Session logging for mail/news: Difference between revisions
(External links - fixed error in network sorcery nntp link) |
m (External link to logging changed) |
Revision as of 10:36, 24 August 2008
This article is about troubleshooting techniques for advanced users who are investigating problems with servers. It applies to all of the server types that Thunderbird connects to:
- POP3: For getting mail
- IMAP: For getting mail
- SMTP: For sending mail
- NNTP: For usenet news
- HTTP: For RSS feeds
- LDAP: For address books
These methods are only useful for investigating problems that occur after Thunderbird establishes a connection to a server. If Thunderbird cannot connect to the server, then it is pointless trying to log the connection—in these cases, see: Network tools for server connections
To use these methods for investigating secure authentication, you will need additional tools depending on the authentication method.
Methods for logging
There are three methods for logging server connections:
- Thunderbird itself
- A logging proxy
- A packet sniffer
Using Thunderbird
Thunderbird can create a log file for the server types POP3, IMAP, SMTP, NNTP and HTTP.
When you use Thunderbird to log a connection:
- You do not see all the authentication information, so you might not be able to investigate authentication problems in detail.
- You can log secure (SSL and TLS) connections.
To create the log file, follow the instructions on the Mozilla web page linked below. Use log level 5, and remember to specify POP3:5, IMAP:5, SMTP:5, NNTP:5, LDAP:5, MIME:5 or nsHttp:5, depending on which type of server you are investigating. (The module nsHttp is not mentioned on the linked page.)
Protocol Logging: https://wiki.mozilla.org/MailNews:Logging
Exiting Thunderbird and running it again with session logging doesn't always close existing connections; they may need a minute or two to time out. It's usually easiest to debug a problem when Thunderbird makes a new connection. For example, if you enabled IMAP logging and the connection to the AIM mail server was still open, you would see something roughly like:
- 0[34988]: 2310cc0:imap.cs.com:NA:SetupWithUrl: clearing IMAP_CONNECTION_IS_OPEN
If the log file is empty, that normally means you either didn't configure the logging correctly (for example, you need to specify POP3:5, not POP:5) or you couldn't make a TCP/IP connection to the mail server for some reason. You could use netstat to list your connections. Run it from a console window/DOS box.
Using a proxy
A logging proxy is an additional program that logs a specific connection.
When you use a proxy:
- You can log any server type.
- You do not see Thunderbird's connection states. This simplifies the log, but it might make some problems more difficult to discover.
- You see the raw data with no explanatory information.
- You see all the authentication information. However, investigating secure authentication requires additional tools.
- You cannot successfully log a secure (SSL) connection, nor a TLS connection after the initial negotiation.
To configure a proxy, either change Thunderbird's server settings, or use Thunderbird's proxy settings to specify localhost (your own computer, where the proxy is running) as the proxy server. By changing settings in Thunderbird, you risk changing the nature of the problem that you are investigating. If possible, check the proxy configuration with a working server before you use it with the server you are investigating.
To change Thunderbird's server settings, point Thunderbird at the server localhost and point the logging proxy at the real server.
To change Thunderbird's proxy settings, choose: Tools – Options... – General – Connection Settings..., choose "Manual proxy configuration", set the HTTP proxy to localhost, and check the box "Use this proxy server for all protocols". Use whatever port you have configured in the proxy—for example, 80. Point the logging proxy at the real server and port.
Some examples of logging proxies that you can download are:
- Trivial Proxy (Windows only)
- TCPreen (cross-platform)
Using a packet sniffer
A packet sniffer is an additional program that logs network traffic. You usually configure the packet sniffer to filter the log, so that you only see the parts that interest you. The resulting log contains information similar to a proxy log, but it might be presented in a much more complex way, depending on the sniffer and on how you configure it.
When you use a packet sniffer:
- You can log any server type.
- You do not change any settings in Thunderbird.
- You see the raw data with no explanatory information.
- You do not see Thunderbird's connection states. This simplifies the log, but it might make some problems more difficult to discover.
- You see all the authentication information. However, investigating secure authentication requires additional tools.
- You cannot successfully log a secure (SSL) connection, nor a TLS connection after the initial negotiation.
Configuring a packet sniffer depends on the sniffer.
Some examples of packet sniffers that you can download are:
Interpreting a connection log
To interpret a connection log, you need to understand something about how the server works and how Thunderbird works.
The server specifications are Internet standards published as RFCs. There are some links to them in the External links section below.
For POP3, SMTP and NNTP, Thunderbird works by computing a connection state that tells it what to expect from the server and what to do next. These connection states are internal to Thunderbird. They might be different in different releases of Thunderbird. To understand the connection states in detail, you might have to read Thunderbird's C++ source code.
POP3 connection states
SMTP connection states
NNTP connection states
Examples
Here is a proxy log of a connection to a POP3 server. There are no messages on the server:
    +OK Hello there.
    AUTH
    -ERR Invalid command.
    CAPA
    +OK Here's what I can do:
    SASL LOGIN CRAM-MD5 CRAM-SHA1
    TOP
    USER
    LOGIN-DELAY 10
    PIPELINING
    UIDL
    IMPLEMENTATION Courier Mail Server
    .
    AUTH LOGIN
    + VXNlcm5hbWU6
    anVzdC50ZXN0aW5nQGV4YW1wbGUubmV0DQo=
    + UGFzc3dvcmQ6
    Zm9vYmFyMTIzDQo=
    +OK logged in.
    STAT
    +OK 0 0
    QUIT
    +OK Bye-bye.
The base64 strings that you see are:
- VXNlcm5hbWU6 = Username:
- anVzdC50ZXN0aW5nQGV4YW1wbGUubmV0DQo= = just.testing@example.net (the username)
- UGFzc3dvcmQ6 = Password:
- Zm9vYmFyMTIzDQo= = foobar123 (the password)
Here is a Thunderbird log of the same connection:
    0[ef1790]: Entering NET_ProcessPop3 18
    0[ef1790]: POP3: Entering state: 1
    0[ef1790]: POP3: Entering state: 2
    0[ef1790]: POP3: Entering state: 4
    0[ef1790]: RECV: +OK Hello there.
    0[ef1790]: POP3: Entering state: 29
    0[ef1790]: SEND: AUTH
    0[ef1790]: Entering NET_ProcessPop3 23
    0[ef1790]: POP3: Entering state: 3
    0[ef1790]: RECV: -ERR Invalid command.
    0[ef1790]: POP3: Entering state: 30
    0[ef1790]: POP3: Entering state: 31
    0[ef1790]: SEND: CAPA
    0[ef1790]: Entering NET_ProcessPop3 142
    0[ef1790]: POP3: Entering state: 3
    0[ef1790]: RECV: +OK Here's what I can do:
    0[ef1790]: POP3: Entering state: 32
    0[ef1790]: RECV: SASL LOGIN CRAM-MD5 CRAM-SHA1
    0[ef1790]: POP3: Entering state: 32
    0[ef1790]: RECV: TOP
    0[ef1790]: POP3: Entering state: 32
    0[ef1790]: RECV: USER
    0[ef1790]: POP3: Entering state: 32
    0[ef1790]: RECV: LOGIN-DELAY 10
    0[ef1790]: POP3: Entering state: 32
    0[ef1790]: RECV: PIPELINING
    0[ef1790]: POP3: Entering state: 32
    0[ef1790]: RECV: UIDL
    0[ef1790]: POP3: Entering state: 32
    0[ef1790]: RECV: IMPLEMENTATION Courier Mail Server
    0[ef1790]: POP3: Entering state: 32
    0[ef1790]: RECV: .
    0[ef1790]: POP3: Entering state: 33
    0[ef1790]: POP3: Entering state: 35
    0[ef1790]: SEND: AUTH LOGIN
    0[ef1790]: Entering NET_ProcessPop3 16
    0[ef1790]: POP3: Entering state: 3
    0[ef1790]: RECV: + VXNlcm5hbWU6
    0[ef1790]: POP3: Entering state: 36
    0[ef1790]: POP3: Entering state: 5
    0[ef1790]: SEND: anVzdC50ZXN0aW5nQGV4YW1wbGUubmV0DQo=
    0[ef1790]: Entering NET_ProcessPop3 16
    0[ef1790]: POP3: Entering state: 3
    0[ef1790]: RECV: + UGFzc3dvcmQ6
    0[ef1790]: POP3: Entering state: 34
    0[ef1790]: POP3: Entering state: 6
    0[ef1790]: Logging suppressed for this command (it probably contained authentication information)
    0[ef1790]: Entering NET_ProcessPop3 16
    0[ef1790]: POP3: Entering state: 3
    0[ef1790]: RECV: +OK logged in.
    0[ef1790]: POP3: Entering state: 34
    0[ef1790]: POP3: Entering state: 7
    0[ef1790]: SEND: STAT
    0[ef1790]: Entering NET_ProcessPop3 9
    0[ef1790]: POP3: Entering state: 3
    0[ef1790]: RECV: +OK 0 0
    0[ef1790]: POP3: Entering state: 8
    0[ef1790]: POP3: Entering state: 22
    0[ef1790]: SEND: QUIT
    0[ef1790]: Entering NET_ProcessPop3 14
    0[ef1790]: POP3: Entering state: 3
    0[ef1790]: RECV: +OK Bye-bye.
    0[ef1790]: POP3: Entering state: 43
    0[ef1790]: POP3: Entering state: 23
    0[ef1790]: POP3: Entering state: 25
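The two logs above differ in what they expose: the proxy log carries both AUTH LOGIN replies in base64, which anyone can decode, while the Thunderbird log suppresses the password but still records the username. The following is an added example, not part of the original article or of Thunderbird: a Python sketch that replaces client replies to base64 challenges before a log is shared. The names redact_auth and decode and the [REDACTED] marker are assumptions made for this illustration.

```python
import base64
import re

# Constructed samples: the AUTH LOGIN part of the two logs shown above.
PROXY_LOG = """\
AUTH LOGIN
+ VXNlcm5hbWU6
anVzdC50ZXN0aW5nQGV4YW1wbGUubmV0DQo=
+ UGFzc3dvcmQ6
Zm9vYmFyMTIzDQo=
+OK logged in."""
TB_LOG = """\
0[ef1790]: SEND: AUTH LOGIN
0[ef1790]: RECV: + VXNlcm5hbWU6
0[ef1790]: SEND: anVzdC50ZXN0aW5nQGV4YW1wbGUubmV0DQo=
0[ef1790]: RECV: + UGFzc3dvcmQ6
0[ef1790]: Logging suppressed for this command (it probably contained authentication information)
0[ef1790]: RECV: +OK logged in."""

TB_LINE = re.compile(r"^(\d+\[[0-9a-f]+\]: )(?:(SEND|RECV): (.*))?")
CHALLENGE = re.compile(r"^\+ ([A-Za-z0-9+/]+=*)$")

def decode(b64):
    """Decode a server challenge; base64 is an encoding, not encryption."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-8", "replace").strip()
    except ValueError:
        return "<undecodable>"

def redact_auth(log_text):
    """Return (redacted_log, prompts whose client reply was found and replaced)."""
    out, prompts, pending = [], [], None
    for line in log_text.splitlines():
        m = TB_LINE.match(line)
        payload = m.group(3) if m else line
        if not payload:                    # Thunderbird state/info line, or blank
            out.append(line)
            continue
        # Thunderbird logs name the direction; in raw logs, server lines start with + or -.
        from_client = (m.group(2) == "SEND") if m else (payload[0] not in "+-")
        challenge = CHALLENGE.match(payload)
        if challenge:
            pending = decode(challenge.group(1))
        elif pending is not None:
            if from_client:
                prompts.append(pending)
                line = f"{m.group(1)}{m.group(2)}: [REDACTED]" if m else "[REDACTED]"
            pending = None
        out.append(line)
    return "\n".join(out), prompts
```

For the proxy excerpt the function reports both the Username: and Password: replies as redacted; for the Thunderbird excerpt it reports only Username:, because the password command was never written to the log.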
See also
External links
Wikipedia articles (including links to RFCs):
- Post Office Protocol (POP3)
- Internet Message Access Protocol (IMAP)
- Simple Mail Transfer Protocol (SMTP)
- Network News Transfer Protocol (NNTP)
- Hypertext Transfer Protocol (HTTP)
- Lightweight Directory Access Protocol (LDAP)
Protocol guides (they focus on the actual commands and which RFC applies to a specific protocol command):
- Post Office Protocol (POP3)
- Internet Message Access Protocol (IMAP)
- Simple Mail Transfer Protocol (SMTP)
- Network News Transfer Protocol (NNTP)
- Hypertext Transfer Protocol (HTTP)
- Lightweight Directory Access Protocol (LDAP)
Sometimes it's useful to compare session logs for another email client and Thunderbird.