Version: SOGo v1.3.5a

When logging into a Sieve server using the configuration SOGoSieveServer = "sieve://mail.example.com:4190/"; the login attempt fails because the Sieve server does not accept plaintext authentication and requires a TLS login.

The error reported in /var/log/sogo/sogo.log is:

Feb 22 10:06:13 sogod [28622]: [ERROR] <0x01EE0260[SOGoMailAccount]:0> failure. Attempting with a renewed password.
Feb 22 10:06:13 sogod [28622]: [ERROR] <0x01EE0260[SOGoMailAccount]:0> Could not login '[email protected]' (my_secret_password) on Sieve server: <0x0x1d9d8b0[NGSieveClient]: socket=<NGActiveSocket[0x0x1ed7d60]: mode=rw address=<0x0x1f17c00[NGInternetSocketAddress]: host=client.example.com port=39704> connectedTo=<0x0x1d0e010[NGInternetSocketAddress]: host=mail.example.com port=4190>>>: {RawResponse = "{ok = 0; reason = \"Plaintext authentication disabled.\"; }"; result = 0; }

The issue is that in the text above, the username and password used in the authentication attempt are logged in clear text. While I admit the utility of having explicit logging, I submit that there is no need to log the password in clear text. Can it be replaced with "*******", for instance? Since logs persist for a long time, even though they are only readable by the "sogo" user, this is a serious security flaw. Any root user on the machine will have access to the clear text password of all the users using SOGo. This should not be the case.

-- FiredUp

-- 
[email protected]
https://inverse.ca/sogo/lists
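As an added illustration, not code from this thread or from SOGo itself (which is written in Objective-C), the Python below sketches the two defensive pieces the report asks for: composing the Sieve login-failure message without the password ever being passed in, and a scanner that finds lines already written in the leaking format shown above and masks the password with "*******". The sample log lines are constructed from the report's format; the user name, host and password values are placeholders.

```python
import re
from typing import Iterable, List, Tuple

MASK = "*******"

# Shape of the leaking line from the report:
#   Could not login '<user>' (<password>) on Sieve server: ...
# The non-greedy middle group is anchored on the literal ") on Sieve server"
# that follows the password, so a password containing ')' is still matched whole.
LEAK_RE = re.compile(r"(Could not login '[^']*' \()(.*?)(\) on Sieve server)")


def format_login_failure(user: str, server: str, reason: str) -> str:
    """Safe variant of the message: the password is not even a parameter,
    so it cannot be interpolated into the log by mistake."""
    return f"Could not login '{user}' ({MASK}) on Sieve server {server}: {reason}"


def redact_line(line: str) -> str:
    """Replace the password in an already-written log line with MASK.
    Lines that do not match the leaking format are returned unchanged."""
    return LEAK_RE.sub(lambda m: m.group(1) + MASK + m.group(3), line)


def scan_log(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (1-based line number, redacted line) for every line that leaks
    a password, e.g. to rewrite an existing log file or to alert on it."""
    hits: List[Tuple[int, str]] = []
    for n, line in enumerate(lines, start=1):
        if LEAK_RE.search(line):
            hits.append((n, redact_line(line)))
    return hits


def contains_secret(text: str, secret: str) -> bool:
    """Guard for unit tests of log sanitising: True if the secret still appears."""
    return secret in text


# Constructed sample log, modelled on the two lines quoted in the report.
SAMPLE_LOG = [
    "Feb 22 10:06:13 sogod [28622]: [ERROR] <0x01EE0260[SOGoMailAccount]:0> "
    "failure. Attempting with a renewed password.",
    "Feb 22 10:06:13 sogod [28622]: [ERROR] <0x01EE0260[SOGoMailAccount]:0> "
    "Could not login 'alice@example.com' (my_secret_password) on Sieve server: "
    "{RawResponse = (ok = 0; reason = Plaintext authentication disabled.); result = 0; }",
]

if __name__ == "__main__":
    for lineno, fixed in scan_log(SAMPLE_LOG):
        print(f"line {lineno} leaked a password; masked form:\n  {fixed}")
    print(format_login_failure("bob@example.com", "mail.example.com:4190",
                               "Plaintext authentication disabled."))
```

The first function is the real fix: once the call site no longer receives the password, no formatting change can leak it. The scanner is a stop-gap for logs that were already written, and for confirming in a test suite that no message ever contains the credential.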
