----- Original Message -----
I see you have different error messages during login for:
invalid email address
user does not exist
It might be better to return the same message for all so the hostile hacker can't learn as much about your users.
Good point. I'd suggest
- ERR XXX Login invalid
to stdout and detailed info to syslog
Its using tcpserver, so why not to multilog. I personally try to limit as much as possible the use of syslog.