Avoiding logging password when dict lookup fails

Geo Mander geomandering at gmail.com
Tue May 26 14:25:11 EEST 2020


I've made a unix-socket auth setup, by looking at the examples here:
https://doc.dovecot.org/configuration_manual/authentication/dict/#complete-example-for-authenticating-via-a-unix-socket

I need to ship the plain password to the socket as well, so I have simply
added %w to the lookup key, like so:

    key = passdb/U=%u P=%w

My problem is that if the socket connection is down for whatever reason,
dovecot will write the entire message above - including the plaintext
password - into the logfile.

---
May 25 11:17:48 imap-1 dovecot: auth-worker(32690): Error: dict-client:
Lookup 'shared/passdb/U=john.doe at example.com P=john123 failed:
net_connect_unix(/var/run/dovecot/doveauthdsocket) failed: Connection
refused (reply took 0.000 secs (0.000 in dict wait, 0.000 in other ioloops,
0.000 in locks))
May 25 11:17:48 imap-1 dovecot: auth-worker(32690): Error: dict(
john.doe at example.com,8.8.4.4,<Px/Ic3WmsNhb7s1N>): Failed to lookup key
shared/passdb/U=john.doe at example.com P=john123
--

Can I disable dict client logging? Or can I structure my dict request in a
different way to avoid this logging, while still getting the complete
user-name and plaintext password shipped over the socket?

$ dovecot --version
2.2.36 (1f10bfa63)
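As an added example (not from the post or from Dovecot itself), a small log scrubber that catches the leak described above on the way to central logging and counts the hits for alerting; it assumes the key layout `passdb/U=%u P=%w` from the post and that the log is processed as plain text.

```python
import re

# Constructed sample, modelled on the log lines quoted in the post (not real data;
# the password value "john123" is a stand-in copied from the post's example).
SAMPLE_LOG = """\
May 25 11:17:48 imap-1 dovecot: auth-worker(32690): Error: dict-client: Lookup 'shared/passdb/U=john.doe@example.com P=john123 failed: net_connect_unix(/var/run/dovecot/doveauthdsocket) failed: Connection refused
May 25 11:17:48 imap-1 dovecot: auth-worker(32690): Error: dict(john.doe@example.com,8.8.4.4,<Px/Ic3WmsNhb7s1N>): Failed to lookup key shared/passdb/U=john.doe@example.com P=john123
May 25 11:18:02 imap-1 dovecot: imap-login: Login: user=<jane@example.com>, method=PLAIN, rip=192.0.2.10
"""

# The lookup key format is the one from the post: "passdb/U=%u P=%w", which
# dovecot logs with a "shared/" prefix. The password is everything after "P="
# up to the next whitespace or quote. Adjust KEY_RE if your key layout differs.
KEY_RE = re.compile(r"(shared/passdb/U=[^\s']+ P=)([^\s']+)")


def redact_line(line):
    """Return (line with any P=<password> replaced, True if something was redacted)."""
    redacted, count = KEY_RE.subn(r"\1<redacted>", line)
    return redacted, count > 0


def scrub_log(text):
    """Redact every leaked password in a log excerpt and count the hits, so a
    non-zero count can raise an alert that the dict socket is failing and
    credentials are reaching the log."""
    lines, hits = [], 0
    for line in text.splitlines():
        redacted, leaked = redact_line(line)
        hits += leaked
        lines.append(redacted)
    return "\n".join(lines), hits


if __name__ == "__main__":
    clean, hits = scrub_log(SAMPLE_LOG)
    print(f"{hits} password(s) redacted")
    print(clean)
```

Run it as a filter in front of the log shipper; a hit count above zero is the signal that the socket is down and the redaction is actually doing work.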