>> On 02.01.11 11:33, Sam Varshavchik wrote:
>>> Download: http://www.courier-mta.org/download.php
>>>
>>> A few minor fixes.
>>>
>>> Changes:
>>>
>>> • Suppress logging the contents of a failed AUTH command in syslog, 
>>> in case it includes encoded passwords.

> Matus UHLAR - fantomas writes:
>> Can this differentiate between invalid usernames and invalid passwords?
>> If not, can this be turned off?

On 17.01.11 08:53, Sam Varshavchik wrote:
> Explain how you were able to tell the difference previously. You couldn't.

I don't matter, all people with access to the logs here were able to get
to customers' passwords a different way.

>> I know about potential security problems about revealed passwords, but I
>> would like to know when an attack is done against users' passwords
>
> No. Previously, only some opaque encoded blob was logged, whatever its  
> contents were.

Aha. Yes, in such a case it's useless. I wanted to ask this about SMTP
authentication (logging more than just "auth failed") some time ago.

> Furthermore, there is no substantial difference. Look for failed AUTH
> errors. I see no difference between whether there's userid guessing or
> password guessing going on. Both the requested userid and password are
> collected at the same time. Either they are accepted, or they're not.

Yes, but it can be useful to know in cases where it's password guessing...

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
I intend to live forever - so far so good. 
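
An added example, not part of the original thread and not Courier's own code: one way to act on the advice above to "look for failed AUTH errors", counting failures per connecting relay and scrubbing the encoded AUTH argument from lines logged before the change. The log layout, the sample lines and all function names are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines. The field layout (relay=..., msg="535 ...",
# cmd: AUTH ...) is an assumed syslog shape, not captured Courier output.
# The base64 blob is a constructed value standing in for an encoded credential.
SAMPLE_LOG = """\
Jan 17 08:01:02 mx courieresmtpd: error,relay=::ffff:192.0.2.10,msg="535 Authentication failed.",cmd: AUTH PLAIN AGFsaWNlAHdyb25ncGFzcw==
Jan 17 08:01:04 mx courieresmtpd: error,relay=::ffff:192.0.2.10,msg="535 Authentication failed.",cmd: AUTH PLAIN AGFsaWNlAHdyb25ncGFzcw==
Jan 17 08:01:06 mx courieresmtpd: error,relay=::ffff:192.0.2.10,msg="535 Authentication failed.",cmd: AUTH
Jan 17 08:02:11 mx courieresmtpd: error,relay=::ffff:198.51.100.7,msg="535 Authentication failed.",cmd: AUTH
Jan 17 08:03:30 mx courieresmtpd: error,relay=::ffff:203.0.113.5,msg="550 User unknown.",cmd: RCPT TO:<nobody@example.com>
""".splitlines()

# A failed AUTH line: a relay address followed by a 535 reply to an AUTH command.
FAILED_AUTH = re.compile(r'relay=(?P<relay>[^,\s]+),.*msg="535 [^"]*",cmd: AUTH\b')
# Anything logged after "cmd: AUTH" (mechanism and encoded blob).
AUTH_ARGS = re.compile(r'(cmd: AUTH)\s+\S.*$')

def redact_auth(line):
    """Drop whatever follows 'cmd: AUTH' so no encoded credential is kept."""
    return AUTH_ARGS.sub(r'\1 [redacted]', line)

def failed_auth_by_relay(lines):
    """Count failed AUTH attempts per connecting relay address."""
    counts = Counter()
    for line in lines:
        m = FAILED_AUTH.search(line)
        if m:
            counts[m.group('relay')] += 1
    return counts

def suspects(lines, threshold=3):
    """Relays with at least `threshold` failures, whether userid or password guessing."""
    return sorted(r for r, n in failed_auth_by_relay(lines).items() if n >= threshold)

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(redact_auth(line))
    print(suspects(SAMPLE_LOG))
```

The count works the same on lines with and without the logged blob, since it keys only on the relay and the 535 reply.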
