Subject: Re: SASL for fun and profit
From: Wietse Venema (wietse porcupine.org)
Date: Tue May 16 2000 - 18:35:31 CDT
- Next message: Rask Ingemann Lambertsen: "Re: Skipping the primary MX record"
- Previous message: Wietse Venema: "Re: SASL for fun and profit"
- In reply to: Ari Gordon-Schlosberg: "Re: SASL for fun and profit"
- Next in thread: Liviu Daia: "Re: SASL for fun and profit"
- Reply: Wietse Venema: "Re: SASL for fun and profit"
Ari Gordon-Schlosberg:
> [Wietse Venema <wietse porcupine.org>]
> > Ari Gordon-Schlosberg:
> > > [Wietse Venema <wietse porcupine.org>]
> > > > > (5) When using verbose logging (f.i. with $debug_peer_list) the password
> > > > > is written to the logs in clear text. Not a huge security issue,
> > > > > but still.
> > > >
> > > > That can't change. The verbose log is for debugging. Having
> > > > to run gdb on the running process is too intrusive.
> > >
> > > Perhaps there should be a warning about this in the SASL documentation.
> >
> > Oh, come on. Warning, hot water is hot. No-one is supposed to use
> > verbose logging unless absolutely necessary.
>
> Fair enough. But in this case, it may be more than just hot water, perhaps
> it's live steam. It's not often that passwords show up in system logs.
My definition of system logging is ROUTINE system logging.
Postfix verbose logging IS NOT routine logging.
Wietse
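
An added example, not part of the thread: since verbose logs can contain SASL credentials, this sketch masks them before a debug log is shared or archived. The log line layout, the `redact` helper and the sample lines are assumptions constructed for illustration, not Postfix's documented output.

```python
import re

# Assumed layout of a verbose smtpd protocol line (an assumption, not from the thread):
#   "<syslog prefix> postfix/smtpd[PID]: < peer: text"   ("<" from client, ">" to client)
LINE = re.compile(r'^(?P<head>.*?smtpd\[(?P<pid>\d+)\]: )(?P<dir>[<>]) (?P<peer>\S+): (?P<text>.*)$')
AUTH = re.compile(r'^(AUTH\s+\S+)(\s+\S+)?\s*$', re.I)

def redact(lines):
    """Mask SASL credential material; return (clean_lines, number_masked)."""
    pending = set()          # smtpd PIDs that are in the middle of an AUTH exchange
    out, hits = [], 0
    for line in lines:
        m = LINE.match(line)
        if not m:            # not a protocol line: pass through untouched
            out.append(line)
            continue
        pid, text = m['pid'], m['text']
        if m['dir'] == '<':
            a = AUTH.match(text)
            if a:
                pending.add(pid)
                if a.group(2):               # initial response, e.g. AUTH PLAIN <base64>
                    text, hits = a.group(1) + ' [REDACTED]', hits + 1
            elif pid in pending:             # reply to a 334 challenge (user name, password)
                text, hits = '[REDACTED]', hits + 1
        elif not text.startswith('334'):     # any server reply other than 334 ends the exchange
            pending.discard(pid)
        out.append(f"{m['head']}{m['dir']} {m['peer']}: {text}")
    return out, hits

# Constructed sample lines, not real log data.
P = "May 16 18:30:01 mx postfix/smtpd[%d]: %s client.example.com[192.0.2.10]: %s"
SAMPLE = [P % t for t in [
    (4242, '<', 'EHLO client.example.com'),
    (4242, '<', 'AUTH PLAIN AGFsaWNlAGNvbnN0cnVjdGVk'),
    (4242, '>', '235 Authentication successful'),
    (4243, '<', 'AUTH LOGIN'),
    (4243, '>', '334 VXNlcm5hbWU6'),
    (4243, '<', 'YWxpY2U='),
    (4243, '>', '334 UGFzc3dvcmQ6'),
    (4243, '<', 'Y29uc3RydWN0ZWQ='),
    (4243, '>', '235 Authentication successful'),
    (4243, '<', 'MAIL FROM:<alice@example.com>'),
]]

if __name__ == '__main__':
    clean, n = redact(SAMPLE)
    print('\n'.join(clean))
    print(f'{n} credential field(s) masked')
```

If a log is cut off in the middle of an AUTH exchange, later client lines from that process are masked as well, so the sketch errs toward hiding too much rather than too little.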