Hi.

I'm using nologin with own reason [1]. That works fine. For example pop3
client gets nice message like "-ERR [AUTH] Account is locked. Please contact
support."

Unfortunately maillog lacks information details about why user was not allowed
to log in.

pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<testuser>, method=LOGIN, rip=1.1.1.1, lip=2.2.2.2, session=<yIsRftBBmsrB7y2h>

Is it possible to log "reason" there, too? (whether it is default/internal
dovecot reason or my custom one).

reason is the only thing in maillog that allows to distinguish why user was
not allowed to log in.

1. http://wiki2.dovecot.org/PasswordDatabase/ExtraFields

-- 
Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )

On Nov 21, 2016, at 7:39 AM, Arkadiusz Miśkiewicz <arekm at maven.pl> wrote:
> reason is the only thing in maillog that allows to distinguish why user was
> not allowed to log in.

Um… the only thing? How about where you set the reason in the first place?

I think the assumption with nologin is that the admin knows the reason,
especially considering that nologin is drastic and is almost certain to
confuse the user's MUA, so should only be used in dire cases.

On Monday 21 of November 2016, @lbutlr wrote:
> On Nov 21, 2016, at 7:39 AM, Arkadiusz Miśkiewicz <arekm at maven.pl> wrote:
> > reason is the only thing in maillog that allows to distinguish why user
> > was not allowed to log in.
>
> Um… the only thing? How about where you set the reason in the first place?

That "first" place is constantly changing (database) and I'm looking at logs
from X days/weeks ago, so database doesn't even have old info.

Log is the only place where it would make sense to store a reason.

> I think the assumption with nologin is that the admin knows the reason,
> especially considering that nologin is drastic and is almost certain to
> confuse the user's MUA, so should only be used in dire cases.

4 different and dynamically changing reasons possible, so it's not that simple.

-- 
Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )

On 21 Nov 2016, at 16.39, Arkadiusz Miśkiewicz <arekm at maven.pl> wrote:
>
> Hi.
>
> I'm using nologin with own reason [1]. That works fine. For example pop3
> client gets nice message like "-ERR [AUTH] Account is locked. Please contact
> support."
>
> Unfortunately maillog lacks information details about why user was not allowed
> to log in.
>
> pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<testuser>,
> method=LOGIN, rip=1.1.1.1, lip=2.2.2.2, session=<yIsRftBBmsrB7y2h>
>
> Is it possible to log "reason" there, too? (whether it is default/internal
> dovecot reason or my custom one).

Does it work if you add:

login_log_format_elements = $login_log_format_elements reason=%{passdb:reason}

On Monday 21 of November 2016, Timo Sirainen wrote:
> On 21 Nov 2016, at 16.39, Arkadiusz Miśkiewicz <arekm at maven.pl> wrote:
> > Hi.
> >
> > I'm using nologin with own reason [1]. That works fine. For example pop3
> > client gets nice message like "-ERR [AUTH] Account is locked. Please
> > contact support."
> >
> > Unfortunately maillog lacks information details about why user was not
> > allowed to log in.
> >
> > pop3-login: Disconnected (auth failed, 1 attempts in 2 secs):
> > user=<testuser>, method=LOGIN, rip=1.1.1.1, lip=2.2.2.2,
> > session=<yIsRftBBmsrB7y2h>
> >
> > Is it possible to log "reason" there, too? (whether it is
> > default/internal dovecot reason or my custom one).
>
> Does it work if you add:
>
> login_log_format_elements = $login_log_format_elements
> reason=%{passdb:reason}

Unfortunately with this empty reason is always logged (for both - allowed and
nologin users)

Nov 22 07:09:08 mbox dovecot[31261]: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<testuser>, method=LOGIN, rip=1.1.1.1, lip=2.2.2.2, session=<vq4dnN1BALXB7y2h>, reason

while user got

-ERR [AUTH] Account is locked. Please contact support.

and I had:

login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e local_name=%{local_name} %c session=<%{session}> reason=%{passdb:reason}

-- 
Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )
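
An added example, not part of the thread: a small Python check an admin could run over maillog after changing login_log_format_elements, to see for each "auth failed" disconnect whether a reason was not logged at all, logged empty (the case reported above), or populated. The function names are hypothetical, and the populated reason= line is a constructed assumption of what a working setting would produce, since the thread does not show one.

```python
import re

# Sample input: the first two lines are the log lines quoted in the thread; the
# third (populated reason=) and fourth (successful login) are constructed.
SAMPLE_LOG = """\
pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<testuser>, method=LOGIN, rip=1.1.1.1, lip=2.2.2.2, session=<yIsRftBBmsrB7y2h>
Nov 22 07:09:08 mbox dovecot[31261]: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<testuser>, method=LOGIN, rip=1.1.1.1, lip=2.2.2.2, session=<vq4dnN1BALXB7y2h>, reason
Nov 22 07:10:41 mbox dovecot[31261]: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<otheruser>, method=LOGIN, rip=1.1.1.1, lip=2.2.2.2, session=<constructed0001>, reason=Account is locked. Please contact support.
Nov 22 07:11:02 mbox dovecot[31261]: pop3-login: Login: user=<gooduser>, method=LOGIN, rip=1.1.1.1, lip=2.2.2.2, session=<constructed0002>
"""

# "<service>-login: <event> (<detail>): <fields>"; the "(detail)" part is optional.
LINE_RE = re.compile(
    r"(?P<service>[\w-]+-login): (?P<event>[^:(]+?)"
    r"(?: \((?P<detail>[^)]*)\))?: (?P<fields>.*)$"
)

def parse_fields(text):
    """Split 'k=v, k=<v>, k' into a dict; a bare key with no '=' maps to None."""
    fields = {}
    # Split only on ', ' that starts a new key, so commas inside a value survive.
    for item in re.split(r", (?=[a-z_]+(?:=|$))", text):
        key, sep, value = item.partition("=")
        fields[key] = value.strip("<>") if sep else None
    return fields

def auth_failures(log_text):
    """Return (user, rip, reason_status) for every 'auth failed' disconnect."""
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or "auth failed" not in (m["detail"] or ""):
            continue
        fields = parse_fields(m["fields"])
        if "reason" not in fields:
            status = "not-logged"      # format element not configured
        elif not fields["reason"]:
            status = "empty"           # element configured, variable expanded to nothing
        else:
            status = fields["reason"]
        results.append((fields.get("user"), fields.get("rip"), status))
    return results

if __name__ == "__main__":
    for user, rip, status in auth_failures(SAMPLE_LOG):
        print(f"{user:<10} {rip:<10} reason: {status}")
```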