Zdeněk Zámečník
2020-May-31 12:47 UTC
auth_policy_server vs client_id and x-originating-ip
I ran into trouble when trying to set up auth_policy_server in Dovecot 2.3.10.1. It works almost as expected, but I cannot get the client ID in this process.

By setting "imap_id_log=*" I see in the log that Dovecot gets details about the mail client like name and version:

May 31 14:20:58 mail dovecot: imap(xxx at example.xxx)<24796><ft7ytfCmjdZWMSZQ>: ID sent: name=Thunderbird, version=68.8.1

But the auth_policy_server is getting all details except this ID, it's empty:

May 31 14:20:58 mail auth-policy[10357]: {
May 31 14:20:58 mail auth-policy[10357]:   device_id: '',
May 31 14:20:58 mail auth-policy[10357]:   login: 'xxx at example.xxx',
May 31 14:20:58 mail auth-policy[10357]:   protocol: 'imap',
May 31 14:20:58 mail auth-policy[10357]:   pwhash: '097a',
May 31 14:20:58 mail auth-policy[10357]:   remote: '1.2.3.4',
May 31 14:20:58 mail auth-policy[10357]:   tls: true
May 31 14:20:58 mail auth-policy[10357]: }

However, in some cases I see that client_id is passed to auth_policy_server:

May 31 14:27:41 mail auth-policy[10357]: {
May 31 14:27:41 mail auth-policy[10357]:   device_id: '"name" "Outlook-iOS-Android" "version" "2.0"',
May 31 14:27:41 mail auth-policy[10357]:   login: 'yyy at example.xxx',
May 31 14:27:41 mail auth-policy[10357]:   protocol: 'imap',
May 31 14:27:41 mail auth-policy[10357]:   pwhash: '0b63',
May 31 14:27:41 mail auth-policy[10357]:   remote: '3.4.5.6',
May 31 14:27:41 mail auth-policy[10357]:   tls: true
May 31 14:27:41 mail auth-policy[10357]: }

I think I am missing some important point. Maybe the IMAP ID command and client_id are totally different. Can you please advise? Is it possible to pass details about the mail client to auth_policy_server?

Second question: how can I get "x-originating-ip" from the ID command to auth_policy_server?
Below is my config file:

# 2.3.10.1 (a3d0e1171): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.10 (67bf5bd7)
# OS: Linux 5.3.18-2-pve x86_64 Debian 10.4
# Hostname: mail.z-technics.com
auth_cache_size = 2 M
auth_cache_ttl = 5 mins
auth_master_user_separator = *
auth_mechanisms = plain login
auth_policy_check_before_auth = no
auth_policy_hash_nonce =  # hidden, use -P to show it
auth_policy_report_after_auth = no
auth_policy_server_timeout_msecs = 1500
auth_policy_server_url = http://127.0.0.1:8090/
dict {
  acl = pgsql:/etc/dovecot/dovecot-dict-sql.conf.ext
  quota = pgsql:/etc/dovecot/dovecot-dict-sql.conf.ext
}
disable_plaintext_auth = no
imap_client_workarounds = delay-newmail
imap_hibernate_timeout = 5 secs
imap_id_log = *
imap_id_retain = yes
login_trusted_networks = 127.0.0.1
mail_gid = 2000
mail_home = /var/vmail/%d/%n
mail_location = mdbox:~/mdbox:ALT=/var/vmail-archive/%d/%n/mdbox
mail_max_userip_connections = 60
mail_plugins = acl zlib fts quota
mail_uid = 2000
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext vacation-seconds editheader imapsieve vnd.dovecot.imapsieve
mdbox_rotate_interval = 1 days
mdbox_rotate_size = 16 M
passdb {
  args = /etc/dovecot/dovecot-ldap.conf
  driver = ldap
}
passdb {
  args = /etc/dovecot/masters.db
  driver = passwd-file
  master = yes
  pass = yes
}
plugin {
  acl = vfile
  acl_shared_dict = proxy::acl
  imapsieve_mailbox1_before = file:/var/vmail/sieve/report-spam.sieve
  imapsieve_mailbox1_causes = COPY
  imapsieve_mailbox1_name = Spam
  imapsieve_mailbox2_before = file:/var/vmail/sieve/report-ham.sieve
  imapsieve_mailbox2_causes = COPY
  imapsieve_mailbox2_from = Spam
  imapsieve_mailbox2_name = *
  imapsieve_mailbox3_before = file:/var/vmail/sieve/report-spam.sieve
  imapsieve_mailbox3_causes = COPY
  imapsieve_mailbox3_name = Junk
  imapsieve_mailbox4_before = file:/var/vmail/sieve/report-ham.sieve
  imapsieve_mailbox4_causes = COPY
  imapsieve_mailbox4_from = Junk
  imapsieve_mailbox4_name = *
  mailbox_alias_new = Sent Messages
  mailbox_alias_new2 = Sent Items
  mailbox_alias_new3 = Deleted Items
  mailbox_alias_old = Sent
  mailbox_alias_old2 = Sent
  mailbox_alias_old3 = Trash
  quota = dict:User quota::proxy::quota
  quota_grace = 10%%
  quota_rule2 = Trash:ignore
  quota_rule3 = Junk:ignore
  quota_warning = storage=80%% quota-warning 90 %u
  quota_warning2 = storage=85%% quota-warning 95 %u
  quota_warning3 = storage=95%% quota-warning 105 %u
  sieve = /var/vmail/%d/%n/sieve/.sieve
  sieve_after = /var/vmail/%d/%n/sieve/autoreply.sieve
  sieve_before = /var/vmail/sieve/global.sieve
  sieve_dir = /var/vmail/%d/%n/sieve
  sieve_extensions = +editheader +vacation-seconds
  sieve_global_dir = /var/vmail/sieve/
  sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment
  sieve_max_redirects = 20
  sieve_pipe_bin_dir = /usr/lib/dovecot
  sieve_plugins = sieve_imapsieve sieve_extprograms
  sieve_vacation_send_from_recipient = yes
}
protocols = imap sieve lmtp pop3
service auth-worker {
  unix_listener auth-worker {
    user = vmail
  }
  user = $default_internal_user
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  unix_listener auth-userdb {
    mode = 0600
    user = vmail
  }
  user = vmail
}
service dict {
  unix_listener dict {
    mode = 0600
    user = vmail
  }
}
service imap-hibernate {
  unix_listener imap-hibernate {
    group = $default_internal_group
    mode = 0660
  }
}
service imap-login {
  process_min_avail = 10
  service_count = 0
  vsz_limit = 512 M
}
service imap {
  executable = imap
  process_limit = 3500
  unix_listener imap-master {
    user = $default_internal_user
  }
  vsz_limit = 2 G
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
  process_min_avail = 0
  service_count = 1
  vsz_limit = 64 M
}
service managesieve {
  process_limit = 400
}
service pop3-login {
  process_min_avail = 3
  service_count = 0
  vsz_limit = 320 M
}
service pop3 {
  process_limit = 200
  vsz_limit = 320 M
}
service quota-warning {
  executable = script /etc/dovecot/quota_warning.sh
  unix_listener quota-warning {
    mode = 0666
    user = vmail
  }
  user = vmail
}
ssl_cert = </etc/ssl/private/multi.z-technics.cz.dovecot.pem
ssl_dh =  # hidden, use -P to show it
ssl_key =  # hidden, use -P to show it
stats_writer_socket_path
userdb {
  args = /etc/dovecot/dovecot-ldap.conf
  driver = ldap
}
protocol sieve {
  managesieve_implementation_string = Dovecot Pigeonhole
  managesieve_max_compile_errors = 5
}
protocol imap {
  mail_plugins = quota imap_quota fts mailbox_alias imap_acl acl imap_zlib imap_sieve
}
protocol lda {
  mail_fsync = optimized
}
protocol lmtp {
  mail_fsync = optimized
  mail_plugins = quota sieve acl
}
> On 31. May 2020, at 15.47, Zdeněk Zámečník <diego at dixy.cz> wrote:
>
> I ran into trouble when trying to set up auth_policy_server in Dovecot 2.3.10.1. It works almost as expected, but I cannot get the client ID in this process.
>
> By setting "imap_id_log=*" I see in the log that Dovecot gets details about the mail client like name and version:
>
> May 31 14:20:58 mail dovecot: imap(xxx at example.xxx)<24796><ft7ytfCmjdZWMSZQ>: ID sent: name=Thunderbird, version=68.8.1
>
> But the auth_policy_server is getting all details except this ID, it's empty:
>
> May 31 14:20:58 mail auth-policy[10357]: {
> May 31 14:20:58 mail auth-policy[10357]:   device_id: '',
> May 31 14:20:58 mail auth-policy[10357]:   login: 'xxx at example.xxx',
> May 31 14:20:58 mail auth-policy[10357]:   protocol: 'imap',
> May 31 14:20:58 mail auth-policy[10357]:   pwhash: '097a',
> May 31 14:20:58 mail auth-policy[10357]:   remote: '1.2.3.4',
> May 31 14:20:58 mail auth-policy[10357]:   tls: true
> May 31 14:20:58 mail auth-policy[10357]: }
>
> However, in some cases I see that client_id is passed to auth_policy_server:
>
> May 31 14:27:41 mail auth-policy[10357]: {
> May 31 14:27:41 mail auth-policy[10357]:   device_id: '"name" "Outlook-iOS-Android" "version" "2.0"',
> May 31 14:27:41 mail auth-policy[10357]:   login: 'yyy at example.xxx',
> May 31 14:27:41 mail auth-policy[10357]:   protocol: 'imap',
> May 31 14:27:41 mail auth-policy[10357]:   pwhash: '0b63',
> May 31 14:27:41 mail auth-policy[10357]:   remote: '3.4.5.6',
> May 31 14:27:41 mail auth-policy[10357]:   tls: true
> May 31 14:27:41 mail auth-policy[10357]: }

This completely depends on the IMAP client. Some clients send IMAP ID pre-login, and in that case it can be relayed to the auth policy server. Some clients send IMAP ID post-login, and then the auth policy stuff is already completed without the information.

Sami
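To make the exchange Sami describes concrete, here is a minimal auth policy server in Python. It is an added example, not code from the thread, from Dovecot or from the poster. It receives the JSON that Dovecot POSTs to auth_policy_server_url (field names taken from the auth-policy log lines above), splits the IMAP ID parameter list carried in device_id into key/value pairs, and answers with the documented {"status": 0} allow reply. The listen address is the one from the posted config. Assumptions: the three sample requests are constructed for the example (the third one models a client that sends x-originating-ip in a pre-login ID, which the thread does not confirm any client does), and the always-allow policy is a placeholder to be replaced with real logic.

```python
"""Minimal Dovecot auth policy server (added example, not Dovecot's own code).

Shows what the policy request looks like on the receiving side and how the
raw IMAP ID string in "device_id" can be parsed.  Field names follow the
auth-policy log lines in the thread; the reply format {"status": 0} (allow)
is the policy-server reply Dovecot expects.  Everything else is assumed.
"""
import json
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

# device_id carries the RFC 2971 parameter list verbatim, e.g.
#   "name" "Outlook-iOS-Android" "version" "2.0"
# Match each double-quoted item (with backslash escapes) or a NIL value.
_ITEM = re.compile(r'"((?:[^"\\]|\\.)*)"|(NIL)')


def parse_imap_id(device_id):
    """Turn Dovecot's device_id string into a {field: value} dict.

    Returns {} when the client sent no ID before login (device_id empty),
    which the thread shows is what happens with Thunderbird.
    """
    items = []
    for quoted, nil in _ITEM.findall(device_id or ""):
        items.append(None if nil else quoted.replace('\\"', '"').replace("\\\\", "\\"))
    # RFC 2971 field names are case-insensitive; pair each name with its value.
    return {items[i].lower(): items[i + 1]
            for i in range(0, len(items) - 1, 2) if items[i] is not None}


# Constructed sample requests, modelled on the two log excerpts in the thread.
SAMPLE_NO_ID = {"device_id": "", "login": "xxx@example.xxx", "protocol": "imap",
                "pwhash": "097a", "remote": "1.2.3.4", "tls": True}
SAMPLE_WITH_ID = {"device_id": '"name" "Outlook-iOS-Android" "version" "2.0"',
                  "login": "yyy@example.xxx", "protocol": "imap",
                  "pwhash": "0b63", "remote": "3.4.5.6", "tls": True}
# Constructed (assumption): a client that relays the end-user address in a
# pre-login ID command, so that it would ride along in device_id.
SAMPLE_PROXIED = {"device_id": '"name" "webmail" "x-originating-ip" "10.0.0.7"',
                  "login": "zzz@example.xxx", "protocol": "imap",
                  "pwhash": "1a2b", "remote": "127.0.0.1", "tls": False}


def decide(request):
    """Build the reply for one policy request and a summary of what was learned.

    The policy itself is a placeholder (always allow).  originating_ip is only
    filled in when the client sent x-originating-ip before login; an empty
    device_id means the ID command (if any) came after authentication.
    """
    client = parse_imap_id(request.get("device_id", ""))
    summary = {
        "login": request.get("login"),
        "remote": request.get("remote"),
        "protocol": request.get("protocol"),
        "tls": request.get("tls"),
        "client_name": client.get("name"),
        "client_version": client.get("version"),
        "originating_ip": client.get("x-originating-ip"),
        "id_sent_before_login": bool(client),
    }
    # status 0 = allow, negative = reject, positive = delay in seconds.
    reply = {"status": 0, "msg": "ok"}
    return reply, summary


class PolicyHandler(BaseHTTPRequestHandler):
    """Answers Dovecot's POST with the JSON reply from decide()."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        try:
            request = json.loads(self.rfile.read(length) or b"{}")
        except ValueError:
            self.send_error(400, "invalid JSON")
            return
        reply, summary = decide(request)
        self.log_message("auth-policy %s", json.dumps(summary))
        body = json.dumps(reply).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Same address as auth_policy_server_url in the posted config.
    HTTPServer(("127.0.0.1", 8090), PolicyHandler).serve_forever()
```

Run it next to Dovecot with the posted auth_policy_server_url and the summary line shows, per login, whether the client identified itself before authenticating. An empty device_id from a client that does log an "ID sent" line later is the post-login case from Sami's reply, not a misconfiguration, so a policy must not treat a missing client name as a signal on its own.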