Linux – Dovecot – Log All IMAP Commands

Tags: dovecot, linux, logging

I have Dovecot 2.2.27 running successfully on Debian Stretch. I have some suspicious activity on my server and I want to log ALL raw IMAP communications sent/received by my server. Here is a .conf file in /etc/dovecot/conf.d/

service imap-login {
  executable = imap-login -R rawlogs
}

(Source: https://wiki.dovecot.org/Debugging/Rawlog )

Rawlog is recording when a user logs into my IMAP server (pre-login rawlog). But that's where it stops. It doesn't record any communication after that. I want all IMAP communication received/sent for a connection (logging in, checking the mailbox, downloading new mail, etc.).

Here's an example .in file:

1523905191.015557 1 LOGIN ***EMAIL ADDRESS HERE*** ***PASSWORD HERE***

And the .out file:

1523905190.806295 * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.

I added the following code to the aforementioned .conf file for post-login logging:

service imap {
  # tell imap to do post-login lookup using a socket called "imap-postlogin"
  executable = imap imap-postlogin
}

# The service name below doesn't actually matter.
service imap-postlogin {
  # all post-login scripts are executed via script-login binary
  executable = script-login /usr/lib/dovecot/rawlog

  # the script process runs as the user specified here (v2.0.14+):
#  user = $default_internal_user
  user = pksml
  # this UNIX socket listener must use the same name as given to imap executable
  unix_listener imap-postlogin {
  }
}

(Source: https://wiki.dovecot.org/PostLoginScripting )

It made no difference. Logging still only exists for authentication and nothing further, even when I'm checking the mail account. Am I doing something wrong, or is this not a capability of Dovecot? Thanks.

PS I have reloaded the Dovecot service after making .conf file changes.

PS #2: Mail users are virtual users, not real Linux system users.


EDIT – Current .conf file:

import_environment = $import_environment DEBUG=1

service imap-login {
  executable = imap-login -R rawlogs
}

protocol imap {
  rawlog_dir = /var/run/dovecot/login/rawlogs
}

service imap {
  executable = imap imap-postlogin
}

service imap-postlogin {
  executable = script-login -d /usr/lib/dovecot/rawlog -I
  unix_listener imap-postlogin {
  }
}

Best Answer

I finally achieved logging the IMAP commands.

BTW, I set up my server initially using the tutorial at https://www.linode.com/docs/email/postfix/email-with-postfix-dovecot-and-mysql/

Here are the relevant dovecot config commands for rawlog:

mail_location = maildir:/var/mail/vhosts/%d/%n
userdb {
  args = uid=vmail gid=vmail home=/var/mail/vhosts/%d/%n
  driver = static
}
service imap-login {
  executable = imap-login -R rawlogs
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service imap-postlogin {
  executable = script-login -d rawlog
}
service imap {
  executable = imap imap-postlogin
}
protocol imap {
  rawlog_dir = /var/run/dovecot/login/rawlogs
}

You get .in and .out files for authentication stored in /var/run/dovecot/login/rawlogs (rawlog_dir).

Currently the rawlog_dir directory has 777 permissions.

After authentication occurs, the IMAP communication transmitted to/from the server for a particular user is located in the user's home folder in a subfolder named dovecot.rawlog (that you must create). For example in my setup, I created the folder /var/mail/vhosts/domain.com/user/dovecot.rawlog. This folder has 777 permissions and is owned by root:vmail.

Note: In these .in and .out files you will see all IMAP information transmitted, including emails in plain text. Also note that this folder will quickly fill up with files. Keep an eye on it.

Concluding thoughts: The most likely use for raw logging is for debugging or understanding the IMAP protocol. It's not a good idea to leave it turned on for months on end!
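Because the rawlog files contain LOGIN passwords and full message bodies in plain text, a reviewer usually wants to scan them for what a client actually did without keeping or sharing the credentials. The following Python script is an added example, not code from the original post or from the Dovecot project: it parses the rawlog line format shown above (a Unix timestamp followed by the raw IMAP line), redacts the password argument of LOGIN commands, and summarizes which commands a session issued. The sample .in and .out contents are constructed for the example; the /var/mail/vhosts/... paths in the usage note are hypothetical.

```python
"""Parse Dovecot rawlog .in/.out files, redact LOGIN passwords, summarize commands.

Added example for reviewing rawlog output; not part of Dovecot or the original post.
"""
import re
import sys
from collections import Counter

# Rawlog line: "<unix timestamp with microseconds> <raw IMAP line>"
RAWLOG_LINE = re.compile(r"^(?P<ts>\d+\.\d+) (?P<raw>.*)$")
# Client LOGIN command: "<tag> LOGIN <user> <password>" (password may be quoted)
LOGIN_CMD = re.compile(r"^(?P<tag>\S+) LOGIN (?P<user>\S+) (?P<password>.+)$", re.IGNORECASE)
# Generic client command: "<tag> <COMMAND> [args]"
CLIENT_CMD = re.compile(r"^(?P<tag>\S+) (?P<cmd>[A-Za-z]+)(?: (?P<args>.*))?$")

# Constructed sample of a .in (client -> server) file, same format as the page's example.
SAMPLE_IN = """1523905191.015557 1 LOGIN alice@example.com s3cret-pass
1523905192.100000 2 LIST "" "*"
1523905193.200000 3 SELECT INBOX
1523905194.300000 4 FETCH 1:* (FLAGS BODY.PEEK[HEADER.FIELDS (FROM SUBJECT)])
1523905195.400000 5 LOGOUT
"""

# Constructed sample of a .out (server -> client) file.
SAMPLE_OUT = """1523905190.806295 * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
1523905191.200000 1 OK Logged in
1523905192.300000 * LIST (\\HasNoChildren) "." INBOX
1523905192.300000 2 OK List completed
"""


def parse_rawlog(text):
    """Split rawlog text into (timestamp string, raw IMAP line) tuples.

    Lines without the timestamp prefix (e.g. literal continuation data) are skipped.
    """
    entries = []
    for line in text.splitlines():
        m = RAWLOG_LINE.match(line)
        if m:
            entries.append((m.group("ts"), m.group("raw")))
    return entries


def redact_login(raw):
    """Replace the password argument of a LOGIN command; other lines pass through."""
    m = LOGIN_CMD.match(raw)
    if not m:
        return raw
    return f"{m.group('tag')} LOGIN {m.group('user')} ***REDACTED***"


def redact_rawlog(text):
    """Return the rawlog text with every LOGIN password redacted, timestamps preserved."""
    return "\n".join(f"{ts} {redact_login(raw)}" for ts, raw in parse_rawlog(text))


def client_commands(entries):
    """Return (timestamp, COMMAND, args) for each client-side entry."""
    result = []
    for ts, raw in entries:
        m = CLIENT_CMD.match(raw)
        if m:
            result.append((ts, m.group("cmd").upper(), m.group("args") or ""))
    return result


def command_counts(entries):
    """Count how often each IMAP command appears in a session's .in file."""
    return Counter(cmd for _, cmd, _ in client_commands(entries))


def login_attempts(entries):
    """(timestamp, username) for every LOGIN seen; the password is never returned."""
    attempts = []
    for ts, raw in entries:
        m = LOGIN_CMD.match(raw)
        if m:
            attempts.append((ts, m.group("user")))
    return attempts


if __name__ == "__main__":
    # Usage: python rawlog_review.py <file>.in  (falls back to the constructed sample)
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_IN
    entries = parse_rawlog(text)
    for ts, user in login_attempts(entries):
        print(f"LOGIN at {ts}: {user}")
    for cmd, n in command_counts(entries).most_common():
        print(f"{cmd:10s} {n}")
```

Run it against one of the session files under the dovecot.rawlog folder (for example /var/mail/vhosts/domain.com/user/dovecot.rawlog/<timestamp>.in in the setup described above) to get the list of LOGIN usernames and a per-command count; redact_rawlog() produces a copy safe to paste into a ticket. Only the client-side .in files are summarized; the .out side still contains message bodies, so keep both under the same access controls as the mailbox itself.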