Syncroton does not log failed login attempts to /var/log/kolab-syncroton/userlogins if the user name does exist. In contrast to that, a log entry is emitted if the user name does not exist.
Reproducing is easy:
- Go to https://testconnectivity.microsoft.com/
- Select "Exchange ActiveSync" and fill out the next page, but enter a valid user name with a wrong password.
- No entry in the userlogins file is created.
That opens the door to brute force attacks when the user name is known.
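
The logging asymmetry described above, and its effect on failed-login monitoring, as an added example that is not part of the original report and is not Syncroton code. The account, the log record shape, and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample account (not real data): user -> PBKDF2 hash of the password.
_SALT = b"constructed-salt"
USERS = {"alice@example.org": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000)}


def _password_ok(user, password):
    guess = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    return hmac.compare_digest(USERS[user], guess)


def login_asymmetric(user, password, log):
    """Behaviour described in the report: only unknown-user failures are logged."""
    if user not in USERS:
        log.append(("FAILED", user))
        return False
    return _password_ok(user, password)  # wrong password fails without a log record


def login_logged(user, password, log):
    """Hardened variant: every failure produces the same log record."""
    if user in USERS and _password_ok(user, password):
        return True
    log.append(("FAILED", user))
    return False


def users_over_threshold(log, threshold=5):
    """Detection side: users with at least `threshold` FAILED records."""
    counts = Counter(user for status, user in log if status == "FAILED")
    return sorted(user for user, n in counts.items() if n >= threshold)


def replay(login, user, guesses):
    """Feed constructed wrong passwords to `login`; return the resulting log."""
    log = []
    for guess in guesses:
        login(user, guess, log)
    return log


if __name__ == "__main__":
    wrong = [f"guess{i}" for i in range(6)]  # constructed wrong passwords
    for fn in (login_asymmetric, login_logged):
        log = replay(fn, "alice@example.org", wrong)
        print(fn.__name__, "records:", len(log), "flagged:", users_over_threshold(log))
```

With the asymmetric variant, any monitoring that reads the log sees nothing for an existing account, so a threshold-based alert or ban rule never triggers.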