On 18.10.2016 14:16, Arkadiusz Miśkiewicz wrote:
> On Monday 17 of October 2016, KT Walrus wrote:
>>> On Oct 17, 2016, at 2:41 AM, Arkadiusz Miśkiewicz <arekm at maven.pl> wrote:
>>>
>>> On Monday 30 of May 2016, Arkadiusz Miśkiewicz wrote:
>>>> Is there a way to log SNI hostname used in TLS session? Info is there in
>>>> SSL_CTX_set_tlsext_servername_callback, dovecot copies it to
>>>> ssl_io->host.
>>>>
>>>> Unfortunately I don't see it expanded to any variables (
>>>> http://wiki.dovecot.org/Variables ). Please consider this to be a
>>>> feature request.
>>>>
>>>> The goal is to be able to see which hostname client used like:
>>>>
>>>> May 30 08:21:19 xxx dovecot: pop3-login: Login: user=<abc>,
>>>> method=PLAIN, rip=1.1.1.1, lip=2.2.2.2, mpid=17135, TLS,
>>>> SNI=pop3.somehost.org, session=<hfS9Qwk03sBTBnrN>
>>>
>>> Dear dovecot team, would it be possible to add such variable ^^^^^ ?
>>>
>>> That would be a neat feature because server operator would know what
>>> hostname client uses to connect to server (which is really useful in
>>> case of many hostnames pointing to single IP).
>>
>> I'd love to be able to use this SNI domain name in the Dovecot IMAP proxy
>> for use in the SQL password_query. This would allow the proxy to support
>> multiple IMAP server domains each with their own set of users. And, it
>> would save me money by using only the IP of the proxy for all the IMAP
>> server domains instead of giving each domain a unique IP.
>
> It only needs to be carefully implemented on dovecot side as TLS SNI hostname
> is information passed directly by client.
>
> So some fqdn name validation would need to happen in case the client has
> malicious intent.
>
>> Kevin
>

Hi!

I wonder if this would be of any help? It provides %{local_name}
passdb/userdb variable, you can use it for some logging too...

https://github.com/dovecot/core/commit/fe791e96fdf796f7d8997ee0515b163dc5eddd72

Aki
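The point raised in the quoted text above, that the TLS SNI name is supplied by the client and needs FQDN validation before it is used in a passdb SQL query, can be illustrated with the following added Python example. It is not code from this thread or from Dovecot: it assumes an operator-maintained set of served mail domains and uses a constructed in-memory SQLite table in place of a real passdb; the function and table names are hypothetical.

```python
import re
import sqlite3

# RFC 1123 hostname label: 1-63 characters, letters/digits/hyphen,
# no leading or trailing hyphen.
_LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$", re.IGNORECASE)


def normalize_sni(name):
    """Lower-case the client-supplied SNI and drop one trailing dot.
    Returns None for empty input (client sent no server_name extension)."""
    if not name:
        return None
    name = name.strip().lower()
    if name.endswith("."):
        name = name[:-1]
    return name or None


def is_valid_fqdn(name):
    """Syntax check only: total length <= 253, every label RFC 1123 compliant,
    at least two labels, last label not all digits (rejects IPv4 literals)."""
    if name is None or len(name) > 253:
        return False
    labels = name.split(".")
    if len(labels) < 2:
        return False
    if not all(_LABEL_RE.match(label) for label in labels):
        return False
    if labels[-1].isdigit():
        return False
    return True


def resolve_mail_domain(sni, served_domains):
    """Map a client-supplied SNI to one of the operator's configured mail
    domains. Anything not explicitly configured is rejected (None), so the
    value that reaches the database is always one the operator chose."""
    name = normalize_sni(sni)
    if not is_valid_fqdn(name):
        return None
    return name if name in served_domains else None


def build_passdb():
    """Constructed stand-in for a SQL passdb: one users table keyed by domain."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (domain TEXT, username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("imap.example.org", "alice", "{PLAIN}secret1"),
        ("mail.example.net", "alice", "{PLAIN}secret2"),
    ])
    return db


def lookup_password(db, sni, username, served_domains):
    """Password lookup scoped by the validated SNI domain. The query is
    parameterized, so even a hostile SNI string never becomes SQL syntax."""
    domain = resolve_mail_domain(sni, served_domains)
    if domain is None:
        return None
    row = db.execute(
        "SELECT password FROM users WHERE domain = ? AND username = ?",
        (domain, username),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    served = {"imap.example.org", "mail.example.net"}
    db = build_passdb()
    for sni in ("IMAP.Example.ORG.", "evil.example.com", "x' OR '1'='1", None):
        print(repr(sni), "->", lookup_password(db, sni, "alice", served))
```

Both checks matter: the syntax test rejects garbage, and the allow-list keeps a well-formed but foreign name from selecting rows for a domain this server does not serve. Single-label names are rejected on purpose, since operators configure FQDNs for mail domains.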
On Thursday 20 of October 2016, Aki Tuomi wrote:
> On 18.10.2016 14:16, Arkadiusz Miśkiewicz wrote:
> > On Monday 17 of October 2016, KT Walrus wrote:
> >>> On Oct 17, 2016, at 2:41 AM, Arkadiusz Miśkiewicz <arekm at maven.pl>
> >>> wrote:
> >>>
> >>> On Monday 30 of May 2016, Arkadiusz Miśkiewicz wrote:
> >>>> Is there a way to log SNI hostname used in TLS session? Info is there
> >>>> in SSL_CTX_set_tlsext_servername_callback, dovecot copies it to
> >>>> ssl_io->host.
> >>>>
> >>>> Unfortunately I don't see it expanded to any variables (
> >>>> http://wiki.dovecot.org/Variables ). Please consider this to be a
> >>>> feature request.
> >>>>
> >>>> The goal is to be able to see which hostname client used like:
> >>>>
> >>>> May 30 08:21:19 xxx dovecot: pop3-login: Login: user=<abc>,
> >>>> method=PLAIN, rip=1.1.1.1, lip=2.2.2.2, mpid=17135, TLS,
> >>>> SNI=pop3.somehost.org, session=<hfS9Qwk03sBTBnrN>
> >>>
> >>> Dear dovecot team, would it be possible to add such variable ^^^^^ ?
> >>>
> >>> That would be a neat feature because server operator would know what
> >>> hostname client uses to connect to server (which is really useful in
> >>> case of many hostnames pointing to single IP).
> >>
> >> I'd love to be able to use this SNI domain name in the Dovecot IMAP
> >> proxy for use in the SQL password_query. This would allow the proxy to
> >> support multiple IMAP server domains each with their own set of users.
> >> And, it would save me money by using only the IP of the proxy for all
> >> the IMAP server domains instead of giving each domain a unique IP.
> >
> > It only needs to be carefully implemented on dovecot side as TLS SNI
> > hostname is information passed directly by client.
> >
> > So some fqdn name validation would need to happen in case the client has
> > malicious intent.
> >
> >> Kevin
>
> Hi!
>
> I wonder if this would be of any help? It provides %{local_name}
> passdb/userdb variable, you can use it for some logging too...
>
> https://github.com/dovecot/core/commit/fe791e96fdf796f7d8997ee0515b163dc5eddd72

Should it work for such usage, too?

login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e local_name=%{local_name} %c session=<%{session}>

Because I'm not getting local_name logged at all (dovecot -a shows it's there).

> Aki

Thanks,
-- 
Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )
On 20.10.2016 15:41, Arkadiusz Miśkiewicz wrote:
> On Thursday 20 of October 2016, Aki Tuomi wrote:
>> On 18.10.2016 14:16, Arkadiusz Miśkiewicz wrote:
>>> On Monday 17 of October 2016, KT Walrus wrote:
>>>>> On Oct 17, 2016, at 2:41 AM, Arkadiusz Miśkiewicz <arekm at maven.pl>
>>>>> wrote:
>>>>>
>>>>> On Monday 30 of May 2016, Arkadiusz Miśkiewicz wrote:
>>>>>> Is there a way to log SNI hostname used in TLS session? Info is there
>>>>>> in SSL_CTX_set_tlsext_servername_callback, dovecot copies it to
>>>>>> ssl_io->host.
>>>>>>
>>>>>> Unfortunately I don't see it expanded to any variables (
>>>>>> http://wiki.dovecot.org/Variables ). Please consider this to be a
>>>>>> feature request.
>>>>>>
>>>>>> The goal is to be able to see which hostname client used like:
>>>>>>
>>>>>> May 30 08:21:19 xxx dovecot: pop3-login: Login: user=<abc>,
>>>>>> method=PLAIN, rip=1.1.1.1, lip=2.2.2.2, mpid=17135, TLS,
>>>>>> SNI=pop3.somehost.org, session=<hfS9Qwk03sBTBnrN>
>>>>>
>>>>> Dear dovecot team, would it be possible to add such variable ^^^^^ ?
>>>>>
>>>>> That would be a neat feature because server operator would know what
>>>>> hostname client uses to connect to server (which is really useful in
>>>>> case of many hostnames pointing to single IP).
>>>>
>>>> I'd love to be able to use this SNI domain name in the Dovecot IMAP
>>>> proxy for use in the SQL password_query. This would allow the proxy to
>>>> support multiple IMAP server domains each with their own set of users.
>>>> And, it would save me money by using only the IP of the proxy for all
>>>> the IMAP server domains instead of giving each domain a unique IP.
>>>
>>> It only needs to be carefully implemented on dovecot side as TLS SNI
>>> hostname is information passed directly by client.
>>>
>>> So some fqdn name validation would need to happen in case the client has
>>> malicious intent.
>>>
>>>> Kevin
>>
>> Hi!
>>
>> I wonder if this would be of any help? It provides %{local_name}
>> passdb/userdb variable, you can use it for some logging too...
>>
>> https://github.com/dovecot/core/commit/fe791e96fdf796f7d8997ee0515b163dc5eddd72
>
> Should it work for such usage, too?
>
> login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e
> local_name=%{local_name} %c session=<%{session}>
>
> Because I'm not getting local_name logged at all (dovecot -a shows it's there).
>
>> Aki
> Thanks,

How did you try? With openssl you need to use

openssl s_client -connect ... -servername something

Aki