Josh Gentry wrote:
Hi. I'm new to Dovecot and about to start using it in production. In the config file, I set the option, auth_debug_passwords, to yes. I do not see any failed passwords logged, however. It did cause more verbose authentication logging, but failed passwords are still hidden.
That option is not for logging passwords, but to ease problem investigation in case something is not working as it should.
There might be a way to log password attempts, but it's not a good idea from the point of view of security, so I'm glad it's not so easy to have them logged.
Remember that a failed password might be someone using a dictionary attack, but can be an user that simply mistyped one character in his password. But even in the first case, what good would it do to know what words an attacker is using?
-- Q: Why does Washington have the most lawyers per capita and New Jersey the most toxic waste dumps? A: God gave New Jersey first choice.
Eduardo M KALINOWSKI eduardo@kalinowski.com.br http://move.to/hpkb