I ran into trouble setting up auth_policy_server in Dovecot 2.3.10.1. It works almost as expected, but the policy server does not receive the client ID.

With "imap_id_log=*" set, I can see in the log that Dovecot receives details about the mail client, such as its name and version:

May 31 14:20:58 mail dovecot: imap(x...@example.xxx)<24796><ft7ytfCmjdZWMSZQ>: ID sent: name=Thunderbird, version=68.8.1


But the auth_policy_server receives all details except this ID; the device_id field is empty:

May 31 14:20:58 mail auth-policy[10357]: {
May 31 14:20:58 mail auth-policy[10357]:   device_id: '',
May 31 14:20:58 mail auth-policy[10357]:   login: 'x...@example.xxx',
May 31 14:20:58 mail auth-policy[10357]:   protocol: 'imap',
May 31 14:20:58 mail auth-policy[10357]:   pwhash: '097a',
May 31 14:20:58 mail auth-policy[10357]:   remote: '1.2.3.4',
May 31 14:20:58 mail auth-policy[10357]:   tls: true
May 31 14:20:58 mail auth-policy[10357]: }


However, in some cases I see that client_id is passed to auth_policy_server:

May 31 14:27:41 mail auth-policy[10357]: {
May 31 14:27:41 mail auth-policy[10357]:   device_id: '"name" "Outlook-iOS-Android" "version" "2.0"',
May 31 14:27:41 mail auth-policy[10357]:   login: 'y...@example.xxx',
May 31 14:27:41 mail auth-policy[10357]:   protocol: 'imap',
May 31 14:27:41 mail auth-policy[10357]:   pwhash: '0b63',
May 31 14:27:41 mail auth-policy[10357]:   remote: '3.4.5.6',
May 31 14:27:41 mail auth-policy[10357]:   tls: true
May 31 14:27:41 mail auth-policy[10357]: }

I think I am missing some important point. Maybe the IMAP ID command and client_id are totally different things. Can you please advise? Is it possible to pass details about the mail client to auth_policy_server? My second question is: how can I get "x-originating-ip" from the ID command passed to auth_policy_server?

Below is my config file:

# 2.3.10.1 (a3d0e1171): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.10 (67bf5bd7)
# OS: Linux 5.3.18-2-pve x86_64 Debian 10.4
# Hostname: mail.z-technics.com
# The header format suggests this is `doveconf -n` output, i.e. only settings
# that differ from their defaults are listed (presumably; confirm).
auth_cache_size = 2 M
auth_cache_ttl = 5 mins
# Separator for master-user logins; the master accounts come from the
# passwd-file passdb marked master = yes further down.
auth_master_user_separator = *
# PLAIN and LOGIN both transmit the password itself, so its confidentiality
# rests entirely on TLS.
auth_mechanisms = plain login
# Policy-server integration. The pre-auth check and the post-auth report are
# both switched off here. auth_policy_check_after_auth is not listed, so it is
# presumably at its default and is the request that produces the auth-policy
# log entries (confirm).
auth_policy_check_before_auth = no
# Nonce mixed into the password hash sent to the policy server (the pwhash
# field in the request); doveconf masks the value.
auth_policy_hash_nonce = # hidden, use -P to show it
auth_policy_report_after_auth = no
auth_policy_server_timeout_msecs = 1500
# Plain HTTP, but addressed to loopback, so the requests stay on this host.
auth_policy_server_url = http://127.0.0.1:8090/
# SQL-backed dictionaries for shared-ACL lookups and quota usage.
dict {
  acl = pgsql:/etc/dovecot/dovecot-dict-sql.conf.ext
  quota = pgsql:/etc/dovecot/dovecot-dict-sql.conf.ext
}
# Allows cleartext mechanisms on connections that are not protected by TLS.
# NOTE(review): with only PLAIN/LOGIN offered, `yes` (or `ssl = required`) is
# the safer setting unless a legacy client depends on this.
disable_plaintext_auth = no
imap_client_workarounds = delay-newmail
imap_hibernate_timeout = 5 secs
# imap_id_log only controls which ID fields are logged.
# NOTE(review): the auth process, and so the policy request's device_id,
# presumably only sees an ID the client sent before authenticating; a client
# that sends ID after login would appear in this log but not in device_id.
# Confirm against the two log samples in this post.
imap_id_log = *
# Presumably forwards the client's ID from imap-login to the post-login imap
# process (confirm against the 2.3 documentation).
imap_id_retain = yes
# Connections from these addresses may override the client IP/port they
# report (for example a webmail or proxy passing x-originating-ip in ID) and
# are exempt from disable_plaintext_auth. Keep this list as narrow as possible.
login_trusted_networks = 127.0.0.1
mail_gid = 2000
mail_home = /var/vmail/%d/%n
mail_location = mdbox:~/mdbox:ALT=/var/vmail-archive/%d/%n/mdbox
mail_max_userip_connections = 60
mail_plugins = acl zlib fts quota
mail_uid = 2000
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext vacation-seconds editheader imapsieve vnd.dovecot.imapsieve
mdbox_rotate_interval = 1 days
mdbox_rotate_size = 16 M

