Logging users vs. ip address

We have been having problems with compromised accounts used for spamming, 
and I needed to track user logins against client ip address.

The remote address turns up in the Message-ID, e.g.
<port>.<ipv4a.b.c.d>.nnnn.squirrel...
and in Apache access_log, but those don't give the username.
imapd syslog gives the username, but lists 127.0.0.1 as the address.
Correlating timestamps was painful, so I hacked squirrelmail.

I'm sure there's a better, more elegant way, probably already done by 
someone - maybe "Squirrel Logger" plugin which I hadn't found when I 
wrote this. But for what it's worth:

patch against squirrelmail-1.4.8-5.el4 (Latest RedHat Enterprise 4 
package) - generates a simple greppable file of logins and logouts :


--- /usr/share/squirrelmail/src/redirect.php.orig       2009-01-20 
21:21:31.000000000 -0800
+++ /usr/share/squirrelmail/src/redirect.php    2009-10-23 
16:56:03.000000000 -0700
@@ -99,7 +99,11 @@
      sqsession_register ($username, 'username');
      sqsetcookie('key', $key, 0, $base_uri);
      do_hook ('login_verified');
-
+    if ($logfile = fopen('/var/log/squirrelmail/session.log','a+') ) {
+      $logline = date('Y-m-d H:i:s ') . $_SERVER['REMOTE_ADDR'] . ' login ' . $username . "\n";
+      fputs($logfile, $logline, strlen($logline) );
+      fclose($logfile);
+    }
  }

  /* Set the login variables. */
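
Review bot: $username goes into the space-delimited log line unmodified on the added `$logline = ...` line, so a username containing whitespace or a line break would shift the fields or add a forged record to session.log; strip whitespace and control characters (or quote the value) before writing it. The block sits after do_hook ('login_verified'), so only successful logins are recorded; if failed attempts matter for tracking compromised accounts they need their own entry. Mode 'a' is enough for fopen since the file is never read here, and a failed open is skipped without any record that logging is not working.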
--- /usr/share/squirrelmail/src/signout.php.orig        2006-07-30 
12:37:38.000000000 -0700
+++ /usr/share/squirrelmail/src/signout.php     2009-10-23 
18:10:51.000000000 -0700
@@ -43,6 +43,11 @@
  }

  do_hook('logout');
+if ($logfile = fopen('/var/log/squirrelmail/session.log','a+') ) {
+  $logline = date('Y-m-d H:i:s ') . $_SERVER['REMOTE_ADDR'] . ' logout ' . $username . "\n";
+  fputs($logfile, $logline, strlen($logline) );
+  fclose($logfile);
+}

  sqsession_destroy();
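
Review bot: the added logout block uses $username, but nothing in the visible context of signout.php shows it being set before do_hook('logout'); if it is not in scope at this point the line ends with an empty username field, so test for that and write a marker such as '-' instead. The five added lines also duplicate the login block in redirect.php; a shared helper function would keep the line format and the log path in one place.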

---------------------
/var/log/squirrelmail needs to exist, writable by apache
(PHP is not my choice of scripting language, so this is way crude ...)




-- 
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376  (Pacific Time)
Network Security Manager
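
One way to use the session.log produced by the patch above for the compromised-account tracking the post describes, added here as an example and not part of the original message: it parses the `date time address event username` lines and reports users whose logins came from several distinct addresses within a sliding time window. The threshold, window, function names and sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Format written by the patch: "Y-m-d H:i:s REMOTE_ADDR login|logout username"
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) (login|logout) (\S+)$")

def parse_line(line):
    """Return (timestamp, ip, event, user), or None if the line is malformed."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None  # e.g. an empty username leaves nothing after the event
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(2), m.group(3), m.group(4)

def flag_accounts(lines, min_ips=3, window=timedelta(hours=1)):
    """Return ({user: most distinct login IPs inside one window}, skipped_lines)."""
    logins, skipped = defaultdict(list), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1
        elif rec[2] == "login":
            logins[rec[3]].append((rec[0], rec[1]))
    flagged = {}
    for user, events in logins.items():
        events.sort()
        start, seen = 0, Counter()
        for ts, ip in events:
            seen[ip] += 1
            while ts - events[start][0] > window:  # drop logins older than window
                old_ip = events[start][1]
                seen[old_ip] -= 1
                if seen[old_ip] == 0:
                    del seen[old_ip]
                start += 1
            if len(seen) >= min_ips:
                flagged[user] = max(flagged.get(user, 0), len(seen))
    return flagged, skipped

# Constructed sample lines (documentation address ranges, made-up usernames).
SAMPLE = [
    "2009-10-23 16:56:03 192.0.2.10 login alice\n",
    "2009-10-23 17:01:12 198.51.100.7 login bob\n",
    "2009-10-23 17:02:40 203.0.113.5 login bob\n",
    "2009-10-23 17:03:02 203.0.113.99 login bob\n",
    "2009-10-23 18:10:51 192.0.2.10 logout alice\n",
    "2009-10-24 09:30:00 192.0.2.10 logout \n",  # empty username: counted as skipped
]
```

Calling `flag_accounts(open('/var/log/squirrelmail/session.log'))` runs the same check over the real file; a non-zero skipped count means some lines do not match the expected format and should be inspected by hand.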
