
Removing plain passwords from auth.log

lb flag

I'm using some docker images to deploy a mail server (https://github.com/docker-mailserver/docker-mailserver). The MTA is postfix, with TLS configuration and using LDAP for login. I can login to the SMTP server and send emails, but it is showing the login password in plain text in auth.log:

Jul 26 10:57:01 mail saslauthd[979]:                 : num_procs  : 5
Jul 26 10:57:01 mail saslauthd[979]:                 : mech_option: kopano_gateway
Jul 26 10:57:01 mail saslauthd[979]:                 : run_path   : /var/run/saslauthd
Jul 26 10:57:01 mail saslauthd[979]:                 : auth_mech  : rimap
Jul 26 10:57:01 mail saslauthd[979]:                 : using accept lock file: /var/run/saslauthd/mux.accept
Jul 26 10:57:01 mail saslauthd[979]:                 : master pid is: 0
Jul 26 10:57:01 mail saslauthd[979]:                 : listening on socket: /var/run/saslauthd/mux
Jul 26 10:57:01 mail saslauthd[979]:                 : using process model
Jul 26 10:57:01 mail saslauthd[979]:                 : forked child: 986
Jul 26 10:57:01 mail saslauthd[979]:                 : forked child: 987
Jul 26 10:57:01 mail saslauthd[979]:                 : forked child: 988
Jul 26 10:57:01 mail saslauthd[979]:                 : forked child: 989
Jul 26 10:57:01 mail saslauthd[979]:                 : acquired accept lock
Jul 26 10:57:36 mail saslauthd[979]:                 : released accept lock
Jul 26 10:57:36 mail saslauthd[979]: auth_rimap: sending saslauthd LOGIN "user1" "password"
Jul 26 10:57:36 mail saslauthd[979]: auth_rimap: sending saslauthd LOGOUT
Jul 26 10:57:36 mail saslauthd[979]: auth_rimap: [user1] saslauthd OK [CAPABILITY IMAP4rev1 LITERAL+ CHILDREN XAOL-OPTION NAMESPACE QUOTA IDLE] LOGIN completed
Jul 26 10:57:36 mail saslauthd[979]:                 : auth success: [user=user1] [service=imap] [realm=] [mech=rimap]

I could edit rsyslog.conf and change the line

auth,authpriv.*         /var/log/auth.log

by

auth,authpriv.*         /dev/null 

but I would like to have auth.log not showing the passwords. I suppose I could change the config in /etc/supervisor/conf.d/saslauth.conf, because it seems like saslauthd is being executed with the -d (debug) flag by default:

[program:saslauthd_rimap]
startsecs=0
autostart=false
autorestart=true
stdout_logfile=/var/log/supervisor/%(program_name)s.log
stderr_logfile=/var/log/supervisor/%(program_name)s.log
command=/usr/sbin/saslauthd -d -a rimap -r -O %(ENV_SASLAUTHD_MECH_OPTIONS)s
pidfile=/var/run/saslauthd/saslauthd.pid

but if I try to mount that file in the docker-compose.yml, with the -d flag removed, saslauthd can't start properly:

/home/admin/postfix/saslauth.conf:/etc/supervisor/conf.d/saslauth.conf
Jul 26 11:58:44 mail saslauthd[3373]:                 : Cannot start saslauthd
Jul 26 11:58:44 mail saslauthd[3373]:                 : Another instance of saslauthd is currently running
Jul 26 11:58:45 mail saslauthd[3378]:                 : could not lock pid file /var/run/saslauthd/saslauthd.pid: Resource temporarily unavailable

Is there any way to disable debug mode for saslauthd in a docker container using environment variables or something? Or what would be the right way to hide passwords in auth.log?

mangohost
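As an added example (not code from the question or from the docker-mailserver project), a small Python filter that masks the password argument in the saslauthd rimap debug lines of the form shown above, for scrubbing auth.log entries that have already been written; the sample lines are constructed from the excerpt in the question.

```python
import re

# Matches the saslauthd rimap debug line that echoes the raw IMAP LOGIN
# command.  Group 1 keeps everything up to and including the quoted user
# name; the quoted password that follows it is dropped and replaced.
_LOGIN_RE = re.compile(
    r'(auth_rimap: sending saslauthd LOGIN "(?:[^"\\]|\\.)*" )"(?:[^"\\]|\\.)*"'
)


def redact_line(line: str) -> str:
    """Return the line with the password argument of a LOGIN replaced."""
    return _LOGIN_RE.sub(r'\1"[REDACTED]"', line)


def redact_log(lines):
    """Redact every line; return (redacted_lines, number_of_lines_changed)."""
    out = []
    changed = 0
    for line in lines:
        new = redact_line(line)
        if new != line:
            changed += 1
        out.append(new)
    return out, changed


# Constructed sample lines, modelled on the auth.log excerpt in the question.
SAMPLE_LOG = [
    'Jul 26 10:57:36 mail saslauthd[979]:                 : released accept lock',
    'Jul 26 10:57:36 mail saslauthd[979]: auth_rimap: sending saslauthd LOGIN "user1" "password"',
    'Jul 26 10:57:36 mail saslauthd[979]: auth_rimap: sending saslauthd LOGOUT',
    'Jul 26 10:57:36 mail saslauthd[979]:                 : auth success: [user=user1] [service=imap] [realm=] [mech=rimap]',
]

if __name__ == "__main__":
    redacted, n = redact_log(SAMPLE_LOG)
    print(f"{n} line(s) redacted")
    for entry in redacted:
        print(entry)
```

This only cleans what is already on disk; the durable fix is to stop saslauthd from being started with -d, so the LOGIN command is never logged in the first place.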
