Matus UHLAR - fantomas writes:

On 02.01.11 11:33, Sam Varshavchik wrote:
Download: http://www.courier-mta.org/download.php

A few minor fixes.

Changes:

• Suppress logging the contents of a failed AUTH command in syslog, in case it includes encoded passwords.

Can this differentiate between invalid usernames and invalid passwords?
If not, can this be turned off?

Explain how you were able to tell the difference previously. You couldn't.

I know about potential security problems about revealed passwords, but I
would like to know when an attack is done against users' passwords.
No. Previously, only some opaque encoded blob was logged, whatever its contents were.

Furthermore, there is no substantial difference. Look for failed AUTH errors. I see no difference between whether there's userid guessing or password guessing going on. Both the requested userid and password are collected at the same time. Either they are accepted, or they're not.
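Added example, not part of the original messages and not Courier's own code: one way to follow the advice above and watch for failed AUTH errors, counting them per connecting relay without trying to tell userid guessing from password guessing. The syslog line layout, the constructed sample lines, and the names `failed_auth_bursts`, `threshold` and `window` are assumptions made for this illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line layout (not taken from the thread): syslog timestamp, host, then
# courieresmtpd: error,relay=<addr>,...,msg="535 ...",cmd: AUTH <mechanism>
FAILED_AUTH = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ courieresmtpd: '
    r'error,relay=(?P<relay>[^,]+),.*msg="535 [^"]*",cmd: AUTH\b'
)

def failed_auth_bursts(lines, threshold=3, window=timedelta(minutes=5), year=2011):
    """Return {relay: peak count} for relays that reach `threshold` failed
    AUTH commands inside any sliding `window`. Anything after the mechanism
    name (such as an encoded blob) is never read or stored."""
    recent = defaultdict(deque)   # relay -> timestamps still inside the window
    peaks = {}
    for line in lines:
        m = FAILED_AUTH.match(line)
        if not m:
            continue              # not a failed AUTH error
        # Classic syslog timestamps carry no year, so one is supplied.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["relay"]]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()           # drop failures older than the window
        if len(q) >= threshold:
            peaks[m["relay"]] = max(peaks.get(m["relay"], 0), len(q))
    return peaks

# Constructed sample lines using documentation-range addresses.
SAMPLE = [
    'Jan  2 12:00:01 mx courieresmtpd: error,relay=::ffff:192.0.2.10,msg="535 Authentication failed.",cmd: AUTH LOGIN',
    'Jan  2 12:00:20 mx courieresmtpd: error,relay=::ffff:192.0.2.10,msg="535 Authentication failed.",cmd: AUTH LOGIN',
    'Jan  2 12:00:40 mx courieresmtpd: error,relay=::ffff:198.51.100.7,msg="535 Authentication failed.",cmd: AUTH PLAIN',
    'Jan  2 12:01:05 mx courieresmtpd: error,relay=::ffff:192.0.2.10,msg="535 Authentication failed.",cmd: AUTH LOGIN',
    'Jan  2 12:01:30 mx courieresmtpd: error,relay=::ffff:192.0.2.10,msg="535 Authentication failed.",cmd: AUTH LOGIN',
    'Jan  2 12:02:00 mx courieresmtpd: error,relay=::ffff:203.0.113.5,msg="550 User unknown.",cmd: RCPT TO:<x@example.com>',
]

if __name__ == "__main__":
    for relay, count in failed_auth_bursts(SAMPLE).items():
        print(f"{relay}: {count} failed AUTH commands within 5 minutes")
```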


_______________________________________________
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
