Todd Lyons <tlyons@???> said
(on Thu, Sep 12, 2013 at 11:47:22AM -0700):
> 2013-09-12 18:05:37 plain authenticator failed for tlyons.ivenue.net
> (tlyons) [192.168.100.166]: 535 Incorrect authentication data
> (set_id=me2@???)
You may have thought of this, but a note of caution:
if the user has accidentally put the password in the username field,
or perhaps the client/server are out of sync, you might be logging a plaintext password.
How about logging a hash of the potential username instead, e.g., in your log_message/logwrite:
${hmac{sha1}{seekrit}{$authenticated_fail_id}}
If you need to look up those hashes, you could use something like:
    for username in user1@dom user2@dom user3@dom; do
        exim -be '${hmac{sha1}{seekrit}{'"$username"'}}'
    done
That way, you'll only find your usernames: passwords remain obscured.
Just a thought.
--
Geraint Edwards (aka "Gedge")
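
The lookup described in the message above, as an added example that is not part of the original post and not Exim code: it tags values with HMAC-SHA1, then resolves tagged log lines against a list of known usernames, leaving anything else unresolved. It assumes Exim's ${hmac{sha1}{...}{...}} emits the standard lowercase hex HMAC-SHA1 digest; the set_id_hmac= field name and the sample log lines are constructed for illustration.

```python
import hashlib
import hmac
import re
from collections import Counter

SECRET = b"seekrit"  # key used in the post's expansion


def tag(value, key=SECRET):
    """Hex HMAC-SHA1; assumed equal to Exim's ${hmac{sha1}{key}{value}}."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha1).hexdigest()


# Assumed log field name; the post does not fix a log format.
TAG_RE = re.compile(r"\(set_id_hmac=([0-9a-f]{40})\)")


def resolve(log_lines, usernames, key=SECRET):
    """Return [(tag, username or None)] for each tagged log line."""
    lookup = {tag(u, key): u for u in usernames}
    found = []
    for line in log_lines:
        m = TAG_RE.search(line)
        if m:
            found.append((m.group(1), lookup.get(m.group(1))))
    return found


def summarize(found):
    """Count failures per known username and per unresolved tag."""
    known = Counter(u for _, u in found if u is not None)
    unknown = Counter(t for t, u in found if u is None)
    return known, unknown


# Constructed sample: two failures for a real account, and two where
# some other string was typed into the username field.
SAMPLE_LOG = [
    "2013-09-12 18:05:37 plain authenticator failed (set_id_hmac=%s)" % tag(v)
    for v in ("user1@dom", "not-a-username", "user1@dom", "not-a-username")
] + ["2013-09-12 18:06:01 unrelated line without a tag"]

if __name__ == "__main__":
    users = ["user1@dom", "user2@dom", "user3@dom"]
    known, unknown = summarize(resolve(SAMPLE_LOG, users))
    print("known usernames:", dict(known))
    print("unresolved tags:", dict(unknown))
```

Repeated unresolved tags still show that the same value was retried, without the log ever holding that value in the clear.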