Ok, this is something... let me check...
If you're you referring to these pieces of code:
if (path != NULL) { /* log this as error, since it probably is */ str = t_strdup_printf("%s (%s missing?)", str, path); e_error(authdb_event(request), "%s", str); } else if (status == PAM_AUTH_ERR) { str = t_strconcat(str, " ("AUTH_LOG_MSG_PASSWORD_MISMATCH"?)", NULL); if (request->set->debug_passwords) { str = t_strconcat(str, " (given password: ", request->mech_password, ")", NULL); }
and:
void auth_request_log_login_failure(struct auth_request *request, const char *subsystem, const char *message)
I'm not a programmer, let alone a C guru, but these extracts look like password failure logging. Are you sure they are recording successful authentications for the logs?
On 2022-10-11 17:07, Bernardo Reino wrote:
On Mon, 10 Oct 2022, Serveria Support wrote:
I checked the source code on Github and discussed this with a C developer. There seem to be too many files... perhaps somebody can guide me where should I look? Aki?
You should search for "given password" in the source.
Hint: src/auth/passdb-pam.c, around lines 175-178. src/auth/auth-request.c, around lines 2311-2312.
This is with the latest source (2.3.19.1).
Cheers.
PS: But as I noted, nothing prevents $HACKER from bringing their own dovecot (BYOD :) with all debugging options enabled, etc. As others have noted, if the intruder owns your server, you have lost. Period.