[Dovecot] Log successful login plain text password
Hi everyone,
I want to use dovecot as an IMAP and POP3 proxy in front of our current E-Mail hosting server to log the plain text passwords of all successful logins for migration reasons. Actually I don't need to see the password in plain text; storing them as SHA256-CRYPT (or something dovecot can use later for auth) hash in a file or DB would be fine, too.
I need this for the migration from the current mail server (using proprietary hashing to store passwords) to a new postfix / dovecot based mail system.
I played around with "auth_debug_passwords" and all debug / logging options I found in the manual. Nothing logs successful login plaintext passwords.
Any hint welcome.
Thanks a lot, Marco
Hi Marco
when running dovecot -a you will find auth_*
I think you could use auth_verbose_passwords to fit your needs.
all the best
On 28.08.2013, at 08:57, Marco Fretz wrote:
On 08/28/2013 09:08 AM, wkaha@yahoo.com wrote:
> Hi Marco
> when running dovecot -a you will find auth_*
> I think you could use auth_verbose_passwords to fit your needs.
thanks. I've already tried this, but it doesn't log the password on successful logins, only when there is a password mismatch:
from the conf / manual: "
# In case of password mismatches, log the attempted password. Valid values are
# no, plain and sha1. sha1 can be useful for detecting brute force password
# attempts vs. user simply trying the same password over and over again.
#auth_verbose_passwords = no
"
any other ideas? :)
Maybe you can find a way in this direction
http://wiki2.dovecot.org/HowTo/ConvertPasswordSchemes
all the best
On 28.08.2013, at 09:14, Marco Fretz wrote:
On 08/28/2013 10:36 AM, wkaha@yahoo.com wrote:
> Maybe you can find a way in this direction
This looks interesting. Looks like I could automate also a lot of other stuff this way, e.g. imap syncing accounts to new server, etc.
I found out that "auth_debug_passwords=yes" does log passwords (also successful logins) in proxy mode. But it does not in normal imap/pop server mode, or I did something wrong...
It logs something like this:
Aug 28 11:13:03 barney dovecot: auth: Debug: client out: OK#0111#011user=marco@example.com#011host=imap.example.com#011nologin#011proxy#011pass=CLEARPASWORD
where CLEARPASWORD is the plain text password. That's pretty much what I need. But using some postlogin script might be the more beautiful way...
Thank you all for the responses.
Cool. I tried doing the same. I've installed a proxy with the smallest possible setting
----dovecot.conf----------------------------
protocols = imap
ssl = no
mail_uid = dovenull
mail_gid = dovenull
first_valid_uid = 143
first_valid_gid = 143
auth_mechanisms = plain login
auth_debug_passwords=yes
mail_location=imapc:~/imapc
mail_home = /home/%u
imapc_host = server.name.com
imapc_port = 143
passdb {
  args = host=server.name.com
  default_fields = userdb_imapc_user=%u userdb_imapc_password=%w
  driver=imap
}
userdb {
  driver = prefetch
}
-------------------------------------
and the result in my logs was
----
Aug 30 15:06:23 free92 dovecot: auth: Debug: master userdb out: USER 12341234124 username@server.name.com imapc_user=username@servername.com imapc_password=ClearPassword auth_token=***some token***
----
that's nice for migrating servers.
all the best
On 30.08.2013, at 08:31, Marco Fretz wrote:
participants (2)
- Marco Fretz
- wkaha@yahoo.com
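Both debug lines quoted in the thread leave credentials in syslog for as long as auth_debug_passwords is on, so the logs need scrubbing once the migration is done. The following is an added example, not code from the thread or from Dovecot: it masks the secret fields in those two line formats and lists which accounts were written out. The function names, the mask string and the choice of secret keys are assumptions; the sample lines are constructed from the ones shown above.

```python
import re

# Secret-bearing field names seen in the two debug lines quoted in the thread.
SECRET_KEYS = {"pass", "imapc_password", "auth_token"}
USER_KEYS = ("user", "imapc_user")
MASK = "<redacted>"  # assumed mask text
AUTH_DEBUG = re.compile(r"auth: Debug: (?:client out|master userdb out): ")

# Constructed sample input: the two log lines as they appear in the thread.
SAMPLE = [
    "Aug 28 11:13:03 barney dovecot: auth: Debug: client out: OK#0111#011"
    "user=marco@example.com#011host=imap.example.com#011nologin#011proxy"
    "#011pass=CLEARPASWORD",
    "Aug 30 15:06:23 free92 dovecot: auth: Debug: master userdb out: USER "
    "12341234124 username@server.name.com imapc_user=username@servername.com "
    "imapc_password=ClearPassword auth_token=***some token***",
]

def redact_line(line):
    """Mask secrets; return (redacted_line, user_or_None, sorted_masked_keys)."""
    m = AUTH_DEBUG.search(line)
    if not m:
        return line, None, []
    head, payload = line[:m.end()], line[m.end():]
    # Fields are TAB-separated; syslog may escape TAB as '#011'. Spaces are a
    # last resort, so fragments of a secret containing a space are dropped too.
    sep = next((s for s in ("#011", "\t") if s in payload), " ")
    user, masked, out, in_secret = None, [], [], False
    for field in payload.split(sep):
        key, eq, value = field.partition("=")
        if not eq and in_secret and sep == " ":
            continue  # leftover piece of a space-containing secret
        if eq:
            in_secret = key in SECRET_KEYS
            if in_secret:
                masked.append(key)
                field = f"{key}={MASK}"
            elif key in USER_KEYS and user is None:
                user = value
        out.append(field)
    return head + sep.join(out), user, sorted(masked)

def exposed_accounts(lines):
    """Map each user to the set of secret fields logged for them."""
    found = {}
    for _, user, masked in map(redact_line, lines):
        if masked:
            found.setdefault(user, set()).update(masked)
    return found
```

In the space-separated fallback a secret that itself contains `key=value` text cannot be told apart from a real field, so scrub the raw tab-separated log where it is available.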