Re: Log authentication attempts
On 24.01.2017 00:06, rej ex wrote:
> Because we are building some monitoring application, we will need to record all failed and successful login attempts. We need to record remote IP, entered password in plain text, and if possible whether auth request is for SMTP or IMAP session.
SMTP? Wouldn't that be handled by your MTA, not Dovecot?
Aki Tuomi wrote:
> Since 2.2.27 we've had auth policy server support which can do this properly.
As I read the docs, the auth policy server would only get the hashed password, and wouldn't be able to record the plaintext password.
Maybe use the checkpassword hook?
http://wiki.dovecot.org/AuthDatabase/CheckPassword
Joseph Tam jtam.home@gmail.com
On January 25, 2017 at 12:24 AM Joseph Tam jtam.home@gmail.com wrote:
> On 24.01.2017 00:06, rej ex wrote:
>> Because we are building some monitoring application, we will need to record all failed and successful login attempts. We need to record remote IP, entered password in plain text, and if possible whether auth request is for SMTP or IMAP session.
> SMTP? Wouldn't that be handled by your MTA, not Dovecot?
> Aki Tuomi wrote:
>> Since 2.2.27 we've had auth policy server support which can do this properly.
> As I read the docs, the auth policy server would only get the hashed password, and wouldn't be able to record the plaintext password.
> Maybe use the checkpassword hook?
> http://wiki.dovecot.org/AuthDatabase/CheckPassword
> Joseph Tam jtam.home@gmail.com
So it would seem if you don't read it carefully.
auth_policy_request_attributes: Request attributes specification (see attributes section below)
Default: auth_policy_request_attributes = login=%{orig_username} pwhash=%{hashed_password} remote=%{real_rip}
I invite you to consider what would happen if you were to replace %{hashed_password} with %{password}?
Aki
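An added example, not part of the original thread and not Dovecot's own code: a small Python check that reads Dovecot configuration text and reports every auth_policy_request_attributes entry that expands %{password}, i.e. one that forwards the plaintext password to the policy server as discussed above. The two config snippets are constructed sample input and the function names are hypothetical.

```python
import re

SETTING = "auth_policy_request_attributes"
# Variables that expand to the cleartext credential (named in the thread).
PLAINTEXT_VARS = {"password"}
# Matches one "name=%{variable}" pair of the attribute specification.
PAIR_RE = re.compile(r"(\w+)=%\{([^}]+)\}")

# Constructed sample: the documented default quoted in the thread.
DEFAULT_CONF = (
    "auth_policy_request_attributes = login=%{orig_username} "
    "pwhash=%{hashed_password} remote=%{real_rip}\n"
)
# Constructed sample: the substitution suggested in the thread.
MODIFIED_CONF = (
    "# constructed sample config\n"
    "auth_policy_request_attributes = login=%{orig_username} "
    "pwhash=%{password} remote=%{real_rip}\n"
)


def parse_attributes(value):
    """Map each attribute name to the variable it expands to."""
    return {name: var for name, var in PAIR_RE.findall(value)}


def audit_config(text):
    """Return (line_no, attribute, variable) for attributes carrying plaintext."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # ignore comments
        if not line.startswith(SETTING):
            continue
        _, _, value = line.partition("=")  # split at the setting's own "="
        for attr, var in parse_attributes(value).items():
            if var in PLAINTEXT_VARS:
                findings.append((line_no, attr, var))
    return findings


if __name__ == "__main__":
    for label, conf in (("default", DEFAULT_CONF), ("modified", MODIFIED_CONF)):
        hits = audit_config(conf)
        print(label, "->", hits if hits else "no plaintext password forwarded")
```

A finding means whatever receives the policy requests, and any log it writes, now holds cleartext credentials and has to be protected accordingly.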