[tpop3d-discuss] New features ?

Jakob Hirsch jh at plonk.de
Tue, 3 Dec 2002 01:07:52 +0100


Chris Lightfoot wrote:

>> Well, the wrong password is not logged, only the login. I'd like to
>> have the password too. And I'd prefer to have it logged in a SQL
>> table :)
> I'm afraid I won't put that in the distribution. Too close
> to an invasion of privacy.

Uh, I feel a little bad right now, because we're doing this since ages.
And to make it more evil, the passwords are even written in mail-log:

tpop3d[700]: auth_mysql_new_user_pass: [jakob!revolution.de;
jakob@revolution.de] failed login with wrong password
tpop3d[700]: auth_perl_new_user_pass: (perl code): jakob!revolution.de
is not for oldpopuser_auth (wrong pass "test"?)

It was rather unintentionally, when I migrated from our passwd-style
authentication system with the obligation to allow the people to use
their old user/pass, so I write some perl code to handle this. Logging
wrong passwords was handy for debugging, so I kept it in.

I agree with you to let it out of the main distribution. It's simply not
worth the code. And I see no reason why somebody would want to have them
in a database.
Besides, I don't care about the passwords written in the log. I would
never give anybody file oder shell access to our mailserver.