On 20.10.2016 15:41, Arkadiusz Miśkiewicz wrote:
> On Thursday 20 of October 2016, Aki Tuomi wrote:
>> On 18.10.2016 14:16, Arkadiusz Miśkiewicz wrote:
>>> On Monday 17 of October 2016, KT Walrus wrote:
>>>>> On Oct 17, 2016, at 2:41 AM, Arkadiusz Miśkiewicz <arekm at maven.pl>
>>>>> wrote:
>>>>>
>>>>> On Monday 30 of May 2016, Arkadiusz Miśkiewicz wrote:
>>>>>> Is there a way to log SNI hostname used in TLS session? Info is there
>>>>>> in SSL_CTX_set_tlsext_servername_callback, dovecot copies it to
>>>>>> ssl_io->host.
>>>>>>
>>>>>> Unfortunately I don't see it expanded to any variables (
>>>>>> wiki.dovecot.org/Variables ). Please consider this to be a
>>>>>> feature request.
>>>>>>
>>>>>> The goal is to be able to see which hostname client used like:
>>>>>>
>>>>>> May 30 08:21:19 xxx dovecot: pop3-login: Login: user=<abc>,
>>>>>> method=PLAIN, rip=1.1.1.1, lip=2.2.2.2, mpid=17135, TLS,
>>>>>> SNI=pop3.somehost.org, session=<hfS9Qwk03sBTBnrN>
>>>>> Dear dovecot team, would it be possible to add such variable ^^^^^ ?
>>>>>
>>>>> That would be neat feature because server operator would know what
>>>>> hostname client uses to connect to server (which is really useful in
>>>>> case of many hostnames pointing to single IP).
>>>> I'd love to be able to use this SNI domain name in the Dovecot IMAP
>>>> proxy for use in the SQL password_query. This would allow the proxy to
>>>> support multiple IMAP server domains each with their own set of users.
>>>> And, it would save me money by using only the IP of the proxy for all
>>>> the IMAP server domains instead of giving each domain a unique IP.
>>> It only needs to be carefully implemented on dovecot side as TLS SNI
>>> hostname is information passed directly by client.
>>>
>>> So some fqdn name validation would need to happen in case if client has
>>> malicious intents.
>>>
>>>> Kevin
>> Hi!
>>
>> I wonder if this would be of any help? It provides %{local_name}
>> passdb/userdb variable, you can use it for some logging too...
>>
>> github.com/dovecot/core/commit/fe791e96fdf796f7d8997ee0515b163dc5eddd72
> Should it work for such usage, too?
>
> login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e
> local_name=%{local_name} %c session=<%{session}>
>
> Because I'm not getting local_name logged at all (dovecot -a shows it's there).
>
>> Aki
> Thanks,

How did you try? With openssl you need to use openssl s_client -connect ... -servername something

Aki
On Thursday 20 of October 2016, Aki Tuomi wrote:
> On 20.10.2016 15:41, Arkadiusz Miśkiewicz wrote:
> > On Thursday 20 of October 2016, Aki Tuomi wrote:
> >> On 18.10.2016 14:16, Arkadiusz Miśkiewicz wrote:
> >>> On Monday 17 of October 2016, KT Walrus wrote:
> >>>>> On Oct 17, 2016, at 2:41 AM, Arkadiusz Miśkiewicz <arekm at maven.pl>
> >>>>> wrote:
> >>>>>
> >>>>> On Monday 30 of May 2016, Arkadiusz Miśkiewicz wrote:
> >>>>>> Is there a way to log SNI hostname used in TLS session? Info is
> >>>>>> there in SSL_CTX_set_tlsext_servername_callback, dovecot copies it
> >>>>>> to ssl_io->host.
> >>>>>>
> >>>>>> Unfortunately I don't see it expanded to any variables (
> >>>>>> wiki.dovecot.org/Variables ). Please consider this to be a
> >>>>>> feature request.
> >>>>>>
> >>>>>> The goal is to be able to see which hostname client used like:
> >>>>>>
> >>>>>> May 30 08:21:19 xxx dovecot: pop3-login: Login: user=<abc>,
> >>>>>> method=PLAIN, rip=1.1.1.1, lip=2.2.2.2, mpid=17135, TLS,
> >>>>>> SNI=pop3.somehost.org, session=<hfS9Qwk03sBTBnrN>
> >>>>>
> >>>>> Dear dovecot team, would it be possible to add such variable ^^^^^ ?
> >>>>>
> >>>>> That would be neat feature because server operator would know what
> >>>>> hostname client uses to connect to server (which is really useful in
> >>>>> case of many hostnames pointing to single IP).
> >>>>
> >>>> I'd love to be able to use this SNI domain name in the Dovecot IMAP
> >>>> proxy for use in the SQL password_query. This would allow the proxy to
> >>>> support multiple IMAP server domains each with their own set of users.
> >>>> And, it would save me money by using only the IP of the proxy for all
> >>>> the IMAP server domains instead of giving each domain a unique IP.
> >>>
> >>> It only needs to be carefully implemented on dovecot side as TLS SNI
> >>> hostname is information passed directly by client.
> >>>
> >>> So some fqdn name validation would need to happen in case if client has
> >>> malicious intents.
> >>>
> >>>> Kevin
> >>
> >> Hi!
> >>
> >> I wonder if this would be of any help? It provides %{local_name}
> >> passdb/userdb variable, you can use it for some logging too...
> >>
> >> github.com/dovecot/core/commit/fe791e96fdf796f7d8997ee0515b163dc5eddd72
> >
> > Should it work for such usage, too?
> >
> > login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e
> > local_name=%{local_name} %c session=<%{session}>
> >
> > Because I'm not getting local_name logged at all (dovecot -a shows it's
> > there).
> >
> >> Aki
> >
> > Thanks,
>
> How did you try? With openssl you need to use openssl s_client -connect
> ... -servername something

Yes, using it. -servername is mandatory for TLS SNI to work.

I'm getting correct certificate (as shown by openssl s_client). Certificate that's configured with local_name, so TLS SNI works fine on client and dovecot side.

ps. I'm using 2.2.25 + above %{local_name} patch. Could some other patch be needed for this to work?

> Aki

-- 
Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )
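The thread raises two uses of the client-supplied SNI name that Dovecot exposes as %{local_name}: logging it, and selecting a per-domain user set in a proxy password_query. The example below is added here and is not code from the thread or from Dovecot: it validates the name as an FQDN before use, then binds it as a query parameter. The users table, its rows and the sqlite lookup are constructed for the example.

```python
import re
import sqlite3

# Constructed example, not Dovecot code: validate a client-supplied TLS SNI
# value (what Dovecot's %{local_name} carries) before it reaches a log line
# or a database lookup, as argued for in the thread.

# One DNS label: 1-63 chars, alphanumerics and '-', no leading/trailing '-'.
_LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def normalize_sni(name):
    """Return the lower-cased FQDN if NAME is a well-formed hostname, else None.

    RFC 6066 forbids IP literals in SNI; RFC 1123 bounds a label to 63 octets
    and a name to 253. Anything else is rejected rather than logged or used.
    """
    if not isinstance(name, str) or not name:
        return None
    name = name.lower().rstrip(".")
    if len(name) > 253:
        return None
    labels = name.split(".")
    if len(labels) < 2 or any(not _LABEL_RE.match(lbl) for lbl in labels):
        return None
    if labels[-1].isdigit():  # all-numeric TLD: an IPv4 literal, not a hostname
        return None
    return name


# Constructed sample rows standing in for the proxy's SQL user table.
_SAMPLE_USERS = [
    ("abc", "pop3.somehost.org", "hash-a"),
    ("abc", "imap.example.net", "hash-b"),
]


def open_sample_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, domain TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", _SAMPLE_USERS)
    return db


def password_query(db, username, sni):
    """Look up USERNAME within the domain the client named via SNI.

    The SNI value is validated first and then bound as a parameter, so a
    hostile client can neither inject SQL nor pick a malformed domain.
    """
    domain = normalize_sni(sni)
    if domain is None:
        return None
    row = db.execute(
        "SELECT password FROM users WHERE username = ? AND domain = ?",
        (username, domain),
    ).fetchone()
    return row[0] if row else None
```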
On 20.10.2016 15:52, Arkadiusz Miśkiewicz wrote:
> > ... -servername something

If you want to try out, try applying this patch...

>From 066edb5e5c14a05c90e9ae63f0b76fcfd9c1149e Mon Sep 17 00:00:00 2001From: Aki Tuomi <aki.tuomi at dovecot.fi> Date: Thu, 20 Oct 2016 16:06:27 +0300 Subject: [PATCH] login-common: Include local_name in login_var_expand_table This way it can be used in login_log_format --- src/login-common/client-common.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/login-common/client-common.c b/src/login-common/client-common.c index d0a9c52..5964ec9 100644 --- a/src/login-common/client-common.c +++ b/src/login-common/client-common.c @@ -507,6 +507,7 @@ static struct var_expand_table login_var_expand_empty_tab[] = { { '\0', NULL, "auth_username" }, { '\0', NULL, "auth_domain" }, { '\0', NULL, "listener" }, + { '\0', NULL, "local_name" }, { '\0', NULL, NULL } }; @@ -581,6 +582,7 @@ get_var_expand_table(struct client *client) tab[24].value = tab[21].value; } tab[25].value = client->listener_name; + tab[26].value = client->local_name == NULL ? "" : client->local_name; return tab; } -- 2.7.4
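Review bot: in the first hunk the new `{ '\0', NULL, "local_name" }` entry is placed right before the `{ '\0', NULL, NULL }` terminator, and its position is what the numeric `tab[N]` indices in the second hunk rely on; a short comment on the table stating that entry order must match the indices in get_var_expand_table() would stop the next appended entry from silently shifting them.

Review bot: in the second hunk `tab[26].value = client->local_name == NULL ? "" : client->local_name;` hands the client-supplied SNI string straight into the expand table that login_log_format_elements is rendered from, with no hostname check; as raised earlier in the thread, the value should be validated (or at least restricted to hostname characters) before it is expanded into log output, and the hard-coded 26 must stay in step with the table edited in the first hunk.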