Hi,

A week ago I submitted an early patch, please ignore it. The patch attached to this email has been tested and seems to work for me. I have also attached it instead of inlining it, to solve problems with spaces/tabs.

The patch will, on systems that have libcap support, drop capabilities that Dovecot doesn't need. For example there is no need for CAP_SYS_MODULE, which enables module loading, or CAP_SYS_PTRACE/CAP_SYS_ADMIN/etc. If libcap isn't installed then nothing will change; this is a compile-time only enhancement that isn't configurable.

Personally I did not find that CAP_SYS_CHROOT was needed in order for me to authenticate and access my mailbox, but I haven't configured anything special with chrooting (yet). I added it because I see chroot() is used in src/lib/restrict-access.c.

The patch was generated against 1.0-rc24 and tested with the clients imp and Thunderbird. My configuration uses a virtual passdb, requires TLS for AUTH and exports auth-master under a different account. All of this appears to work correctly.

I'd appreciate any comments, perhaps this will help safeguard the 1000EUR on non-hardened systems :)

David

-------------- next part --------------
A non-text attachment was scrubbed...
Name: dovecot-add-capability-dropping.patch
Type: text/x-patch
Size: 1829 bytes
Desc: not available
URL: <dovecot.org/pipermail/dovecot/attachments/20070227/f6757402/attachment-0002.bin>
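The kind of capability dropping the patch describes, as an added example that is not the attached patch or Dovecot's code. It uses the raw capget/capset syscalls rather than the libcap API so it builds without -lcap; keeping CAP_SYS_CHROOT mirrors the mail, while keeping CAP_SETUID/CAP_SETGID is an assumption made here for switching to the mail user.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

#define CAP_WORDS _LINUX_CAPABILITY_U32S_3   /* 2 x 32-bit words per set */

/* Capabilities to keep; everything else is dropped. CAP_SYS_CHROOT is the
 * one the mail mentions; CAP_SETUID/CAP_SETGID are an assumption here. */
static const int keep_caps[] = { CAP_SYS_CHROOT, CAP_SETUID, CAP_SETGID };

/* 1 if 'cap' is on the keep list, else 0. */
int cap_is_kept(int cap)
{
    size_t i;
    for (i = 0; i < sizeof(keep_caps) / sizeof(keep_caps[0]); i++)
        if (keep_caps[i] == cap)
            return 1;
    return 0;
}

/* Clear every bit of a 32-bit capability word whose capability number
 * (word_idx*32 + bit) is not kept. Returns how many bits were cleared. */
int mask_word(__u32 *word, int word_idx)
{
    int cleared = 0, bit;
    for (bit = 0; bit < 32; bit++) {
        __u32 mask = 1u << bit;
        if ((*word & mask) && !cap_is_kept(word_idx * 32 + bit)) {
            *word &= ~mask;
            cleared++;
        }
    }
    return cleared;
}

/* Drop all but keep_caps from the calling thread's effective, permitted and
 * inheritable sets. Only removes bits, so no CAP_SETPCAP is required.
 * Returns 0 on success, -1 with errno set on failure. */
int drop_unneeded_caps(void)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[CAP_WORDS];
    int i;

    memset(data, 0, sizeof(data));
    if (syscall(SYS_capget, &hdr, data) < 0)
        return -1;
    for (i = 0; i < CAP_WORDS; i++) {
        mask_word(&data[i].effective, i);
        mask_word(&data[i].permitted, i);
        mask_word(&data[i].inheritable, i);
    }
    return syscall(SYS_capset, &hdr, data) < 0 ? -1 : 0;
}

/* 1 if 'cap' is currently in the permitted set, 0 if not, -1 on error. */
int cap_permitted(int cap)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[CAP_WORDS];

    memset(data, 0, sizeof(data));
    if (syscall(SYS_capget, &hdr, data) < 0)
        return -1;
    return (int)((data[cap / 32].permitted >> (cap % 32)) & 1u);
}

int main(void)
{
    if (drop_unneeded_caps() < 0) { perror("capset"); return 1; }
    printf("CAP_SYS_MODULE permitted: %d\n", cap_permitted(CAP_SYS_MODULE));
    printf("CAP_SYS_CHROOT permitted: %d\n", cap_permitted(CAP_SYS_CHROOT));
    return 0;
}
```

Run it as root to see CAP_SYS_MODULE go to 0 while CAP_SYS_CHROOT stays 1; as an unprivileged user both sets are already empty and the call is a no-op.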