Hello,

Using stunnel will encrypt your traffic over the net, which is probably what you should be most concerned about. Dbmail itself gets the plaintext password so it can hash it and compare that to what's in the database; with a high logging level it logs all commands, including LOGIN. You just need to turn down the logging a little. Additionally, it could be a nice feature to block those out of log messages, and you could use the bug tracker to request that, but I don't know offhand if anyone would take the time to implement it or not (i.e. it'd be pretty low priority).

---- Original Message ----
From: Lorna Sanchez M. <[email protected]>
To: [email protected]
Subject: [Dbmail] plain text passwords in the mail log
Sent: Wed, 6 Apr 2005 12:35:14 -0500

> Hello!
>
> First of all, THANKS to everybody that has answered my previous posts!!!! ;)
>
> Ok, the question: I noticed that dbmail logs to the maillog. When a
> user logs in, this is what I get:
> Apr 6 12:10:33 localhost dbmail/imap4d[3075]: COMMAND: [A001 LOGIN "user" "pass"]
>
> where "pass" is the plain text password of the user! So I thought, "if
> I use SSL (specifically stunnel 4) for imap, the password is not going
> to show in the logs". But stunnel for imap is working and the password
> still shows!
>
> Maybe I've been barking up the wrong tree, meaning that I thought
> stunnel will fix this and it doesn't. Does anybody know the solution
> for this?
>
> Thanks a LOT!
>
> Cheers!
>
> Lorna.

-- End Original Message --

--
Jesse Norell
jesse @ kci.net
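
For logs that already contain LOGIN commands, the following added example (not dbmail code and not written by either poster) masks the password in lines of the `COMMAND: [tag LOGIN user pass]` form quoted above. The function names and the second and third sample lines are constructed for illustration, and IMAP literals (`{n}`) are assumed not to appear.

```python
import re
import sys

# IMAP "astring" as logged: a quoted string (backslash escapes allowed) or a
# bare atom. Synchronizing literals ({n}) are out of scope for this sketch.
_ASTRING = r'(?:"(?:[^"\\]|\\.)*"|[^\s"]+)'

# Anchored on the format in the post: COMMAND: [<tag> LOGIN <user> <password>]
_LOGIN = re.compile(
    r'(COMMAND:\s*\[\S+\s+LOGIN\s+' + _ASTRING + r'\s+)(.+)',
    re.IGNORECASE,
)

MASK = '"[REDACTED]"'


def redact_line(line):
    """Mask the password argument of a logged LOGIN; return (line, changed)."""
    body = line.rstrip("\r\n")
    eol = line[len(body):]
    m = _LOGIN.search(body)
    if m is None:
        return line, False
    # Drop everything after the username rather than parsing the password,
    # so a password containing spaces, quotes or ']' cannot leak a suffix.
    closing = "]" if body.rstrip().endswith("]") else ""
    return body[:m.end(1)] + MASK + closing + eol, True


def redact_log(lines):
    """Redact an iterable of log lines; return (new_lines, redaction_count)."""
    out, hits = [], 0
    for line in lines:
        new, changed = redact_line(line)
        out.append(new)
        hits += changed
    return out, hits


# Constructed sample lines; the first is the line quoted in the post.
SAMPLE = [
    'Apr 6 12:10:33 localhost dbmail/imap4d[3075]: COMMAND: [A001 LOGIN "user" "pass"]\n',
    'Apr 6 12:10:40 localhost dbmail/imap4d[3075]: COMMAND: [a2 login bob s3]cr et]\n',
    'Apr 6 12:10:41 localhost dbmail/imap4d[3075]: COMMAND: [A3 SELECT "INBOX"]\n',
]

if __name__ == "__main__":
    # Pass a log file path as the first argument; without one, SAMPLE is used.
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    cleaned, count = redact_log(src)
    sys.stdout.writelines(cleaned)
    print(f"redacted {count} LOGIN line(s)", file=sys.stderr)
```

Passwords that were already written to the log should be treated as exposed and changed; scrubbing the file only limits further disclosure.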
