auth_policy_server vs client_id and x-originating-ip

Zdeněk Zámečník diego at dixy.cz
Sun May 31 15:47:04 EEST 2020


I ran into trouble when trying to set up auth_policy_server in Dovecot 
2.3.10.1. It works almost as expected, but I cannot get the client ID 
passed along in this process.

With "imap_id_log=*" set, I can see in the log that Dovecot receives 
details about the mail client, such as its name and version:

May 31 14:20:58 mail dovecot: 
imap(xxx at example.xxx)<24796><ft7ytfCmjdZWMSZQ>: ID sent: 
name=Thunderbird, version=68.8.1


But the auth_policy_server receives all the other details while this ID 
(device_id) is empty:

May 31 14:20:58 mail auth-policy[10357]: {
May 31 14:20:58 mail auth-policy[10357]:   device_id: '',
May 31 14:20:58 mail auth-policy[10357]:   login: 'xxx at example.xxx',
May 31 14:20:58 mail auth-policy[10357]:   protocol: 'imap',
May 31 14:20:58 mail auth-policy[10357]:   pwhash: '097a',
May 31 14:20:58 mail auth-policy[10357]:   remote: '1.2.3.4',
May 31 14:20:58 mail auth-policy[10357]:   tls: true
May 31 14:20:58 mail auth-policy[10357]: }


However, in some cases I see that the client ID is passed to auth_policy_server:

May 31 14:27:41 mail auth-policy[10357]: {
May 31 14:27:41 mail auth-policy[10357]:   device_id: '"name" 
"Outlook-iOS-Android" "version" "2.0"',
May 31 14:27:41 mail auth-policy[10357]:   login: 'yyy at example.xxx',
May 31 14:27:41 mail auth-policy[10357]:   protocol: 'imap',
May 31 14:27:41 mail auth-policy[10357]:   pwhash: '0b63',
May 31 14:27:41 mail auth-policy[10357]:   remote: '3.4.5.6',
May 31 14:27:41 mail auth-policy[10357]:   tls: true
May 31 14:27:41 mail auth-policy[10357]: }

I think I am missing an important point. Maybe the IMAP ID command and 
client_id are entirely different things. Can you please advise? Is it 
possible to pass details about the mail client to auth_policy_server? My 
second question is: how can I get the "x-originating-ip" value from the 
ID command to auth_policy_server?

Below is my config file:

# 2.3.10.1 (a3d0e1171): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.10 (67bf5bd7)
# OS: Linux 5.3.18-2-pve x86_64 Debian 10.4
# Hostname: mail.z-technics.com
# Cached passdb/userdb results are reused for up to auth_cache_ttl; a password
# change or account lock can take that long to be noticed by cached logins.
auth_cache_size = 2 M
auth_cache_ttl = 5 mins
# Master-user logins use "user*master" (see the masters.db passdb below).
auth_master_user_separator = *
# Plaintext mechanisms only; together with disable_plaintext_auth = no these
# are also offered on connections that have not negotiated TLS.
auth_mechanisms = plain login
# Policy server: neither the pre-auth lookup nor the result report is enabled,
# so the request shown in the mail is presumably the post-auth check
# (auth_policy_check_after_auth keeping its default) — verify with doveconf -a.
auth_policy_check_before_auth = no
# Secret that salts the pwhash sent to the policy server; keep it private.
auth_policy_hash_nonce = # hidden, use -P to show it
auth_policy_report_after_auth = no
auth_policy_server_timeout_msecs = 1500
# Plain HTTP is acceptable only because it stays on loopback: the request
# carries the login name, remote IP and a truncated password hash (see the
# auth-policy log excerpt above).
auth_policy_server_url = http://127.0.0.1:8090/
dict {
   acl = pgsql:/etc/dovecot/dovecot-dict-sql.conf.ext
   quota = pgsql:/etc/dovecot/dovecot-dict-sql.conf.ext
}
# Allows PLAIN/LOGIN without TLS; the "tls" field in the policy request shows
# whether a given login was actually protected.
disable_plaintext_auth = no
imap_client_workarounds = delay-newmail
imap_hibernate_timeout = 5 secs
# Log every ID command (this is where the Thunderbird name/version line comes from).
imap_id_log = *
# Retain ID command data for forwarding. NOTE(review): only ID data the client
# sends before it logs in can exist when the auth policy request is built,
# which would explain why device_id is filled for some clients and empty for
# others — confirm by checking each client's command order in the log.
imap_id_retain = yes
# Connections from these addresses may override the client IP/port that logging
# and authentication see (e.g. a forwarded originating IP); keep this list
# limited to trusted proxies.
login_trusted_networks = 127.0.0.1
mail_gid = 2000
mail_home = /var/vmail/%d/%n
mail_location = mdbox:~/mdbox:ALT=/var/vmail-archive/%d/%n/mdbox
mail_max_userip_connections = 60
mail_plugins = acl zlib fts quota
mail_uid = 2000
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope 
encoded-character vacation subaddress comparator-i;ascii-numeric 
relational regex imap4flags copy include variables body enotify 
environment mailbox date index ihave duplicate mime foreverypart 
extracttext vacation-seconds editheader imapsieve vnd.dovecot.imapsieve
mdbox_rotate_interval = 1 days
mdbox_rotate_size = 16 M

