> Network Working Group                                         M. Gahrns
> Request for Comments: 2221                                    Microsoft
> Category: Standards Track                                  October 1997
>
>                        IMAP4 Login Referrals
...
> 6. Security Considerations
>
> The IMAP4 login referral mechanism makes use of IMAP URLs, and as
> such, has the same security considerations as general internet URLs
> [RFC-1738], and in particular IMAP URLs [IMAP-URL].
>
> A server MUST NOT give a login referral if authentication for that
> user fails. This is to avoid revealing information about the user's
> account to an unauthorized user.
>
> With the LOGIN-REFERRALS capability, it is potentially easier to
> write a rogue 'password catching' server that collects login data and
> then refers the client to their actual IMAP4 server. Although
> referrals reduce the effort to write such a server, the referral
> response makes detection of the intrusion easier.
From /opt/src/dovecot-2.2.19/doc/wiki/PasswordDatabase.ExtraFields.Host.txt

> Login referrals are an IMAP extension specified by RFC 2221
> [http://www.apps.ietf.org/rfc/rfc2221.html]. They're not supported by many
> clients, so you probably don't want to use them normally.

Right.

> The following clients are known to support login referrals:
>
> * Pine
> * Outlook (but not Outlook Express)

We use neither.

> Login referrals are used only if the proxy field isn't set.

We want neither LOGIN-REFERRALS nor proxy.

Dovecot's configure includes the following by default:

> capability_banner="IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID
> ENABLE IDLE"

If the extension is simply hidden from the banner, an attacker could still use the extension. If one removes the string from the banner above, does one merely hide the extension name in the banner, or also disable the extension's engine?
On 12/03/2015 01:46 PM, sb wrote:
> From /opt/src/dovecot-2.2.19/doc/wiki/PasswordDatabase.ExtraFields.Host.txt
>> Login referrals are an IMAP extension specified by RFC 2221
>> [http://www.apps.ietf.org/rfc/rfc2221.html]. They're not supported by
>> many
>> clients, so you probably don't want to use them normally.
> Right.
>> The following clients are known to support login referrals:
>>
>> * Pine
>> * Outlook (but not Outlook Express)
> We use neither.
>> Login referrals are used only if the proxy field isn't set.
> We want neither LOGIN-REFERRALS nor proxy.
>
> Dovecot's configure includes the following by default:
>> capability_banner="IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID
>> ENABLE IDLE"
> If the extension is simply hidden from the banner, an attacker could
> still use the extension.

If the connection is SSL/TLS encrypted, the attacker can't add/modify login referrals. If it's not encrypted, the attacker could just as well insert LOGIN-REFERRALS into the CAPABILITY reply if it didn't exist there.

> If one removes the string from the banner above, does one merely hide the
> extension name
> in the banner, or also disable the extension's engine?

As long as Dovecot doesn't return any login-referrals (which it doesn't by default), I don't see why having LOGIN-REFERRALS in the CAPABILITY reply would matter.
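The points above (the capability string is only an advertisement, and a referral is only as trustworthy as the channel it arrived on) can be turned into a client-side policy check. This is an added example, not code from the thread, Dovecot or RFC 2221; the server responses and hostnames are constructed placeholders modelled on the RFC 2221 response-code format.

```python
import re
from urllib.parse import urlsplit

# Constructed sample responses in the RFC 2221 [REFERRAL imap-url] format.
# Hostnames are placeholders, not real servers.
GREETING = ("* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID "
            "ENABLE IDLE] ready.")
GREETING_HIDDEN = "* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR ID ENABLE IDLE] ready."
LOGIN_REFERRAL = ("A001 OK [REFERRAL imap://user;AUTH=*@mail2.example.net/] "
                  "Personal mailboxes are on mail2.")

_CAP_RE = re.compile(r"\[CAPABILITY ([^\]]+)\]", re.IGNORECASE)
_REF_RE = re.compile(r"^\S+ (?:OK|NO|BYE) \[REFERRAL (\S+)\]", re.IGNORECASE)


def capabilities(greeting):
    """Capabilities advertised in a greeting or CAPABILITY response, upper-cased."""
    m = _CAP_RE.search(greeting)
    return set(m.group(1).upper().split()) if m else set()


def referral_host(response):
    """Hostname from a [REFERRAL imap-url] response code, or None if there is none."""
    m = _REF_RE.match(response)
    return urlsplit(m.group(1)).hostname if m else None


def referral_decision(greeting, response, tls, trusted_hosts):
    """Client-side policy for a received login referral.

    Follow only if the server advertised LOGIN-REFERRALS, the session is
    TLS-protected (on a plaintext session both the capability and the
    referral could have been inserted in transit), and the target host is
    one the client already trusts. Returns a short decision string.
    """
    host = referral_host(response)
    if host is None:
        return "none"
    if "LOGIN-REFERRALS" not in capabilities(greeting):
        return "reject:not-advertised"
    if not tls:
        return "reject:plaintext"
    if host.lower() not in {h.lower() for h in trusted_hosts}:
        return "reject:untrusted-host:" + host
    return "follow:" + host
```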