Rawlog

Dovecot supports logging IMAP/POP3/LMTP/SMTP(submission) traffic (also TLS/SSL encrypted). There are several possibilities for this:

  1. rawlog_dir setting.

    New in version v2.2.26.

  2. Pre-login *-login process via -R parameter. See below.

    New in version v2.3.2.

  3. For proxying (in *-login processes), use login_proxy_rawlog_dir.

    New in version v2.3.17.

  4. For lmtp, you need to use lmtp_rawlog_dir and lmtp_proxy_rawlog_dir settings.

    New in version v2.3.2.

  5. For submission, you need to use rawlog_dir and submission_relay_rawlog_dir settings.

  6. Using rawlog binary, which is executed as post-login script. This is the legacy method, which shouldn’t be necessary anymore. See below.

Pre-login rawlog

New in version v2.3.2.

The pre-login rawlog is used before IMAP, POP3, Submission or ManageSieve client logs into the post-login process. Note that LMTP and doveadm protocols don’t have a pre-login process.

Note

SSL/TLS sessions are currently not decrypted to rawlogs.

You can enable pre-login rawlog for all users by telling the login processes to log to a rawlog directory.

Example:

service imap-login {
  executable = imap-login -R rawlogs
}

This attempts to write the rawlogs under $base_dir/login/rawlogs directory. You need to create it first with enough write permissions.

Example:

mkdir /var/run/dovecot/login/rawlogs
chown dovenull /var/run/dovecot/login/rawlogs
chmod 0700 /var/run/dovecot/login/rawlogs

rawlog binary

This is the legacy method. rawlog_dir setting is preferred nowadays.

This works by checking if dovecot.rawlog/ directory exists in the logged in user’s home directory, and writing the traffic to yyyymmdd-HHMMSS-pid.in and .out files. Each connection gets their own in/out files. Rawlog will simply skip users who don’t have the dovecot.rawlog/ directory and the performance impact for those users is minimal.

Home directory

Note

For rawlog binary to work, your userdb must have returned a home directory for the user.

Important

The home directory must be returned by userdb, mail_home setting won’t work. Verify that doveadm user -u user@example.com (with -u parameter) returns the home directory, for example:

% doveadm user -u user@example.com
userdb: user@example.com
   user      : user@example.com
   uid       : 1000
   gid       : 1000
   home      : /home/user@example.com

In above configuration rawlog would expect to find /home/user@example.com/dovecot.rawlog/ directory writable by uid 1000.

If your userdb can’t return a home directory directly, with v2.1+ you can add:

  userdb {
     # ...
     default_fields = home=/home/%u
     # or temporarily even e.g. default_fields = home=/tmp/temp-home
}

You can also set DEBUG environment to have rawlog log an info message why it’s not doing anything:

import_environment=$import_environment DEBUG=1

Configuration

To enable rawlog binary, use post-login scripting:

service imap {
  executable = imap postlogin
}
service pop3 {
  executable = pop3 postlogin
}

service postlogin {
  executable = script-login -d rawlog
  unix_listener postlogin {
 }
}

You can also give parameters to rawlog:

  • -b: Write IP packet boundaries (or whatever read() sees anyway) to the log files. The packet is written between <<< and >>>.

  • -t: Log a microsecond resolution timestamp at the beginning of each line.

  • -I: Include IP address in the filename

  • -f in: Log only to *.in files

  • -f out: Log only to *.out files