# Primary authentication against LDAP.
passdb {
   args = /etc/dovecot/dovecot-ldap.conf
   driver = ldap
}
# Master-user passwords; pass = yes continues to the regular passdb for the
# target user after the master password matches.
passdb {
   args = /etc/dovecot/masters.db
   driver = passwd-file
   master = yes
   pass = yes
}
plugin {
   acl = vfile
   acl_shared_dict = proxy::acl
   # COPY into/out of Spam and Junk runs the report-spam/report-ham scripts
   # from the global sieve directory (admin-owned, not user-editable).
   imapsieve_mailbox1_before = file:/var/vmail/sieve/report-spam.sieve
   imapsieve_mailbox1_causes = COPY
   imapsieve_mailbox1_name = Spam
   imapsieve_mailbox2_before = file:/var/vmail/sieve/report-ham.sieve
   imapsieve_mailbox2_causes = COPY
   imapsieve_mailbox2_from = Spam
   imapsieve_mailbox2_name = *
   imapsieve_mailbox3_before = file:/var/vmail/sieve/report-spam.sieve
   imapsieve_mailbox3_causes = COPY
   imapsieve_mailbox3_name = Junk
   imapsieve_mailbox4_before = file:/var/vmail/sieve/report-ham.sieve
   imapsieve_mailbox4_causes = COPY
   imapsieve_mailbox4_from = Junk
   imapsieve_mailbox4_name = *
   mailbox_alias_new = Sent Messages
   mailbox_alias_new2 = Sent Items
   mailbox_alias_new3 = Deleted Items
   mailbox_alias_old = Sent
   mailbox_alias_old2 = Sent
   mailbox_alias_old3 = Trash
   quota = dict:User quota::proxy::quota
   quota_grace = 10%%
   quota_rule2 = Trash:ignore
   quota_rule3 = Junk:ignore
   # Thresholds hand off to the quota-warning service defined below.
   quota_warning = storage=80%% quota-warning 90 %u
   quota_warning2 = storage=85%% quota-warning 95 %u
   quota_warning3 = storage=95%% quota-warning 105 %u
   sieve = /var/vmail/%d/%n/sieve/.sieve
   sieve_after = /var/vmail/%d/%n/sieve/autoreply.sieve
   sieve_before = /var/vmail/sieve/global.sieve
   sieve_dir = /var/vmail/%d/%n/sieve
   # Extra extensions granted to user scripts.
   sieve_extensions = +editheader +vacation-seconds
   sieve_global_dir = /var/vmail/sieve/
   # pipe/environment are enabled only for global (admin-owned) scripts, and
   # pipe is limited to binaries under sieve_pipe_bin_dir; user scripts do not
   # get them.
   sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment
   sieve_max_redirects = 20
   sieve_pipe_bin_dir = /usr/lib/dovecot
   sieve_plugins = sieve_imapsieve sieve_extprograms
   sieve_vacation_send_from_recipient = yes
}
protocols = imap sieve lmtp pop3
service auth-worker {
   unix_listener auth-worker {
     user = vmail
   }
   user = $default_internal_user
}
service auth {
   # SASL socket for Postfix; 0660 limits access to the postfix user/group.
   unix_listener /var/spool/postfix/private/auth {
     group = postfix
     mode = 0660
     user = postfix
   }
   # userdb lookups exposed only to vmail.
   unix_listener auth-userdb {
     mode = 0600
     user = vmail
   }
   user = vmail
}
service dict {
   unix_listener dict {
     mode = 0600
     user = vmail
   }
}
service imap-hibernate {
   unix_listener imap-hibernate {
     group = $default_internal_group
     mode = 0660
   }
}
service imap-login {
   process_min_avail = 10
   service_count = 0
   vsz_limit = 512 M
}
service imap {
   executable = imap
   process_limit = 3500
   unix_listener imap-master {
     user = $default_internal_user
   }
   vsz_limit = 2 G
}
service lmtp {
   unix_listener /var/spool/postfix/private/dovecot-lmtp {
     group = postfix
     mode = 0600
     user = postfix
   }
}
service managesieve-login {
   # ManageSieve exposed on TCP 4190.
   inet_listener sieve {
     port = 4190
   }
   process_min_avail = 0
   service_count = 1
   vsz_limit = 64 M
}
service managesieve {
   process_limit = 400
}
service pop3-login {
   process_min_avail = 3
   service_count = 0
   vsz_limit = 320 M
}
service pop3 {
   process_limit = 200
   vsz_limit = 320 M
}
# Runs the warning script as vmail when a quota threshold is crossed.
service quota-warning {
   executable = script /etc/dovecot/quota_warning.sh
   # 0666 lets any local process connect and trigger the script; if other
   # local users exist, prefer 0660 with the group that actually needs it.
   unix_listener quota-warning {
     mode = 0666
     user = vmail
   }
   user = vmail
}
# ssl = required is not set (presumably the default ssl = yes), so STARTTLS is
# offered but, combined with disable_plaintext_auth = no, not enforced.
ssl_cert = </etc/ssl/private/multi.z-technics.cz.dovecot.pem
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
# Empty value: stats writer socket disabled.
stats_writer_socket_path =
userdb {
   args = /etc/dovecot/dovecot-ldap.conf
   driver = ldap
}
protocol sieve {
   managesieve_implementation_string = Dovecot Pigeonhole
   managesieve_max_compile_errors = 5
}
protocol imap {
   mail_plugins = quota imap_quota fts mailbox_alias imap_acl acl 
imap_zlib imap_sieve
}
protocol lda {
   mail_fsync = optimized
}
protocol lmtp {
   mail_fsync = optimized
   mail_plugins = quota sieve acl
}


