Hello Gunter,

Recent James 3.x code (it may be available for older versions, I haven't
checked) includes several useful pieces of information in a mapped
diagnostic context (MDC) which is accessible by the logging system.
By default James will try to include values for all the following keys in
the MDC when the information is contextually available:
public static final String HOST = "host";
public static final String IP = "ip";
public static final String PROTOCOL = "protocol";
public static final String USER = "user";
public static final String ACTION = "action";
public static final String SESSION_ID = "sessionId";
public static final String CHARSET = "charset";

You can change your logging configuration to include these fields in each
log line. This should be done in the logback.xml file, which should have an
"encoder" section under the "appender" blocks. Here is what my console
appender encoder looks like:

<encoder>
    <pattern>%d{HH:mm:ss.SSS} [%-5level] - %t - [p=%X{protocol},a=%X{action},s=%X{sessionId},u=%X{user}] - %logger{15} - %msg%n%rEx</pattern>
    <immediateFlush>false</immediateFlush>
</encoder>

You can see that I include the protocol, action, sessionId and user in all
my log lines when they are available. You can make it output the IP by
adding %X{ip} to your pattern.

best regards,
jean

On Thu, Jun 8, 2023 at 11:58 AM Günter Paul <g...@guenterpaul.de> wrote:

> Hi David,
>
> I'm afraid fail2ban can't help.
>
> The tool evaluates the log file, right?
>
> The problem is as follows: First, the attacker's IP address is written in
> one line to the log file. And a second request could come almost at the
> same time, the IP address is also written to the log file. Then a
> non-existent user is written to the log file, unfortunately without
> specifying the IP address.
>
> An assignment to the attacker is no longer possible. I'm afraid the
> problem can only be solved within James himself.
>
> Example:
> INFO   | jvm 1    | 2023/06/07 16:49:55 | 07-Jun-2023 16:49:55.869 INFO
> [smtpserver-io-1]
> org.apache.james.protocols.netty.BasicChannelInboundHandler.channelActive:103
> - Connection established from 59.2.248.84
> INFO   | jvm 1    | 2023/06/07 16:49:55 | 07-Jun-2023 16:49:55.901 INFO
> [smtpserver-io-1]
> org.apache.james.protocols.netty.BasicChannelInboundHandler.channelActive:103
> - Connection established from 58.12.250.90
> INFO   | jvm 1    | 2023/06/07 16:49:59 | 07-Jun-2023 16:49:59.761 INFO
> [smtpserver-io-1]
> org.apache.james.protocols.smtp.core.fastfail.AbstractValidRcptHandler.reject:61
> - Rejected message. Unknown user: b...@domaine.de
> INFO   | jvm 1    | 2023/06/07 16:49:59 | 07-Jun-2023 16:49:59.761 INFO
> [smtpserver-io-1]
> org.apache.james.protocols.smtp.core.log.HookResultLogger.onHookResult:45 -
> org.apache.james.smtpserver.fastfail.ValidRcptHandler: result= (DENY
> CONNECTED)
>
>
> > Günter Paul <g...@guenterpaul.de> wrote on 07.06.2023 17:24 CEST:
> >
> >
> > Thanks David. You're probably right, I'll check fail2ban. On the other
> > side: regex is not my friend though.
> >
> > BW Günter
> >
> > > David Matthews <m...@dmatthews.org.invalid> wrote on 07.06.2023 16:40
> > > CEST:
> > >
> > >
> > > >Hello David,
> > > >
> > > >thanks for your information. Maybe fail2ban is a solution. I would
> > > >prefer to solve the problem with board funds from James.
> > > >
> > > With fail2ban, once you come up with a working regex, you're solving
> > > the problem at a pre James level - in effect you would be operating an
> > > automatic and dynamic firewall block.
> > >
> > > I think that's a deal more efficient than anything James or any other
> > > mail exchanger can do.
> > >
> > > --
> > > David Matthews
> > > m...@dmatthews.org
> > >
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: server-user-unsubscr...@james.apache.org
> > > For additional commands, e-mail: server-user-h...@james.apache.org
>
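
Added example, not part of the thread and not James or fail2ban code: once
%X{ip} is in the pattern, each "Unknown user" rejection carries its own
address and can be counted per IP. It assumes ",ip=%X{ip}" is appended inside
the bracketed MDC group of the console pattern above; the sample lines, MDC
values and function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Layout of the console pattern above with ",ip=%X{ip}" appended (assumed placement):
# time [level] - thread - [p=..,a=..,s=..,u=..,ip=..] - logger - msg
LINE_RE = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d{3} \[[A-Z ]{5}\] - .+? - "
    r"\[p=(?P<protocol>[^,\]]*),a=(?P<action>[^,\]]*),s=(?P<session>[^,\]]*),"
    r"u=(?P<user>[^\]]*?),ip=(?P<ip>[^,\]]*)\] - \S+ - (?P<msg>.*)$"
)
REJECT_PREFIX = "Rejected message. Unknown user:"  # message text from the quoted log

# Constructed sample: two interleaved sessions plus one line with no IP in the MDC.
SAMPLE = """\
16:49:55.869 [INFO ] - smtpserver-io-1 - [p=SMTP,a=,s=SID-1,u=,ip=192.0.2.10] - o.a.j.p.n.BasicChannelInboundHandler - Connection established from 192.0.2.10
16:49:55.901 [INFO ] - smtpserver-io-1 - [p=SMTP,a=,s=SID-2,u=,ip=198.51.100.7] - o.a.j.p.n.BasicChannelInboundHandler - Connection established from 198.51.100.7
16:49:59.761 [INFO ] - smtpserver-io-1 - [p=SMTP,a=RCPT,s=SID-1,u=,ip=192.0.2.10] - o.a.j.p.s.c.f.AbstractValidRcptHandler - Rejected message. Unknown user: bob@example.test
16:49:59.803 [INFO ] - smtpserver-io-1 - [p=SMTP,a=RCPT,s=SID-2,u=,ip=198.51.100.7] - o.a.j.p.s.c.f.AbstractValidRcptHandler - Rejected message. Unknown user: carol@example.test
16:50:00.114 [INFO ] - smtpserver-io-1 - [p=SMTP,a=RCPT,s=SID-1,u=,ip=192.0.2.10] - o.a.j.p.s.c.f.AbstractValidRcptHandler - Rejected message. Unknown user: alice@example.test
16:50:01.250 [INFO ] - smtpserver-io-1 - [p=SMTP,a=RCPT,s=SID-3,u=,ip=] - o.a.j.p.s.c.f.AbstractValidRcptHandler - Rejected message. Unknown user: dave@example.test
""".splitlines()


def unknown_user_counts(lines):
    """Return (rejections per IP, rejections that carry no usable IP)."""
    per_ip, unattributed = Counter(), 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not m["msg"].startswith(REJECT_PREFIX):
            continue
        try:
            # Normalise and validate; an empty or malformed field is not trusted.
            per_ip[str(ipaddress.ip_address(m["ip"]))] += 1
        except ValueError:
            unattributed += 1
    return per_ip, unattributed


def offenders(lines, threshold=2):
    """IPs with at least `threshold` unknown-user rejections, sorted."""
    per_ip, _ = unknown_user_counts(lines)
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)


if __name__ == "__main__":
    print(unknown_user_counts(SAMPLE), offenders(SAMPLE))
```

The same single-line shape is what a fail2ban failregex needs: the address and
the rejection text on one line.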
