%
quota_rule2 = Trash:ignore
quota_rule3 = Junk:ignore
quota_warning = storage=80%% quota-warning 90 %u
quota_warning2 = storage=85%% quota-warning 95 %u
quota_warning3 = storage=95%% quota-warning 105 %u
sieve = /var/vmail/%d/%n/sieve/.sieve
sieve_after = /var/vmail/%d/%n/sieve/autoreply.sieve
sieve_before = /var/vmail/sieve/global.sieve
sieve_dir = /var/vmail/%d/%n/sieve
sieve_extensions = +editheader +vacation-seconds
sieve_global_dir = /var/vmail/sieve/
# vnd.dovecot.pipe lets global (admin-owned) scripts run programs from
# sieve_pipe_bin_dir; it is only enabled for global scripts here, not for
# user scripts -- keep it that way.
sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment
sieve_max_redirects = 20
sieve_pipe_bin_dir = /usr/lib/dovecot
sieve_plugins = sieve_imapsieve sieve_extprograms
sieve_vacation_send_from_recipient = yes
}
protocols = imap sieve lmtp pop3
service auth-worker {
unix_listener auth-worker {
user = vmail
}
user = $default_internal_user
}
service auth {
# Postfix SASL socket: owner/group postfix, not world-accessible.
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
}
unix_listener auth-userdb {
mode = 0600
user = vmail
}
user = vmail
}
service dict {
unix_listener dict {
mode = 0600
user = vmail
}
}
service imap-hibernate {
unix_listener imap-hibernate {
group = $default_internal_group
mode = 0660
}
}
service imap-login {
process_min_avail = 10
service_count = 0
vsz_limit = 512 M
}
service imap {
executable = imap
process_limit = 3500
unix_listener imap-master {
user = $default_internal_user
}
vsz_limit = 2 G
}
service lmtp {
unix_listener /var/spool/postfix/private/dovecot-lmtp {
group = postfix
mode = 0600
user = postfix
}
}
service managesieve-login {
inet_listener sieve {
port = 4190
}
process_min_avail = 0
service_count = 1
vsz_limit = 64 M
}
service managesieve {
process_limit = 400
}
service pop3-login {
process_min_avail = 3
service_count = 0
vsz_limit = 320 M
}
service pop3 {
process_limit = 200
vsz_limit = 320 M
}
service quota-warning {
executable = script /etc/dovecot/quota_warning.sh
# NOTE(review): 0666 makes this socket reachable by every local user, so any
# local account can trigger quota_warning.sh with arguments of its choosing.
# Confirm that is acceptable, or restrict it to the mail user/group.
unix_listener quota-warning {
mode = 0666
user = vmail
}
user = vmail
}
ssl_cert = </etc/ssl/private/multi.z-technics.cz.dovecot.pem
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
# Empty value: presumably disables the stats writer socket -- verify.
stats_writer_socket_path =
userdb {
args = /etc/dovecot/dovecot-ldap.conf
driver = ldap
}
protocol sieve {
managesieve_implementation_string = Dovecot Pigeonhole
managesieve_max_compile_errors = 5
}
protocol imap {
mail_plugins = quota imap_quota fts mailbox_alias imap_acl acl
imap_zlib imap_sieve
}
protocol lda {
mail_fsync = optimized
}
protocol lmtp {
mail_fsync = optimized
mail_plugins = quota sieve acl
}