Re: distinguishing 110 and 995 logins in syslog
As Dan noted, you should see the TLS session being logged. If it's useful, the log-login option could be expanded to be able to include additional details, such as TLS info. As always, patches are welcome. -- Randall Gellens Opinions are personal;facts are suspect;I speak for myself only -- Randomly-selected tag: --- The idea that Bill Gates has appeared like a knight in shining armor to lead all customers out of a mire of technological chaos neatly ignores the fact that it was he who, by peddling second-rate technology, led them into it in the first place.--Douglas Adams
Re: distinguishing 110 and 995 logins in syslog
Use different conf files - and specify different log files. See log-facility in config options or command line option -y Ken Jeff A. Earickson wrote: Randall, I have installed 4.0.7 on a Solaris 9 box, using Sun's StudioOne (version 8) compiler. So far, so good. I need to distinguish between SSL connections to port 995 and unencrypted logins to 110. Testing both via telnet myhost 110 user joeblow pass passwd list quit or openssl s_client -debug -connect myhost:995 (you will see SSL stuff go by, then) user joeblow pass passwd list quit both yield the same thing in my syslog: Apr 27 16:19:14 myhost popper[8519]: [ID 702911 local0.notice] (v4.0.7) \ POP login by user "joeblow" at (otherhost) [ip addr] [pop_log.c:244] No good. I would like the SSL sessions to say something like "SSL POP login" so I can start tracking who uses which. (I want to pull the plug on 110 unencrypted). Suggestions on how to do this? Jeff Earickson Colby College
Re: distinguishing 110 and 995 logins in syslog
* On 2005.04.27, in <[EMAIL PROTECTED]>, * "Jeff A. Earickson" <[EMAIL PROTECTED]> wrote: > > No good. I would like the SSL sessions to say something like > "SSL POP login" so I can start tracking who uses which. (I want > to pull the plug on 110 unencrypted). Suggestions on how to do this? We run qpopper from inetd under tcp_wrappers's tcpd, and use hosts.allow rules to specify how qpopper gets executed. There have been several reasons for not running it standalone, but one side benefit is the kind of logging you describe. We have several POP service hostnames on the same machine, and use both ports 110 and 995. The hosts.allow lines we use instruct tcpd to run (for example) "pop-%H-110" or "pop-%H-995", depending on the port being serviced. Tcpd expands "%H" to the hostname being connected to, so in the filesystem we have links to the qpopper executable named "pop--110" and "pop--995", for each hostname offering POP service. Since these executable links become the argv[0] for qpopper, that's what shows in the syslog. If this needs further explanation I can make up some examples. Our actual configuration is much more complicated than that, so a copy-paste isn't really going to be helpful. -- -D.[EMAIL PROTECTED]NSITUniversity of Chicago
Re: distinguishing 110 and 995 logins in syslog
At 04:34 PM 4/27/2005, Jeff A. Earickson wrote: Randall, I have installed 4.0.7 on a Solaris 9 box, using Sun's StudioOne (version 8) compiler. So far, so good. I need to distinguish between SSL connections to port 995 and unencrypted logins to 110. Testing both via telnet myhost 110 user joeblow pass passwd list quit or openssl s_client -debug -connect myhost:995 (you will see SSL stuff go by, then) user joeblow pass passwd list quit both yield the same thing in my syslog: Apr 27 16:19:14 myhost popper[8519]: [ID 702911 local0.notice] (v4.0.7) \ POP login by user "joeblow" at (otherhost) [ip addr] [pop_log.c:244] No good. I would like the SSL sessions to say something like "SSL POP login" so I can start tracking who uses which. (I want to pull the plug on 110 unencrypted). Suggestions on how to do this? If you're trying to understand who uses/doesn't use SSL, you should actually see logging for the start of the TLS session. Note that in the case of port 110, TLS is available via STARTTLS. So, I'd ask you if you want to know whether folks are using port 110 vs. 995, or do you really want to know who's using encryption and who's not? Dan
