This documentation is for Dovecot v2.x, see wiki1 for v1.x documentation.
Differences between revisions 8 and 22 (spanning 14 versions)
Revision 8 as of 2015-03-12 13:50:20
Size: 2516
Editor: TimoSirainen
Comment:
Revision 22 as of 2021-07-07 23:37:53
Size: 75
Comment:
Deletions are marked like this. Additions are marked like this.
Line 1: Line 1:
= Rawlog =

Dovecot supports logging post-login IMAP/POP3 traffic (also TLS/SSL encrypted) using {{{rawlog}}} binary. It works by checking if {{{dovecot.rawlog/}}} directory exists in the logged in user's home directory, and writing the traffic to {{{yyyymmdd-HHMMSS-pid.in}}} and {{{.out}}} files. Each connection gets their own in/out files. Rawlog will simply skip users who don't have the {{{dovecot.rawlog/}}} directory and the performance impact for those users is minimal.

== Home directory ==

Note that for rawlog to work, your [[UserDatabase|userdb]] must have returned a home directory for the user. If you can't get rawlog to work, you should verify that the home directory really is where you expected it to be by setting {{{mail_debug=yes}}} and checking the logs. You should see a line such as:

{{{
Effective uid=1000, gid=1000, home=/home/user
}}}

In above configuration rawlog would expect to find {{{/home/user/dovecot.rawlog/}}} directory writable by uid 1000.

If your userdb doesn't have a home directory, with v2.1+ you can add:

{{{
userdb {
  # ...
  default_fields = home=/home/%u
  # or temporarily even e.g. default_fields = home=/tmp/temp-home
}
}}}

== Configuration ==

To enable rawlog, you must use rawlog as a [[PostLoginScripting|post-login script]]:

{{{
service imap {
  executable = imap postlogin
}
service pop3 {
  executable = pop3 postlogin
}

service postlogin {
  executable = script-login -d rawlog
  unix_listener postlogin {
  }
}
}}}

You can also give parameters to rawlog:

 * -b: Write IP packet boundaries (or whatever read() sees anyway) to the log files. The packet is written between <<< and >>>.
 * -t: Log a microsecond resolution timestamp at the beginning of each line.
 * -I: Include IP address in the filename (v2.2.16+)
 * v2.1 and newer:
  * -f in: Log only to *.in files
  * -f out: Log only to *.out files
 * v2.0 and older:
  * -i: Log only to *.in files
  * -o: Log only to *.out files

== Pre-login rawlog (v2.1+) ==

You can enable pre-login rawlog for all users by telling the login processes to log to a rawlog directory, for example:

{{{
service imap-login {
  executable = imap-login -R rawlogs
}
}}}

This tries to write the rawlogs under $base_dir/rawlogs directory. You need to create it first with enough write permissions, e.g.:

{{{
mkdir /var/run/dovecot/login/rawlogs
chown dovenull /var/run/dovecot/login/rawlogs
chmod 0700 /var/run/dovecot/login/rawlogs
}}}
Moved to https://doc.dovecot.org/admin_manual/debugging/debugging_rawlog/

None: Debugging/Rawlog (last edited 2021-07-07 23:37:53 by MichaelSlusarz)