iRule to log POP3/IMAP user

Question

Hello everyone,&nbsp;
Since i'm new with iRules, could you please advice me how to log username/user's email address from POP3 and IMAP sessions.&nbsp;
The goal is to move users to go through POP3/IMAP over SSL, however, prior to do so, we would like to identify users who still use un-encrypted connections and reduce impact for the production.&nbsp;
I already created custom log facility for that pourpose, but i couldn't find how to parse username from traffic.&nbsp;
Many thanks!&nbsp;
 &nbsp;
P.S. Just in case - sorry for my bad english ;)&nbsp;

what_lies_bene1 · Answer

Hey. I believe for IMAP login packet data would look like this; 
 
login username password

what_lies_bene1 · Answer

So an iRule to log that might look like this. This is a bit simple and I'm sure it could be improved and you could pull the username string out, I just don't have that level of skill; 
 
when CLIENT_ACCEPTED {
 TCP::collect 300
 }

when CLIENT_DATA {
 if { [TCP::payload 300] contains "login" } {
  log local0. "[TCP::payload 300]"
  TCP::release
 }

mohamed_lrhazi · Answer

I think it would be simpler to look in the server software side for a solution to this, or is that just not possible for you?

what_lies_bene1 · Answer

OK, here's an improvement using findstr to pull out just the username and restricting data collection to port 143 connections; 
 
when CLIENT_ACCEPTED {
 if {[TCP::local_port] == 143 } {
  Collect 300 bytes of data if client is using unencrypted IMAP
  TCP::collect 300
 }
}

when CLIENT_DATA {
 if {[TCP::local_port] == 143 } {
 Only do the following if client is using unencrypted IMAP and presumably data has been collected
  if { [TCP::payload 300] contains "login" } {
   Look for text 'login', skip forward 1 character and match up to the next space
   set imapusername [findstr [TCP::payload 300] "login" "1" " "]
   log local0. "Unecrypted IMAP connection established by $imapusername"
   Release and flush collected data
   TCP::release
   Stop processing the iRule for this event here
   return
  }
 }
}

arkashik_6155 · Answer

Posted By What Lies Beneath on 01/04/2013 05:44 AM
OK, here's an improvement using findstr to pull out just the username and restricting data collection to port 143 connections;
 when CLIENT_ACCEPTED { if {[TCP::local_port] == 143 } { Collect 300 bytes of data if client is using unencrypted IMAP TCP::collect 300 } } when CLIENT_DATA { if {[TCP::local_port] == 143 } { Only do the following if client is using unencrypted IMAP and presumably data has been collected if { [TCP::payload 300] contains "login" } { Look for text 'login', skip forward 1 character and match up to the next space set imapusername [findstr [TCP::payload 300] "login" "1" " "] log local0. "Unecrypted IMAP connection established by $imapusername" Release and flush collected data TCP::release Stop processing the iRule for this event here return } } } 
Thanks a lot, will give a try with this one.
 
Posted By Mohamed Lrhazi on 01/04/2013 05:43 AM
I think it would be simpler to look in the server software side for a solution to this, or is that just not possible for you?
Hello Mohamed, this solution is also under review.

Forum Discussion

iRule to log POP3/IMAP user

9 Replies

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

F5 Networks F5CAB1 Exam - Need Help Regarding Prep

Username is not filled in EdgeClient in the Modern customization

The GSLB pool is providing an incorrect IP to end users

iRule causing requests to be duplicated (sometimes)

Cisco TACACS+ Config on ISE LTM Pair

Related Content

POP3/IMAP Start TLS

DEVCENTRAL END-USER LICENSE AGREEMENT

F5 ASM/AWAF Preventing unauthorized users accessing admin path using iRule script

SSL Orchestrator Service Extensions: User Coaching

Service Extensions with SSL Orchestrator User Coaching of AI Related Content

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS