On Wed, 26 Apr 2017, Jobst Schmalenbach wrote:

> On Tue, Apr 25, 2017 at 07:14:56PM -0700, Gordon Messmer (gordon.messmer at gmail.com) wrote:
>> On 04/25/2017 07:00 PM, Jobst Schmalenbach wrote:
>>> What I want is the IP address and if possible the incorrect password (just
>>> to see how far they are off). Is this possible?
>>
>> I hope not. That's a terrible idea. Every time a user fat-fingers their
>> password, your plain-text logs have a copy of their almost-correct
>> password.
>>
>
> As always there are tradeoffs ...
> I have a reasonably strict password policy, so by looking at the failed
> passwords I can see how far the tries are off the real thing, so it actually
> is a good thing for me. Also I learn which passwords are used for cracking,
> which again is a good thing. As for the logged passwords - this is a non-user
> server, only two people have access ... so reading the logs is
> difficult for imap/sendmail users in the company ...

Sorry, listen to Gordon; this is a terrible idea. You accept a certain amount
of password leakage into log files as hard to avoid (a user puts their password
into a username field without noticing), but deliberately logging typoed
passwords, or indeed valid passwords for the wrong account, into a log file so
you can keep an eye on what's being used is a step beyond simple bad practice.

If you have a strict password policy, then you should have mechanisms in place
to enforce it, but not human ones.

jh