Incorrect authentication data template

R

reder

Verified User
Joined
Oct 16, 2011
Messages
10
Hi,

On /var/log/exim/mainlog files some times giving;
login authenticator failed for (WIN-1C569HATHE0) [x.x.x.x]: 535 Incorrect authentication data (set_id=xxx)
login authenticator failed for (WIN-1C569HATHE0) [x.x.x.x]: 535 Incorrect authentication data (set_id=xxx)
login authenticator failed for (WIN-1C569HATHE0) [x.x.x.x]: 535 Incorrect authentication data (set_id=xxx)

error and i want to see user tryed which password how can i change this log template ? for example i want to see log like this;

login authenticator failed for (WIN-1C569HATHE0) [x.x.x.x]: 535 Incorrect authentication data (set_id=xxx, setted_paswd=123123)
login authenticator failed for (WIN-1C569HATHE0) [x.x.x.x]: 535 Incorrect authentication data (set_id=xxx, setted_paswd=113asda)
login authenticator failed for (WIN-1C569HATHE0) [x.x.x.x]: 535 Incorrect authentication data (set_id=xxx, setted_paswd=xx1312)

Thanks for help.
 
Hello,

The most important thing to do is to set auth_debug=yes, and preferrably also auth_debug_passwords=yes. After that you'll see in the logs exactly what dovecot-auth is doing, and that should help you to fix the problem.

Taken from here: http://wiki2.dovecot.org/Debugging/Authentication

I'm not sure whether or not it will display passwords, just try it and update us with results.
 
Hi, thanks for help.

I just changed

/etc/dovecot/dovecot.conf

Code: 
auth_verbose = yes
auth_debug = yes
auth_debug_passwords = yes
lines;

and;
Code: 
service dovecot restart
service exim restart

But still not showing password. What i'm missing ?
 
I did not say that it definetely would show passwords. Why do you think it will show them? If your example was not based on what dovecot can do, then you should probably use tcpdump or other software to capture passwords (sniffers: wireshark, tshark).
 
zEitEr said:
I did not say that it definetely would show passwords. Why do you think it will show them? If your example was not based on what dovecot can do, then you should probably use tcpdump or other software to capture passwords (sniffers: wireshark, tshark).
Click to expand...

Hi,

Wireshark, thsark doesn't show clearly password because ssl.

I think it must be a way for it if show username on log files can be show password too.. thanks for help.
 
The password is actually being logged with those 2 options, like it says in that wiki. But it's in base64 which you simply have to decode.

For example:
Debug: client in: AUTH#0111#011PLAIN#011service=imap#011secured#011session=8TD2xTH04AB/AAAB#011lip=127.0.0.1#011rip=127.0.0.1#011lport=143#011rport=40160#011resp=AGFzZAAxMjM= (previous base64 data may contain sensitive data)
Click to expand...

The AGFzZAAxMjM= part results in asd 123 which is the user and pass I entered in roundcube.
 
You must log in or register to reply here.
Back
Top