ok, fyi: I have now also tested/confirmed this, while looking at the logs, and indeed: Even when the connection is denied because of a wrong password, the message "Allowing any password" is showing up in the logs.

Perhaps it is because we have set debug options:

> auth_debug = yes
> auth_debug_passwords = yes
> auth_verbose = yes

It would be nice if the "Allowing any password" could be rephrased, or taken out. It really had me scared for a while.

Thanks Aki,
MJ

On 2018-03-21 (14:15 MDT), mj <lists at merit.unu.edu> wrote:
> > Even when the connection is denied because of a wrong password, the message "Allowing any password" is showing up in the logs.

The question is does it allow remote users to login with no password? If not, then the message is nearly notification that login without a password is potentially possible.

I have no idea why you would have nopassword=y set in the first place, so it seems the simplest way to eliminate this problem is to take that out and have a secure environment for sending mail.

-- 
They say whisky'll kill you, but I don't think it will
I'm ridin' with you to the top of the hill

On 03/21/2018 10:34 PM, @lbutlr wrote:
> The question is does it allow remote users to login with no password?

Yes, and the answer is: no.

> If not, then the message is nearly notification that login without a password is potentially possible.

Yes, but a worrying one. That's why I decided to post here.

> I have no idea why you would have nopassword=y set in the first place, so it seems the simplest way to eliminate this problem is to take that out and have a secure environment for sending mail.

Yes, however, for SOGo with Native Outlook compatibility or SAML logon, the config is required. (https://sogo.nu/files/docs/v2/SOGoNativeOutlookConfigurationGuide.html)

Thanks,
MJ