iRule to log POP3/IMAP user

Question

Hello everyone,&nbsp;
Since i'm new with iRules, could you please advice me how to log username/user's email address from POP3 and IMAP sessions.&nbsp;
The goal is to move users to go through POP3/IMAP over SSL, however, prior to do so, we would like to identify users who still use un-encrypted connections and reduce impact for the production.&nbsp;
I already created custom log facility for that pourpose, but i couldn't find how to parse username from traffic.&nbsp;
Many thanks!&nbsp;
 &nbsp;
P.S. Just in case - sorry for my bad english ;)&nbsp;

what_lies_bene1 · Answer

Hey. I believe for IMAP login packet data would look like this; 
 
login username password

what_lies_bene1 · Answer

So an iRule to log that might look like this. This is a bit simple and I'm sure it could be improved and you could pull the username string out, I just don't have that level of skill; 
 
when CLIENT_ACCEPTED {
 TCP::collect 300
 }

when CLIENT_DATA {
 if { [TCP::payload 300] contains "login" } {
  log local0. "[TCP::payload 300]"
  TCP::release
 }

mohamed_lrhazi · Answer

I think it would be simpler to look in the server software side for a solution to this, or is that just not possible for you?

what_lies_bene1 · Answer

OK, here's an improvement using findstr to pull out just the username and restricting data collection to port 143 connections; 
 
when CLIENT_ACCEPTED {
 if {[TCP::local_port] == 143 } {
  Collect 300 bytes of data if client is using unencrypted IMAP
  TCP::collect 300
 }
}

when CLIENT_DATA {
 if {[TCP::local_port] == 143 } {
 Only do the following if client is using unencrypted IMAP and presumably data has been collected
  if { [TCP::payload 300] contains "login" } {
   Look for text 'login', skip forward 1 character and match up to the next space
   set imapusername [findstr [TCP::payload 300] "login" "1" " "]
   log local0. "Unecrypted IMAP connection established by $imapusername"
   Release and flush collected data
   TCP::release
   Stop processing the iRule for this event here
   return
  }
 }
}

arkashik_6155 · Answer

Posted By What Lies Beneath on 01/04/2013 05:44 AM
OK, here's an improvement using findstr to pull out just the username and restricting data collection to port 143 connections;
 when CLIENT_ACCEPTED { if {[TCP::local_port] == 143 } { Collect 300 bytes of data if client is using unencrypted IMAP TCP::collect 300 } } when CLIENT_DATA { if {[TCP::local_port] == 143 } { Only do the following if client is using unencrypted IMAP and presumably data has been collected if { [TCP::payload 300] contains "login" } { Look for text 'login', skip forward 1 character and match up to the next space set imapusername [findstr [TCP::payload 300] "login" "1" " "] log local0. "Unecrypted IMAP connection established by $imapusername" Release and flush collected data TCP::release Stop processing the iRule for this event here return } } } 
Thanks a lot, will give a try with this one.
 
Posted By Mohamed Lrhazi on 01/04/2013 05:43 AM
I think it would be simpler to look in the server software side for a solution to this, or is that just not possible for you?
Hello Mohamed, this solution is also under review.

Forum Discussion

iRule to log POP3/IMAP user

9 Replies

Recent Discussions

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

F5 Access Guard Deprecated: ZTA APM

F5 loadbalancer not working

Pricing when used with aws waf

F5 terminal - help to run commands - disk space full

Related Content

POP3/IMAP Start TLS

DEVCENTRAL END-USER LICENSE AGREEMENT

Update your DevCentral user profile

Irule for diverting blocked gelocation users to a page

IMAP/POP3 forwarding to specific pools