
Add logging for Source IP

Open tommairs opened this issue 1 year ago • 5 comments

We should report on the IP address of the egress source. Currently we can report on the name only.

Logging currently includes egress_source. We should be able to report egress_source.name and egress_source.ip

tommairs avatar Apr 27 '23 17:04 tommairs

The source address is an optional parameter, and when we add HAProxy support the actual address is controlled by the external proxy and may even map to several addresses.

Does it make sense to log something that may not be there?

wez avatar May 08 '23 15:05 wez

Even when the source address is optional, an address will still be used. And can our HAProxy support theoretically query the proxy to find out what IP was used?

This is also potentially something we can look at again when we have external IP detection support. Reporting the actual external IP used.

MHillyer avatar May 08 '23 15:05 MHillyer

We know which IP we want to connect to; that is already logged as the peer_address. For the source address: that information is optional and may not be knowable. I'm not sure if HAProxy returns the source address; the protocol looked a bit like SOCKS5 and I don't recall that being able to return configuration information from the proxy to the client.

wez avatar May 08 '23 15:05 wez

My opinion on this is: the operator should name the source something meaningful to the log processing pipeline. The name could include the IP address if desired.

wez avatar May 08 '23 15:05 wez

So in commercial MTAs that can be an issue because of the challenge in semantic naming, since many admins named their binding/vmta after a client and then had no idea which actual IP address was the problem when viewing logs.

Given that we can assign tenants separate from egress sources it may be fine. I say let's wait to see if there's user-side demand for this instead of anticipating the request.

MHillyer avatar May 08 '23 15:05 MHillyer

> We know which IP we want to connect to; that is already logged as the peer_address. For the source address: that information is optional and may not be knowable. I'm not sure if HAProxy returns the source address; the protocol looked a bit like SOCKS5 and I don't recall that being able to return configuration information from the proxy to the client.

If HAProxy is being used, we can assume that ha_proxy_source_address is the egress IP. HAProxy will return an error if you try to use an egress IP it can't bind to.

edgarsendernet avatar Jul 02 '24 07:07 edgarsendernet

> The source address is an optional parameter, and when we add HAProxy support the actual address is controlled by the external proxy and may even map to several addresses.
>
> Does it make sense to log something that may not be there?

The system already logs stuff that's not there, for example bounce_classification fields in Delivery records :)

edgarsendernet avatar Jul 02 '24 07:07 edgarsendernet