[CentOS] saslauth logging

Wed Apr 26 08:46:52 UTC 2017
John Hodrien <J.H.Hodrien at leeds.ac.uk>

On Wed, 26 Apr 2017, Jobst Schmalenbach wrote:

> On Tue, Apr 25, 2017 at 07:14:56PM -0700, Gordon Messmer (gordon.messmer at gmail.com) wrote:
>> On 04/25/2017 07:00 PM, Jobst Schmalenbach wrote:
>>> What I want is the IP address and if possible the incorrect password (just
>>> to see how far they are off).  Is this possible?
>> I hope not.  That's a terrible idea.  Every time a user fat-fingers their
>> password, your plain-text logs have a copy of their almost-correct
>> password.
> As always there are tradeoffs ...
> I have a reasonable strict password policy, so by looking at the failed
> passwords I can see how far the tries are off the real thing, so it actually
> is a good thing for me. Also I learn which passwords are used for cracking,
> which again is a good thing. As for the logged passwords - this is a non
> user server, only two people have access ... so reading the logs is
> difficult for imap/sendmail users in the company ...

Sorry, listen to Gordon; this is a terrible idea.

You accept a certain amount of password leakage into log files as hard to
avoid (a user puts their password into a username field without noticing), but
deliberately logging typoed passwords, or indeed valid passwords but for the
wrong account into a log file, so you can keep an eye on what's being used is
a step beyond simple bad practice.

If you have a strict password policy, then you should have mechanisms in place
to enforce it, but not human ones.