Using RoundCube it is not showing correctly the remote ip into my server mail logs.
Here is mail log when I am connecting through RoundCube:
Jun 23 17:54:57 server dovecot: imap-login: Login: user=<user.one-mydomain.com>, method=PLAIN, rip=::1, lip=::1, mpid=4645, secured, session=<RwrUPPM17gAAAAAAAAAAAAAAAAAAAAAB>
Here is mail log when I am connecting through Microsoft Outlook:
Jun 23 12:43:18 server dovecot: pop3-login: Login: user=<user.one-mydomain.com>, method=PLAIN, rip=198.423.11.235, lip=123.174.21.14, mpid=28700, session=<wgZN4u41MQC8G7Lr>
As you can see using RoundCube is like being on the server, rip and lip has the same value ::1. Is it a way to record correctly the rip address instead of locahost ::1 into mail logs? In this way being able to determine if it is a normal user behavior or an attempt to break it? Even I can use Fail2Ban, I would like to have a prove from where IP address did someone connected.
Thank you.
You can use this plugin:
https://plugins.roundcube.net/packages/cor/dovecot-ident
I appreciate for your reply. I will test it and come back with some thoughts.
If someone is interested to get this working here are the steps.
1) First go to https://github.com/corbosman/dovecot_ident and download the zip (3 files inside)
2) Go to your /home/user_name/public_html/roundcube_directory/plugins and copy there from archive the folder named dovecot_ident-master. Then rename it to dovecot_ident.
3) Edit /home/user_name/public_html/roundcube_directory/config/config.inc.php and by the end of the file add this plugin in the list as follows:
// List of active plugins (in plugins/ directory)
$config['plugins'] = array('virtuser_file',
'archive',
'dovecot_ident',
'zipdownload',
);
4) If your webserver is behind a proxy server you have to know which PHP variable keeps visitor's real IP address. In most of the cases it is X_FORWARDED_FOR. Now go to /home/user_name/public_html/roundcube_directory/plugins/dovecot_ident/ and edit the file named dovecot_ident.php replacing REMOTE_ADDR with that PHP variabile which keeps your visitor's real IP address. Here is the code:
<?php
/**
* Plugin to add imap id
*
* @version 1.0
* @author Cor Bosman
*/
class dovecot_ident extends rcube_plugin
{
function init()
{
$this->add_hook('storage_connect', array($this, 'add_ident'));
}
function add_ident($args)
{
$args['ident'] = $args['ident'] ? array_merge($args['ident'], array('x-originating-ip' => $_SERVER['REMOTE_ADDR']))
: array('x-originating-ip' => $_SERVER['REMOTE_ADDR']);
return $args;
}
}
?>
5) Edit /etc/dovecot/dovecot.conf and add
login_trusted_networks = 127.0.0.1 ::1
Restart dovecot service.
Reload Roundcube page and monitor /var/log/mail.log file with watch command in Terminal. You should see now the correct rip value set to your visitor's IP address.
That's it, happy using RoundCube!
Dovecot also supports HAproxy style headers in the TCP stream, to identify the correct remote and local IPs for the initial connection. You will need to have a separate IMAP listener configured in dovecot, for use with connections which inject HAproxy style headers in the first TCP packet.
I just this week submitted a pull request to Roundcube to support this proxy protocol. See #5335
Example dovecot configuration:
haproxy_trusted_networks = 127.0.0.1
service imap-login {
inet_listener imap {
port = 143
}
inet_listener imap_haproxy {
port = 144
haproxy = yes
}
}
In my case I am using Pound as a reverse proxy but your observation is fine, I will dig if I can find something about this combination Pound - Dovecot.
If you have the correct remote IP already working between Pound and your web server (e.g. REMOTE_ADDR or X-FORWARDED-FOR), that is all that is required for the HAproxy protocol Roundcube patch.
Even though Roundcube now has its own brute force mitigation built-in, that feature is on a per-username basis only. Using the HAproxy protocol to relay the external IP will also allow Dovecot to slow down brute force attempts on a per-IP basis. Dovecot will increasingly delay authentication attempts from the same IP using its built-in anvil service. The downside to this is that each login attempt will stall the IMAP connection between the webmail and Dovecot, which may itself be exploited as a form of DoS.
When using the "dovecot_ident" plugin you also need to specify the webmail host IP in "login_trusted_networks", which will completely bypass the Dovecot authentication penalty. There is still a default delay of 2 seconds associated with each failed login attempt, but the risk of a DoS is less with 2 second delay, as compared with 17 seconds (after 4+ failed login attempts).
I appreciate for your information. I will close this issue right away.
This is great, however, regarding the quantity of the code to add (one line), I think this should be added in the core package.
has this been added to the core yet? corbosman/dovecot_ident isn't even listed in the roundcube plugins repository
Most helpful comment
If someone is interested to get this working here are the steps.
1) First go to https://github.com/corbosman/dovecot_ident and download the zip (3 files inside)
2) Go to your /home/user_name/public_html/roundcube_directory/plugins and copy there from archive the folder named dovecot_ident-master. Then rename it to dovecot_ident.
3) Edit /home/user_name/public_html/roundcube_directory/config/config.inc.php and by the end of the file add this plugin in the list as follows:
4) If your webserver is behind a proxy server you have to know which PHP variable keeps visitor's real IP address. In most of the cases it is X_FORWARDED_FOR. Now go to /home/user_name/public_html/roundcube_directory/plugins/dovecot_ident/ and edit the file named dovecot_ident.php replacing REMOTE_ADDR with that PHP variabile which keeps your visitor's real IP address. Here is the code:
5) Edit /etc/dovecot/dovecot.conf and add
Restart dovecot service.
Reload Roundcube page and monitor /var/log/mail.log file with watch command in Terminal. You should see now the correct rip value set to your visitor's IP address.
That's it, happy using RoundCube!