Hello,
This discussion went way too far.
Just a reminder: when APOP is used, the server does not decode the stuff it gets from the
POP client to get the clear text version of the password. The password is hashed with a
session-specific string using the MD5 hashing functions. If you see a password in
clear text in the logs, that means that someone tried to log on with APOP disabled and
the server rejected that because of the "Require APOP" option in the account settings.
As for whether to log password entries or not - at the all info level the server logs all the
session data, including passwords. Set the log level to low level if you don't want
those passwords to appear in the logs.
On Fri, Aug 24, 2001, 09:46:09 GMT
Terry Allen, <[EMAIL PROTECTED]> wrote:
>>On 01-08-23 19.34, "Cerebus the Aardvark" <[EMAIL PROTECTED]> wrote:
>>
>>> How is that a bug? The passwords are stored in cleartext in the
>>> resource fork anyway. If someone has access to your machine to see
>>> the logs they certainly have access to the passwords.
>>
>>I can't see any point to log this any more than unsuccessful login attempts
>>using APOP, all you see there is the scrambled password. If this is in the
>>log I as an admin can see someone's supposedly secret password by mistake. I
>>don't want that, I want to be able to tell people that I really don't know
>>their password. They might very well be using the same password for other
>>services (most people probably do). This is all a small detail but even so...
>>
>>Regards,
>>Jonas Lundberg
>>
>Hi again,
> I actually see this as a good way to identify login attempts to an
>account using an invalid password. Earlier this year, I had a client using
>my server with some very important corporate data they wanted kept secure
>by email (hence use the Mac based server as it's nice & secure). Someone
>attempted to access the account using quite a number of different password
>attempts, all from the same IP address. As a result of this, I was able to
>do a lookup & provide the client with the network (actually within their
>organisation) & the person was suspended. This, I think is a very useful
>feature.
Best regards,
Dmitry Akindinov
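
An added example, not part of the original message and not the server's own code: the APOP digest as defined in RFC 1939 (MD5 over the greeting timestamp followed by the shared secret), next to a redaction pass for the plain PASS command that does put the password into a full session log. The `S:`/`C:` log line format and the `-ERR` text are constructed for illustration; the timestamp, user name, secret and digest are the sample values from RFC 1939.

```python
import hashlib
import hmac
import re

def apop_digest(banner_timestamp: str, shared_secret: str) -> str:
    """RFC 1939 APOP: hex MD5 of the greeting timestamp followed by the secret."""
    return hashlib.md5((banner_timestamp + shared_secret).encode("ascii")).hexdigest()

def verify_apop(banner_timestamp: str, shared_secret: str, client_digest: str) -> bool:
    """Server side: recompute from the stored secret and compare.
    The digest is never decoded back into the password."""
    expected = apop_digest(banner_timestamp, shared_secret)
    return hmac.compare_digest(expected, client_digest.lower())

def banner_timestamp(greeting: str) -> str:
    """Extract the <...> session-specific string from the +OK greeting."""
    match = re.search(r"<[^>]+>", greeting)
    if match is None:
        raise ValueError("greeting carries no APOP timestamp")
    return match.group(0)

# Constructed log format: "C: " marks client input. PASS carries the password
# itself, so everything after the command is replaced before the line is stored.
_PASS_LINE = re.compile(r"^(C: PASS) .*$", re.IGNORECASE)

def redact_pop3_line(line: str) -> str:
    return _PASS_LINE.sub(r"\1 [REDACTED]", line)

# Constructed sample session using the RFC 1939 example values.
SAMPLE_SESSION = [
    "S: +OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>",
    "C: APOP mrose c4c9334bac560ecc979e58001b3e22fb",
    "S: +OK maildrop has 1 message (369 octets)",
    "C: USER mrose",
    "C: PASS tanstaaf",
    "S: -ERR APOP required",
]

def redact_session(lines):
    return [redact_pop3_line(line) for line in lines]

if __name__ == "__main__":
    ts = banner_timestamp(SAMPLE_SESSION[0])
    print("APOP digest verifies:", verify_apop(ts, "tanstaaf", SAMPLE_SESSION[1].split()[-1]))
    for line in redact_session(SAMPLE_SESSION):
        print(line)
```

The APOP line is left untouched by the redaction because its digest is only valid for the timestamp of that one session.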