Solar Designer wrote:
> Fredrik wrote:
>> It is a patch that adds the username (or mailbox, which should
>> be the same most of the time) to all syslog messages that popa3d
>> writes. It is very useful for detecting users that misspell
>> usernames, or use incorrect case when typing the username.
> Yes. Unfortunately, a side-effect is that you will also get some
> plaintext passwords logged since some users are dumb enough to
> enter their password in place of username. This was one of two
> reasons for

It is unfortunate that someone would do this, but not enough of a
reason to cause any significant influence, IMHO. Plus, a simple
password scan could check the unknown username against the password
list, and look for matches. That would at least provide an
opportunity to do some adjustment so that their plain password was
not fully displayed... not really worth it IMHO, but if someone
was concerned over this...

> not logging unknown usernames. The other reason is that unknown
> usernames may contain any "garbage" characters, including terminal
> controls, making it unsafe to browse logs on some systems (where syslogd
> does not filter or escape potential terminal controls) unless special
> precautions are taken (e.g., "less -U" is OK, "more" or plain "grep ..."
> with output to the terminal are not).

An easy fix. Before any logging is done with an unknown username,
parse it for "garbage" characters, and replace them with something
non-garbage...
Of anything that I think popa3d should contain, this patch is *the*
one. It's not fun to track logs when you can't tell which line is
for what user.
Besides, if your reasons for not displaying unknown usernames are really
that important, then here is an alternate idea.
Each full session is given a unique instance ID. This ID is logged
with every log item. This way, the password/garbage char concerns
would be addressed, and log-watchers like myself and Fredrik will have
something easy to link log entries.
Bear in mind, this is my opinion and nothing more. I'm not the
one who wrote and is supporting the pop server. (= but, I am a user
of the server and as such, feel that my opinion counts for something,
if only a voice.
(=
Brad/TLD
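
The two suggestions in the message above (replacing "garbage" characters before an unknown username is logged, and tagging every log entry with a per-session ID), sketched in C as an added example. This is not popa3d code and not part of any post in this thread; the names `sanitize_for_log` and `format_log_line`, the `log_user` switch and the log layout are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from popa3d): copy src into dst, replacing every
 * byte outside printable ASCII (0x20..0x7e) with '?'. This covers terminal
 * controls such as ESC, CR and LF, and all 8-bit bytes (C1 controls too).
 * Output is always NUL-terminated and truncated to fit dstsize.
 * Returns the number of bytes replaced. */
size_t sanitize_for_log(char *dst, size_t dstsize, const char *src)
{
    size_t i = 0, replaced = 0;
    if (dstsize == 0)
        return 0;
    for (; src[i] != '\0' && i + 1 < dstsize; i++) {
        unsigned char c = (unsigned char)src[i];
        if (c < 0x20 || c > 0x7e) {
            dst[i] = '?';
            replaced++;
        } else {
            dst[i] = (char)c;
        }
    }
    dst[i] = '\0';
    return replaced;
}

/* Hypothetical log layout: "[session-id] message", with the unknown
 * username appended only when log_user is nonzero. With log_user == 0
 * the session ID alone links the entries, so a password typed in place
 * of a username never reaches the log. Returns snprintf's result. */
int format_log_line(char *out, size_t outsize, unsigned long session_id,
                    const char *msg, const char *user, int log_user)
{
    char safe[64];
    if (!log_user || user == NULL)
        return snprintf(out, outsize, "[%08lx] %s", session_id, msg);
    sanitize_for_log(safe, sizeof(safe), user);
    return snprintf(out, outsize, "[%08lx] %s for %s", session_id, msg, safe);
}

int main(void)
{
    char line[128];
    /* Constructed input: username carrying an ANSI escape and a newline. */
    format_log_line(line, sizeof(line), 0x1a2bUL, "Authentication failed",
                    "bob\033[2J\nroot", 1);
    puts(line);
    return 0;
}
```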