Koozali.org: home of the SME Server

HOWTO - Check log files for POP Login problems

Offline jfarschman

« on: August 31, 2007, 06:13:06 PM »
Hey,

  We operate a small ISP with 2500 users on a SME server.  Anyone interested in how SME works with a large number of users let me know.

  One common problem we face is user and passwords.  Where do we look in the log files to find a line telling us that they have a username/password combo?  I'd like to just grep the appropriate file and find them.

  Thanks.... and yes, I did search for this, but got zero search returns on everything I searched.
Jay Farschman
ICQ - 60448985
jay@hitechsavvy.com

Offline VatanM

« Reply #1 on: September 01, 2007, 03:18:56 PM »
I have a similar (but not really) issue.  I have a SME server running for a school and we don't have the email set up.  They use an external subscriber.  But ever since I upgraded (it was a new install) their old SME server 6.1.x to 7.2, they have been having issues with their email retrieval using POP.  Even though I am pretty sure that the upgrade has nothing to do with it, as I was the last one to touch the server, it's my issue to resolve.  Any pointers?

Offline jfarschman

« Reply #2 on: September 01, 2007, 04:15:10 PM »
Vatan,

  Well...  Users trying to POP or IMAP or SMTP from an outside (not local) address are probably going to have to use POPS, IMAPS and SSMTP.  Notice the "S" on each of these protocols.  The protocols are encrypted.  Take a look inside the Email general settings and you can see what your server is set to allow for both "public" (local/inside) connections and "private" (wan/outside) connections.

  Then set up the clients to use these rules.

  6.x did not have these behaviors, if I remember correctly, unless you specifically loaded a contrib, so this is probably your problem.

  Note also... when looking for connections in the log files, secure/encrypted connections have their own special locations.

Offline mmccarn

« Reply #3 on: September 01, 2007, 04:33:58 PM »
jfarschman:
I did some searching around for info on qmail-pop3d, checkpassword and qmail-popup.  There doesn't seem to be a good solution (in my opinion) to your issue. 

Your choices seem to be to patch and recompile qmail-pop3d and qmail-popup: http://software.maexotic.de/qmail/103-pop3log/

Or to modify /var/service/pop3d/run to use recordio to record the login conversation: http://qmailwiki.org/Qmail-tips (search for recordio - or scroll to the bottom)

It looks easier if you just want a log of who logged in successfully: http://www.qmail.org/top.html (search for qmail-pop3d-wrapper.sh)


Offline jfarschman

« Reply #4 on: September 01, 2007, 04:46:12 PM »
Thanks.... I may try one of those... but more likely I'll change my methods of working with customers.

Offline jfarschman

« Reply #5 on: September 24, 2007, 06:39:06 PM »
mmccarn,

  Again thanks for the help... I'm now trying to implement recordio to track the connections for diagnostic purposes, but I'm fairly well lost in the /var/service/qpsmtpd/run file.  Here is my approach:

  1.  Create a new service that should use recordio
       cp -Ra /var/service/qpsmtpd /var/service/qpsmtpd-recordio

  2.  Modify the qpsmtpd-recordio to use recordio

  3.  Cutover for logging
       svc -u /service/qpsmtpd-recordio ; svc -d /var/service/qpsmtpd

       and back after logging
       svc -u /var/service/qpsmtpd ; svc -d /service/qpsmtpd-recordio

PROBLEM - My /var/service/qpsmtpd/run file baffles me.  Any idea where to add in recordio or where I might start looking and learning how to do it.  The references I've found online all appear to be tcpserver-centric (tcpserver -u <UID> -g <GID> -v 0 25 recordio 2>/mylog/log qmail-smtpd)

Code:
[ -f ./runenv ] && . ./runenv

export QPSMTPD_CONFIG=/var/service/qpsmtpd/config

./control/1

exec /usr/local/bin/softlimit -d ${SOFTLIMIT:-25000000} -s ${SOFTLIMIT:-25000000} -l ${SOFTLIMIT:-25000000} \
  /usr/bin/qpsmtpd-forkserver \
        -u qpsmtpd \
        -l 0.0.0.0 \
        -p ${PORT:-25} \
        -c ${INSTANCES:-40} \
        -m ${INSTANCES_PER_IP:-5} \
        2>&1
« Last Edit: September 24, 2007, 06:50:50 PM by jfarschman »

Offline CharlieBrady

« Reply #6 on: September 24, 2007, 07:49:34 PM »
Quote from jfarschman: PROBLEM - My /var/service/qpsmtpd/run file baffles me.  Any idea where to add in recordio or where I might start looking and learning how to do it.

You can't use recordio with qpsmtpd-forkserver. I don't know why you'd think you need to - qpsmtpd has very versatile and configurable logging.

Offline jfarschman

« Reply #7 on: September 24, 2007, 08:16:47 PM »
Charlie,

  I need to find a user who is spamming. There is either a webserver on the inside network, or a piece of malware sending email through the system.... which is allowed, because the inside is trusted.

  also... it looks sort of like the spammer is spoofing their email address each time they send.  I've been grep-ing the logs every which way to no avail.

Offline CharlieBrady

« Reply #8 on: September 24, 2007, 09:38:42 PM »
Quote from jfarschman: There is either a webserver on the inside network, or piece of malware sending email through the system....

If so, qpsmtpd and/or sqpsmtpd logs will have recorded all the particulars.
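
Added example, not part of any post in this thread: one way to turn the qpsmtpd connection records into a ranking of inside-network clients, so that a host relaying far more mail than its neighbours stands out even when the sender address changes on every message. The function name `top_talkers`, the sample addresses and the log line shape ("Accepted connection n/max from ip / rdns" behind a multilog timestamp and PID) are assumptions; compare the pattern with your own log before relying on it.

```shell
#!/bin/sh
# top_talkers PREFIX MIN [FILE...]
#   PREFIX  textual prefix of the trusted network, e.g. "192.168.1."
#   MIN     report only clients with at least this many connections
# Reads the named files (or stdin); prints "<count> <ip>", busiest first.
top_talkers() {
    prefix=$1
    min=$2
    shift 2
    awk -v prefix="$prefix" -v min="$min" '
        /Accepted connection/ {
            # The client address is the field right after the word "from".
            for (i = 1; i < NF; i++) {
                if ($i == "from") {
                    ip = $(i + 1)
                    # index()==1 is a literal prefix match, so the dots in
                    # PREFIX are not treated as regex wildcards.
                    if (index(ip, prefix) == 1) seen[ip]++
                    break
                }
            }
        }
        END {
            for (ip in seen)
                if (seen[ip] >= min) print seen[ip], ip
        }
    ' "$@" | sort -k1,1nr -k2,2
}

# Constructed sample log (assumed format, not taken from a real server).
sample_log() {
    cat <<'EOF'
@4000000046f81c2a0a1b2c3d 2101 Accepted connection 0/40 from 192.168.1.23 / pc23.example.lan
@4000000046f81c2b0a1b2c3d 2101 Accepted connection 1/40 from 203.0.113.9 / mail.example.net
@4000000046f81c2c0a1b2c3d 2101 Accepted connection 1/40 from 192.168.1.77 / Unknown
@4000000046f81c2d0a1b2c3d 2101 Accepted connection 2/40 from 192.168.1.77 / Unknown
@4000000046f81c2e0a1b2c3d 2101 Accepted connection 3/40 from 192.168.1.77 / Unknown
@4000000046f81c2f0a1b2c3d 2101 Accepted connection 1/40 from 192.168.10.5 / Unknown
EOF
}

# Inside clients on 192.168.1.x with two or more connections.
sample_log | top_talkers 192.168.1. 2
```
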