# Primary credential check against LDAP; the bind and search details live in
# the referenced file, which is not shown.
passdb {
  args = /etc/dovecot/dovecot-ldap.conf
  driver = ldap
}
# Master-user database. master = yes lets these accounts log in as other
# users; pass = yes makes authentication continue to the next passdb, so the
# target user still has to exist there.
# NOTE(review): masters.db holds credentials that open every mailbox; keep its
# file permissions tight and the account list short.
passdb {
  args = /etc/dovecot/masters.db
  driver = passwd-file
  master = yes
  pass = yes
}
# Plugin settings: ACLs, IMAPSieve spam/ham reporting, mailbox aliases, quota
# and Sieve.
plugin {
  acl = vfile
  acl_shared_dict = proxy::acl
  # IMAPSieve rules: a COPY into Spam or Junk runs report-spam.sieve; a COPY
  # out of Spam or Junk into any mailbox runs report-ham.sieve.
  imapsieve_mailbox1_before = file:/var/vmail/sieve/report-spam.sieve
  imapsieve_mailbox1_causes = COPY
  imapsieve_mailbox1_name = Spam
  imapsieve_mailbox2_before = file:/var/vmail/sieve/report-ham.sieve
  imapsieve_mailbox2_causes = COPY
  imapsieve_mailbox2_from = Spam
  imapsieve_mailbox2_name = *
  imapsieve_mailbox3_before = file:/var/vmail/sieve/report-spam.sieve
  imapsieve_mailbox3_causes = COPY
  imapsieve_mailbox3_name = Junk
  imapsieve_mailbox4_before = file:/var/vmail/sieve/report-ham.sieve
  imapsieve_mailbox4_causes = COPY
  imapsieve_mailbox4_from = Junk
  imapsieve_mailbox4_name = *
  mailbox_alias_new = Sent Messages
  mailbox_alias_new2 = Sent Items
  mailbox_alias_new3 = Deleted Items
  mailbox_alias_old = Sent
  mailbox_alias_old2 = Sent
  mailbox_alias_old3 = Trash
  quota = dict:User quota::proxy::quota
  quota_grace = 10%%
  quota_rule2 = Trash:ignore
  quota_rule3 = Junk:ignore
  # Each threshold calls the quota-warning service with a number and the
  # user name (%u) as arguments.
  quota_warning = storage=80%% quota-warning 90 %u
  quota_warning2 = storage=85%% quota-warning 95 %u
  quota_warning3 = storage=95%% quota-warning 105 %u
  sieve = /var/vmail/%d/%n/sieve/.sieve
  sieve_after = /var/vmail/%d/%n/sieve/autoreply.sieve
  sieve_before = /var/vmail/sieve/global.sieve
  sieve_dir = /var/vmail/%d/%n/sieve
  sieve_extensions = +editheader +vacation-seconds
  sieve_global_dir = /var/vmail/sieve/
  # pipe and environment are enabled as global extensions only, so they are
  # meant for administrator-controlled scripts rather than user scripts.
  sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment
  sieve_max_redirects = 20
  # Directory searched for programs that Sieve pipe may run.
  # NOTE(review): this looks like Dovecot's own binary directory; a dedicated
  # directory holding only the intended report scripts would be narrower
  # (confirm).
  sieve_pipe_bin_dir = /usr/lib/dovecot
  sieve_plugins = sieve_imapsieve sieve_extprograms
  sieve_vacation_send_from_recipient = yes
}
# Enabled protocols; each has matching service blocks below.
protocols = imap sieve lmtp pop3
service auth-worker {
  unix_listener auth-worker {
    user = vmail
  }
  user = $default_internal_user
}
service auth {
  # SASL socket for Postfix: reachable by user and group postfix only.
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  # userdb lookups are restricted to the vmail account.
  unix_listener auth-userdb {
    mode = 0600
    user = vmail
  }
  user = vmail
}
service dict {
  unix_listener dict {
    mode = 0600
    user = vmail
  }
}
service imap-hibernate {
  unix_listener imap-hibernate {
    group = $default_internal_group
    mode = 0660
  }
}
service imap-login {
  process_min_avail = 10
  # service_count = 0 lets one login process serve many connections (the
  # performance-oriented mode); pre-auth connections then share a process
  # rather than being isolated one per process as with service_count = 1.
  service_count = 0
  vsz_limit = 512 M
}
service imap {
  executable = imap
  process_limit = 3500
  unix_listener imap-master {
    user = $default_internal_user
  }
  vsz_limit = 2 G
}
service lmtp {
  # LMTP delivery socket for Postfix, owner-only access.
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
  process_min_avail = 0
  # One connection per login process here, unlike imap-login and pop3-login.
  service_count = 1
  vsz_limit = 64 M
}
service managesieve {
  process_limit = 400
}
service pop3-login {
  process_min_avail = 3
  # Same shared-process login mode as imap-login.
  service_count = 0
  vsz_limit = 320 M
}
service pop3 {
  process_limit = 200
  vsz_limit = 320 M
}
service quota-warning {
  executable = script /etc/dovecot/quota_warning.sh
  # NOTE(review): mode 0666 lets any local account connect to this socket and
  # have quota_warning.sh run as vmail. If only the mail processes need it, a
  # tighter mode such as 0600 owned by the mail user is probably enough
  # (confirm which uid the mail processes run as).
  unix_listener quota-warning {
    mode = 0666
    user = vmail
  }
  user = vmail
}
# TLS material. The leading "<" reads the value from the named file; doveconf
# masks the DH parameters and the private key.
ssl_cert = </etc/ssl/private/multi.z-technics.cz.dovecot.pem
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
# Set to an empty value here; presumably this turns off the stats writer
# socket (confirm).
stats_writer_socket_path =
# User lookups use the same LDAP configuration file as the first passdb.
userdb {
  args = /etc/dovecot/dovecot-ldap.conf
  driver = ldap
}
protocol sieve {
  managesieve_implementation_string = Dovecot Pigeonhole
  managesieve_max_compile_errors = 5
}
# Per-protocol overrides of the global mail_plugins list.
protocol imap {
  mail_plugins = quota imap_quota fts mailbox_alias imap_acl acl imap_zlib imap_sieve
}
protocol lda {
  mail_fsync = optimized
}
protocol lmtp {
  mail_fsync = optimized
  mail_plugins = quota sieve acl
}
