HaProxy -> Dovecot via ProxyProtocol: IPv4 address not parsed correctly

Hi,

while testing dovecot-spam, I found out that in my setup, IPv6 addresses from which failed login attempts originate do get blocked, but IPv4 addresses don’t.

I have HAProxy set up as a reverse proxy. HAProxy forwards IMAP ports to Dovecot via ProxyProtocol, so that the original IP address is transmitted to Dovecot (and not the IP address of the server proxy is running on). I don’t know if this is related to the behavior.

When an login attempt from an IPv4 address fails, Dovecot logs the following message:

Jan 13 14:53:45 imap-login: Info: Disconnected (auth failed, 2 attempts in 4 secs): user=xxx@xxx.xx, method=PLAIN, rip=::ffff:xxx.xxx.xxx.xxx, lip=::ffff:xxx.xxx.xxx.xxx, TLS, session=

Via cscli explain, I found out that the parser wrongly detects the IP address

create evt.Meta.source_ip : ::ffff:xxx.xxx.xxx.xxx

which then subsequently gets banned, with no effect, presumably because ::ffff:xxx.xxx.xxx.xxx isn’t a valid IPv4 address.

Has anybody observed a similar behavior? Is my interpretation correct? Any ideas how to adapt the parser to catch this behavior?

Thank you

Solved it (at least for me). In dovecot-logs.yaml, I changed the line

      pattern: "%{WORD:protocol}-login: %{DATA:dovecot_login_message}: user=<%{DATA:dovecot_user}>.*, rip=%{IP:dovecot_remote_ip}, lip=%{IP:dovecot_local_ip}"

to

      pattern: "%{WORD:protocol}-login: %{DATA:dovecot_login_message}: user=<%{DATA:dovecot_user}>.*, rip=??(::ffff:)%{IP:dovecot_remote_ip}, lip=%{IP:dovecot_local_ip}"

There it is again, this feeling of both being stupid and having learned something… The approach above breaks IPv6 detection. I think I have something better now:

pattern: "%{WORD:protocol}-login: %{DATA:dovecot_login_message}: user=<%{DATA:dovecot_user}>.*, rip=(::ffff:)?%{IP:dovecot_remote_ip}, lip=(::ffff:)?%{IP:dovecot_local_ip}"

Seems to be working. Fingers crossed.

This was opened on github and issue is kind of resolved here