Post-login scripting

Post-login scripting

j.emerlik
Hi,
I would like to save every authentication IP address to a database. For
IMAP and POP3 everything is working correctly, but I don't know how to
configure a post-login script for SMTP AUTH.

Can you help me?

Regards,
Jack

Re: Post-login scripting

Gedalya-2
On 10/20/2017 03:46 PM, j.emerlik wrote:
> Hi ,
> I would like to save every authentication IP addresses to database, for
> IMAP and POP3 everything working correct but I don't know how to configure
> Post-login script for SMTP AUTH.
>
> Can you help me ?
>
> Regards,
> Jack

It would probably be possible to do this at the MTA.
I do it in postfix + mysql.
What is your setup like?

Re: Post-login scripting

Egbert Jan van den Bussche
In reply to this post by j.emerlik
On 20-10-2017 at 15:46, j.emerlik wrote:

> Hi ,
> I would like to save every authentication IP addresses to database, for
> IMAP and POP3 everything working correct but I don't know how to configure
> Post-login script for SMTP AUTH.
>
> Can you help me ?
>
> Regards,
> Jack
>
This is how I log the last time someone logged in:

service imap {
.
.
.
  executable = imap imap-postlogin
}

service imap-postlogin {
  executable = script-login /usr/local/bin/imap-wrapper.sh
  user = vmail
  unix_listener imap-postlogin {
  }
}

And for pop3 users:

service pop3 {
.
.
.
  executable = pop3 pop3-postlogin
}

service pop3-postlogin {
  executable = script-login /usr/local/bin/pop3-wrapper.sh
  user = vmail
  unix_listener pop3-postlogin {
  }
}

Where imap-wrapper.sh is:
#!/bin/sh
# Record the last IMAP login; the file's mtime is the login time.
# "$USER" is quoted so an unusual username cannot split into extra arguments.
touch "/disk/mail/login/imap/$USER"
touch "/disk/mail/login/$USER"
exec "$@"

And for pop3-wrapper.sh:
#!/bin/sh
# Same as above, for POP3 logins.
touch "/disk/mail/login/pop3/$USER"
touch "/disk/mail/login/$USER"
exec "$@"

This gives me empty files in <path>/login, /login/imap and /login/pop3
with the username as filename. The timestamp of the file is the last
login time.

HTH
Egbert Jan, NL

Re: Post-login scripting

Gedalya-2
In reply to this post by Gedalya-2
I use an access policy server which mostly does rate-limiting and also
writes to a database.
It's written in perl.
If all you want to do is to write some records for every connection then
the script would be rather simple.
You just need to put "check_policy_service unix:...." in the right
place, presumably in smtpd_client_restrictions, I guess if you put it
before permit_sasl_authenticated it would still have the auth details,
due to delayed evaluation.
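
The Postfix policy-service approach described in the message above, as an added example (not code from this thread or from any poster): a small policy daemon that logs the client IP and SASL username of authenticated SMTP sessions to SQLite and always answers DUNNO, so it never changes the mail decision. The loopback port 10040, the database path and the table layout are assumptions; main.cf would reference the listener as check_policy_service inet:127.0.0.1:10040.

```python
import socketserver
import sqlite3
import time

# Constructed sample of one Postfix policy request (attributes, then an empty line).
SAMPLE_REQUEST = ("request=smtpd_access_policy\nprotocol_state=RCPT\n"
                  "client_address=192.0.2.10\nsasl_method=PLAIN\n"
                  "sasl_username=jack@example.org\n\n")

def open_db(path="smtp_auth.sqlite"):  # assumed database path
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS smtp_auth "
               "(ts INTEGER, username TEXT, client_ip TEXT, method TEXT)")
    return db

def parse_request(text):
    """Turn the name=value lines of one policy request into a dict."""
    attrs = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs

def record(db, attrs, now=None):
    """Log authenticated sessions only; the reply is always neutral."""
    user = attrs.get("sasl_username", "")
    if attrs.get("request") == "smtpd_access_policy" and user:
        # Bound parameters: client-supplied usernames never reach the SQL text.
        db.execute("INSERT INTO smtp_auth VALUES (?, ?, ?, ?)",
                   (int(now or time.time()), user,
                    attrs.get("client_address", ""), attrs.get("sasl_method", "")))
        db.commit()
    return "action=DUNNO\n\n"  # leave the decision to the later restrictions

class PolicyHandler(socketserver.StreamRequestHandler):
    def handle(self):
        db, lines = open_db(), []  # one SQLite connection per Postfix connection
        for raw in self.rfile:     # Postfix may reuse the connection for many requests
            line = raw.decode("utf-8", "replace").rstrip("\r\n")
            if line:
                lines.append(line)
            else:                  # an empty line ends the request
                self.wfile.write(record(db, parse_request("\n".join(lines))).encode())
                lines = []
        db.close()

if __name__ == "__main__":
    # Assumed listener address; bind to loopback only.
    socketserver.ThreadingTCPServer(("127.0.0.1", 10040), PolicyHandler).serve_forever()
```

Because the reply is always DUNNO, a failure to log has no effect on whether mail is accepted; rows are written only when sasl_username is non-empty.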

Re: Post-login scripting

j.emerlik
Thx, seems to be a good idea.
I understand that Dovecot SASL does not support the Post-Login scripts.

2017-10-20 16:36 GMT+02:00 Gedalya <[hidden email]>:

> I use an access policy server which mostly does rate-limiting and also
> writes to a database.
> It's written in perl.
> If all you want to do is to write some records for every connection then
> the script would be rather simple.
> You just need to put "check_policy_service unix:...." in the right place,
> presumably in smtpd_client_restrictions, I guess if you put it before
> permit_sasl_authenticated it would still have the auth details, due to
> delayed evaluation.
>

Re: Post-login scripting

Gedalya-2
On 10/20/2017 04:50 PM, j.emerlik wrote:

> I understand that Dovecot SASL does not support the Post-Login scripts.
Yea, perhaps not. The concept it follows for POP3/IMAP is a wrapper for
the executable launched to perform the actual service, and there is no
such service when dovecot is only a SASL auth server for an external
program.

On the other hand a postfix policy server can let you record a lot of
detail about SMTP activity: messages sent, sender/recipient addresses,
and client addresses of course.

I might be able to help with putting such a script together, time
permitting :-)

Re: Post-login scripting

j.emerlik
Which policy server are you using?
One from this list: http://www.postfix.org/addon.html

2017-10-20 16:53 GMT+02:00 Gedalya <[hidden email]>:

> On 10/20/2017 04:50 PM, j.emerlik wrote:
>
> I understand that Dovecot SASL does not support the Post-Login scripts.
>>
> Yea, perhaps not. The concept it follows for POP3/IMAP is a wrapper for
> the executable launched to perform the actual service, and there is no such
> service when dovecot is only a SASL auth server for an external program.
>
> On the other hand a postfix policy server can let you record a lot of
> detail about SMTP activity: messages sent, sender/recipient addresses, and
> client addresses of course.
>
> I might be able to help with putting such a script together, time
> permitting :-)
>

Re: Post-login scripting

Gedalya-2
No, it's entirely my own.
If all you want to do is write client IP addresses to a database then your script will probably fit in 20 lines of code or so.


On 10/20/2017 05:04 PM, j.emerlik wrote:

> Which one policy server are you using ?
> Someone from that list : http://www.postfix.org/addon.html
>
> 2017-10-20 16:53 GMT+02:00 Gedalya <[hidden email]>:
>
>> On 10/20/2017 04:50 PM, j.emerlik wrote:
>>
>> I understand that Dovecot SASL does not support the Post-Login scripts.
>> Yea, perhaps not. The concept it follows for POP3/IMAP is a wrapper for
>> the executable launched to perform the actual service, and there is no such
>> service when dovecot is only a SASL auth server for an external program.
>>
>> On the other hand a postfix policy server can let you record a lot of
>> detail about SMTP activity: messages sent, sender/recipient addresses, and
>> client addresses of course.
>>
>> I might be able to help with putting such a script together, time
>> permitting :-)
>>

Re: Post-login scripting

Aki Tuomi-2
Dovecot auth supports auth_policy_server (v2.2.27+, https://wiki.dovecot.org/Authentication/Policy), which you could use for this. There is also https://github.com/PowerDNS/weakforced you can use as policy server, which can also do ratelimiting and such. It also integrates with postfix.

Aki

> On October 20, 2017 at 6:12 PM Gedalya <[hidden email]> wrote:
>
>
> No, it's entirely my own.
> If all you want to do is write client IP addresses to a database then your script will probably fit in 20 lines of code or so.
>
>
> On 10/20/2017 05:04 PM, j.emerlik wrote:
> > Which one policy server are you using ?
> > Someone from that list : http://www.postfix.org/addon.html
> >
> > 2017-10-20 16:53 GMT+02:00 Gedalya <[hidden email]>:
> >
> >> On 10/20/2017 04:50 PM, j.emerlik wrote:
> >>
> >> I understand that Dovecot SASL does not support the Post-Login scripts.
> >> Yea, perhaps not. The concept it follows for POP3/IMAP is a wrapper for
> >> the executable launched to perform the actual service, and there is no such
> >> service when dovecot is only a SASL auth server for an external program.
> >>
> >> On the other hand a postfix policy server can let you record a lot of
> >> detail about SMTP activity: messages sent, sender/recipient addresses, and
> >> client addresses of course.
> >>
> >> I might be able to help with putting such a script together, time
> >> permitting :-)
> >>

Re: Post-login scripting

Gedalya-2
Aha. Looks pretty cool, and it's really nice that it supports HTTP.
On the other hand if I'm rate limiting the number of messages sent = number of times a client said RCPT TO, I guess it still has to be a postfix policy server?
Anyway, thanks for pointing this out, I'm sure I'll use it :-)


On 10/21/2017 02:16 PM, Aki Tuomi wrote:

> Dovecot auth supports auth_policy_server (v2.2.27+, https://wiki.dovecot.org/Authentication/Policy), which you could use for this. There is also https://github.com/PowerDNS/weakforced you can use as policy server, which can also do ratelimiting and such. It also integrates with postfix.
>
> Aki
>
>> On October 20, 2017 at 6:12 PM Gedalya <[hidden email]> wrote:
>>
>>
>> No, it's entirely my own.
>> If all you want to do is write client IP addresses to a database then your script will probably fit in 20 lines of code or so.
>>
>>
>> On 10/20/2017 05:04 PM, j.emerlik wrote:
>>> Which one policy server are you using ?
>>> Someone from that list : http://www.postfix.org/addon.html
>>>
>>> 2017-10-20 16:53 GMT+02:00 Gedalya <[hidden email]>:
>>>
>>>> On 10/20/2017 04:50 PM, j.emerlik wrote:
>>>>
>>>> I understand that Dovecot SASL does not support the Post-Login scripts.
>>>> Yea, perhaps not. The concept it follows for POP3/IMAP is a wrapper for
>>>> the executable launched to perform the actual service, and there is no such
>>>> service when dovecot is only a SASL auth server for an external program.
>>>>
>>>> On the other hand a postfix policy server can let you record a lot of
>>>> detail about SMTP activity: messages sent, sender/recipient addresses, and
>>>> client addresses of course.
>>>>
>>>> I might be able to help with putting such a script together, time
>>>> permitting :-)
>>>>

Re: Post-login scripting

j.emerlik
Thx for all the suggestions.
Regards
Jack

Sent from my mobile device please excuse.

21.10.2017 3:45 PM "Gedalya" <[hidden email]> wrote:

> Aha. Looks pretty cool, and it's really nice that it supports HTTP.
> On the other hand if I'm rate limiting the number of messages sent =
> number of times a client said RCPT TO, I guess it still has to be a postfix
> policy server?
> Anyway, thanks for pointing this out, I'm sure I'll use it :-)
>
>
> On 10/21/2017 02:16 PM, Aki Tuomi wrote:
> > Dovecot auth supports auth_policy_server (v2.2.27+,
> https://wiki.dovecot.org/Authentication/Policy), which you could use for
> this. There is also https://github.com/PowerDNS/weakforced you can use as
> policy server, which can also do ratelimiting and such. It also integrates
> with postfix.
> >
> > Aki
> >
> >> On October 20, 2017 at 6:12 PM Gedalya <[hidden email]> wrote:
> >>
> >>
> >> No, it's entirely my own.
> >> If all you want to do is write client IP addresses to a database then
> your script will probably fit in 20 lines of code or so.
> >>
> >>
> >> On 10/20/2017 05:04 PM, j.emerlik wrote:
> >>> Which one policy server are you using ?
> >>> Someone from that list : http://www.postfix.org/addon.html
> >>>
> >>> 2017-10-20 16:53 GMT+02:00 Gedalya <[hidden email]>:
> >>>
> >>>> On 10/20/2017 04:50 PM, j.emerlik wrote:
> >>>>
> >>>> I understand that Dovecot SASL does not support the Post-Login
> scripts.
> >>>> Yea, perhaps not. The concept it follows for POP3/IMAP is a wrapper
> for
> >>>> the executable launched to perform the actual service, and there is
> no such
> >>>> service when dovecot is only a SASL auth server for an external
> program.
> >>>>
> >>>> On the other hand a postfix policy server can let you record a lot of
> >>>> detail about SMTP activity: messages sent, sender/recipient
> addresses, and
> >>>> client addresses of course.
> >>>>
> >>>> I might be able to help with putting such a script together, time
> >>>> permitting :-)
> >>>>
>

Re: Post-login scripting

Simone Lazzaris
In reply to this post by Gedalya-2
On Saturday 21 October 2017 15:44:52 CEST, Gedalya wrote:
> Aha. Looks pretty cool, and it's really nice that it supports HTTP.
> On the other hand if I'm rate limiting the number of messages sent = number
> of times a client said RCPT TO, I guess it still has to be a postfix policy
> server? Anyway, thanks for pointing this out, I'm sure I'll use it :-)
>
Very interesting indeed; right now I'm using a post-login script to track the IP of the clients, but
I'll evaluate the policy as it seems cleaner.

For a simple policy server to use with postfix, you can check out my simple daemon:

https://github.com/SimoneLazzaris/polka

It's written in Go, very simple, efficient but effective. We're using it in production with zero
issues.


*Simone Lazzaris*
*Qcom S.p.A.*
[hidden email] | www.qcom.it