Koozali.org: home of the SME Server
Obsolete Releases => SME Server 7.x => Topic started by: Texaopian on November 07, 2006, 01:24:15 AM
-
Hello,
First, I have a SME 7.0 in server-only mode behind a Netgear router. I am trying to check user attempts to "check email" over the past couple of weeks. Access, of course, would be via secure pop3s, secure imap and/or webmail. I have gone through the logs (/var/log) and have looked at 'messages'. I actually need info in this format (time/date, username and IP address).
Login success for user@domain.com [xxx.xxx.xxx.xxx] to {localhost:143}
While I can find some type of logs for IMAPs (imaps/current) & POP3s (pop3s/current), I don't know how to really convert it into a time/date (it's a message id?) and a user name. I do see IP addresses. Am I looking in the right place? If so, how do I decipher the logs?
Thanks in advance
Joe
-
Many of the SME log files use an alternate timestamp that looks something like this: @4000000045298d8c0bd1e6dc
You can convert the time in these log files to a human-readable format using "tai64nlocal", something like this:
cat /var/log/imaps/current | tai64nlocal
-
Thanks mmccarn! That solves one part (the time/date stamp). For IMAPs (imaps/current) & POP3s (pop3s/current), is there a way to see the user/username that was attempting to login? I can see the IP (and now) the time/date. I went so far as downloading the whole var/log directory and checking each log. I think I am stumped.
Thanks again,
Joe
-
CJBarrington
Use server manager view log files panel.
They are in date format and can be filtered on words etc or by a highlight.
Look at the various mail related logs.
Search these forums on collapse_qpsmtpd_conn for ways to make qpsmtpd logs more readable
-
Ray,
Thanks for the lead. I actually have been using the server-manager/view logs to get initial data. Before, mmccarn gave me a great tidbit on converting the time/date stamp, to something I could read. The problem that I am having is trying to find out what/which user was attempting to (or did) check mail. I now can see the time, date and the IP that made the attempt, but I do not know how to find out which user made the attempt.
Here is an example of what I am talking about:
pop3s/imap/imaps current:
2006-11-03 06:56:26.764990500 tcpsvd: info: status 1/40
2006-11-03 06:56:26.765000500 tcpsvd: info: pid 6947 from 111.222.333.444
2006-11-03 06:56:26.861486500 tcpsvd: info: concurrency 6947 111.222.333.444 1/4
2006-11-03 06:56:26.861495500 tcpsvd: info: start 6947 0:192.168.0.1 ::111.222.333.444:49949 ./peers/0
2006-11-03 06:56:37.855616500 sslio[6947]: info: bytes in: 2268
2006-11-03 06:56:37.855625500 sslio[6947]: info: bytes ou: 651681
2006-11-03 06:56:37.856125500 tcpsvd: info: end 6947 exit 1
2006-11-03 06:56:37.856130500 tcpsvd: info: status 0/40
Is there somewhere else that I could tell what account ip 111.222.333.444 was trying to check?
CJBarrington
Search these forums on collapse_qpsmtpd_conn for ways to make qpsmtpd logs more readable
I will admit this may be a stupid question, but if I am trying to check if an account was checking their email in the logs, wouldn't checking the smtp logs only tell me about attempts to send mail? I have been going down the path of checking webmail/pop3s/imaps only... I would be grateful for any help you could give me in understanding that.
Thanks!
Joe
-
Many of the SME log files use an alternate timestamp that looks something like this: @4000000045298d8c0bd1e6dc
You can convert the time in these log files to a human-readable format using "tai64nlocal", something like this:
cat /var/log/imaps/current | tai64nlocal
Or just use the logfile viewer in the server manager.
-
Is there somewhere else that I could tell what account ip 111.222.333.444 was trying to check?
No.
If you do "ps fax" while the user is connected, then you'll see a line like this:
...
24964 ? S 0:27 | \_ /usr/libexec/dovecot/imap
...
Then 'ls -l /proc/24964/cwd' will tell you which user is connected.
-
Charlie,
Thanks for all of your help and input. Is there any way to add or 'turn-on' some sort of logging at this level? Maybe a third-party add on? I've been looking, but (if it's not too much trouble) maybe you could suggest a direction? I have been goofing with SELinux for a few years.. I am pretty sure that *it* could do it, but it's a nightmare to set up.
Thanks!
CJB
-
I found this link by searching for pop3 logging in various qmail forums:
http://www.pson.org/qmail/
To use this method on SME you'd have to modify the existing /var/service/pop3s/run and create the wrapper script he describes.
In /var/service/pop3s/run, I think you'd have to change
exec 2>&1
exec /usr/local/bin/softlimit -m 5000000 \
tcpsvd \
-v \
-i ./peers \
-c ${CONCURRENCYREMOTE:-40} \
-C ${PER_IP_INSTANCES:-4}:'421 per host concurrency limit reached\r\n' \
-l ${LOCALNAME:-0} \
${LISTENIP:-0} \
${PORT:-pop3s} \
sslio -vv -/ /service/imap/ssl -u stunnel -C imapd.pem \
/var/qmail/bin/qmail-popup $fqdn \
checkpassword /var/qmail/bin/qmail-pop3d Maildir
to
exec 2>&1 7>&1
exec /usr/local/bin/softlimit -m 5000000 \
tcpsvd \
-v \
-i ./peers \
-c ${CONCURRENCYREMOTE:-40} \
-C ${PER_IP_INSTANCES:-4}:'421 per host concurrency limit reached\r\n' \
-l ${LOCALNAME:-0} \
${LISTENIP:-0} \
${PORT:-pop3s} \
sslio -vv -/ /service/imap/ssl -u stunnel -C imapd.pem \
/var/qmail/bin/qmail-popup $fqdn \
checkpassword \
/var/qmail/bin/qmail-pop3d-wrapper.sh \
/var/qmail/bin/qmail-pop3d Maildir
and create /var/qmail/bin/qmail-pop3d-wrapper.sh containing:
#!/bin/sh
echo "qmail-pop3d: user $USER logged in from $TCPREMOTEIP:$TCPREMOTEPORT" >&7
$@
If I get a chance I'll try it out and let you know if it works.
-
To use this method on SME you'd have to modify the existing /var/service/pop3s/run and create the wrapper script he describes.
You should be able to use the same approach with imap.
-
Hi,
I need to change the way pop3 connections get logged.
What I would like is to have the username and IP logged for all pop3 connections. Currently I can only see the source IP but not the mailbox/user who is trying to connect.
I followed this post and added the following to /var/service/pop3/run:
${PORT:-pop3} \
/var/qmail/bin/qmail-popup $fqdn \
checkpassword \
/var/qmail/bin/qmail-pop3d-wrapper.sh \
/var/qmail/bin/qmail-pop3d Maildir
And create the file /var/qmail/bin/qmail-pop3d-wrapper.sh
#!/bin/sh
echo "qmail-pop3d: user $USER logged in from $TCPREMOTEIP:$TCPREMOTEPORT" >&7
$@
After I restart the pop3d service, user can no longer log on to pop3 to download mail. It keeps asking for a password.
Has anyone got this to work?
-
Did you notice that the first line of /var/service/pop3s/run is also changed?
Standard: exec 2>&1
Custom: exec 2>&1 7>&1
[edit]
I noticed that the above link to pson is dead. This page seems to contain similar information: http://www.qmailwiki.org/index.php/Qmail-tips
[/edit]
-
Hi,
I changed the first line in /var/service/pop3s/run to "exec 2>&1 7>&1"
But then I get the following error in my mail client (outlook)
'The connection to the server was interrupted. If the problem continues, contact your server administrator or ISP. The server responded: -ERR usage: popup hostname subprogram'
-
1) Are you attempting to modify the pop3 service, or the pop3s service?
2) After creating /var/qmail/bin/qmail-pop3d-wrapper.sh, did you make it executable using chmod +x /var/qmail/bin/qmail-pop3d-wrapper.sh?
-
After making the following changes to the pop3 service on my SME 7.4 server, I get the following data in /var/log/pop3/current after a successful login:
@4000000049d0b972303e4204 qmail-pop3d: user mmccarn logged in from 192.168.1.101:3407
1) Create qmail-pop3d-wrapper.sh:
cd /var/qmail/bin
echo '#!/bin/sh
echo "qmail-pop3d: user $USER logged in from $TCPREMOTEIP:$TCPREMOTEPORT" >&7
$@
' > qmail-pop3d-wrapper.sh
chmod +x qmail-pop3d-wrapper.sh
2) modify /var/service/pop3/run as follows:
MOD1: exec 2>&1 ==> exec 2>&1 7>&1
MOD2: checkpassword /var/qmail/bin/qmail-pop3d Maildir ==>
checkpassword \
/var/qmail/bin/qmail-pop3d-wrapper.sh \
/var/qmail/bin/qmail-pop3d Maildir
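Added example, not part of the thread: once the wrapper writes lines like the one above, each successful login carries a TAI64N stamp, the user and the peer address, and this sketch turns such lines into time/user/IP records. It prints UTC (tai64nlocal prints local time) and assumes a fixed 10-second TAI offset and GNU `date -d @N`; the two tcpsvd lines in the sample are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU date (-d @SECONDS).

# Convert a TAI64N label such as @4000000045298d8c0bd1e6dc to a UTC timestamp.
tai64n_to_utc() {
    label=${1#@}
    case $label in
        *[!0-9a-f]*|[!4]*) return 1 ;;      # hex only; labels start at 2^62
    esac
    [ "${#label}" -eq 24 ] || return 1      # 16 digits seconds + 8 digits nanoseconds
    sechex=${label%????????}                # first 16 hex digits
    nanohex=${label#????????????????}       # last 8 hex digits
    # Dropping the leading 4 removes the 2^62 bias; the extra 10 s is the
    # fixed TAI-UTC offset assumed here (no leap-second table).
    secs=$(( 0x${sechex#4} - 10 ))
    printf '%s.%09d\n' "$(date -u -d "@$secs" '+%Y-%m-%d %H:%M:%S')" "$(( 0x$nanohex ))"
}

# Read multilog lines on stdin; print "UTC-time user ip" for each wrapper login line.
login_report() {
    while read -r stamp msg; do
        case $msg in
            "qmail-pop3d: user "*" logged in from "*) ;;
            *) continue ;;                  # tcpsvd/sslio noise
        esac
        when=$(tai64n_to_utc "$stamp") || continue
        user=${msg#"qmail-pop3d: user "}
        user=${user%%" logged in from "*}
        peer=${msg##*" logged in from "}
        printf '%s %s %s\n' "$when" "$user" "${peer%:*}"   # drop the source port
    done
}

# Sample input: the middle line is the one quoted in the thread,
# the tcpsvd lines around it are constructed.
SAMPLE_LOG='@4000000049d0b9722f000000 tcpsvd: info: pid 6947 from 192.168.1.101
@4000000049d0b972303e4204 qmail-pop3d: user mmccarn logged in from 192.168.1.101:3407
@4000000049d0b97a00000000 tcpsvd: info: end 6947 exit 0'

printf '%s\n' "$SAMPLE_LOG" | login_report
```

On a live server the input would be /var/log/pop3/current instead of the sample variable.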
-
Hi, mmccarn
I am trying to modify pop3 (sorry I made a typo in my previous post).
qmail-pop3d-wrapper.sh is executable
[root@mail ~]# ll /var/qmail/bin/qmail-pop3d-wrapper.sh
-rwxrwxrwx 1 root qmail 92 Mar 30 07:19 /var/qmail/bin/qmail-pop3d-wrapper.sh
And:
[root@mail ~]# cat /var/qmail/bin/qmail-pop3d-wrapper.sh
#!/bin/sh
echo "qmail-pop3d: user $USER logged in from $TCPREMOTEIP:$TCPREMOTEPORT" >&7
$@
My /var/service/pop3/run looks like this:
[root@mail ~]# cat /var/service/pop3/run
#!/bin/sh
hostname=$(/sbin/e-smith/config get SystemName)
domain=$(/sbin/e-smith/config get DomainName)
fqdn="$hostname.$domain"
#exec 2>&1
exec 2>&1 7>&1
# Generate ACL files in ./peers
./control/1
exec /usr/local/bin/softlimit -m 5000000 \
tcpsvd \
-v \
-i ./peers \
-c ${CONCURRENCYREMOTE:-200} \
-C ${PER_IP_INSTANCES:-4}:'421 per host concurrency limit reached\r\n' \
-l ${LOCALNAME:-0} \
${LISTENIP:-0} \
${PORT:-pop3} \
/var/qmail/bin/qmail-popup $fqdn \
#checkpassword /var/qmail/bin/qmail-pop3d Maildir \
checkpassword \
/var/qmail/bin/qmail-pop3d-wrapper.sh \
/var/qmail/bin/qmail-pop3d Maildir
After I made the change I did this:
[root@mail ~]# /etc/init.d/pop3 restart
Restarting pop3 [ OK ]
Thank you for all your help.
-
...
/var/qmail/bin/qmail-popup $fqdn \
#checkpassword /var/qmail/bin/qmail-pop3d Maildir \
checkpassword \
...
I suspect you need to completely delete the line that says #checkpassword /var/qmail/bin/qmail-pop3d Maildir \ -- I don't think you can add a comment to the middle of a continued line like that...
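The shell behaviour suspected above, as an added illustration that is not part of the thread: a `#` line inside a backslash-continued command ends the command there, so the lines after it become a separate command (which a run script never reaches after `exec`). `popup` and `checkpassword` are stand-in functions, the run-file excerpt is constructed, and `lint_continuations` is a hypothetical heuristic check to run before restarting a service.

```shell
#!/bin/sh
# Added illustration, not from the thread; popup/checkpassword are stand-in functions.

# Stand-in for qmail-popup: reports how many arguments actually reached it.
popup() { echo "popup argc=$#: $*"; }
# If this runs, the shell treated "checkpassword ..." as a separate command.
checkpassword() { echo "checkpassword ran as a separate command"; }

broken_chain() {
    popup host.example \
    #checkpassword qmail-pop3d Maildir \
    checkpassword wrapper.sh qmail-pop3d Maildir
}

fixed_chain() {
    popup host.example \
    checkpassword wrapper.sh qmail-pop3d Maildir
}

# Heuristic lint: print "LINE: text" for comment lines that directly follow
# a line ending in a backslash. Reads the named files, or stdin if none.
lint_continuations() {
    awk 'prev ~ /\\$/ && /^[ \t]*#/ { print NR ": " $0; prev = ""; next }
         { prev = $0 }' "$@"
}

# Constructed excerpt shaped like the run file posted in the thread.
SAMPLE_RUN='exec tcpsvd \
  /var/qmail/bin/qmail-popup $fqdn \
  #checkpassword /var/qmail/bin/qmail-pop3d Maildir \
  checkpassword \
  /var/qmail/bin/qmail-pop3d-wrapper.sh \
  /var/qmail/bin/qmail-pop3d Maildir'

broken_chain    # popup sees only the hostname
fixed_chain     # popup sees the hostname plus the whole subprogram chain
printf '%s\n' "$SAMPLE_RUN" | lint_continuations
```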