search for: cert_usernam

https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz.sig ??? * CVE-2019-3814: If imap/pop3/managesieve/submission client has ??? ? trusted certificate with missing username field ??? ? (ssl_cert_username_field), under some configurations Dovecot ??? ? mistakenly trusts the username provided via authentication instead ??? ? of failing. ??? * ssl_cert_username_field setting was ignored with external SMTP AUTH, ??? ? because none of the MTAs (Postfix, Exim) currently send the ??? ? cert_username fiel...

https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz.sig ??? * CVE-2019-3814: If imap/pop3/managesieve/submission client has ??? ? trusted certificate with missing username field ??? ? (ssl_cert_username_field), under some configurations Dovecot ??? ? mistakenly trusts the username provided via authentication instead ??? ? of failing. ??? * ssl_cert_username_field setting was ignored with external SMTP AUTH, ??? ? because none of the MTAs (Postfix, Exim) currently send the ??? ? cert_username fiel...

...t; </blockquote> <blockquote type="cite"> <div> * CVE-2019-3814: If imap/pop3/managesieve/submission client has </div> <div> trusted certificate with missing username field </div> <div> (ssl_cert_username_field), under some configurations Dovecot </div> <div> mistakenly trusts the username provided via authentication instead </div> <div> of failing. </div> <div> * ssl_cert_username_field setting was ignored w...

...ksudra.net/L=Wilmslow/ST=Cheshire/C=GB/CN=ksudra.net Mar 16 16:51:16 imap-login: Info: Valid certificate: /C=GB/ST=Cheshire/O=ksudra.net/OU=Stephen Feyrer/CN=Stephen Mar 16 16:52:06 auth(default): Info: client in: AUTH 1 EXTERNAL service=imap secured valid-client-cert cert_username=Stephen lip=10.1.1.245 rip=10.1.1.4 lport=993 rport=45379 Mar 16 16:52:06 auth(default): Info: client out: CONT 1 Mar 16 16:52:42 imap-login: Info: Valid certificate: /O=ksudra.net/OU=Ksudra CA/emailAddress=certs at ksudra.net/L=Wilmslow/ST=Cheshire/C=GB/CN=ksudra.net Mar 1...

...Tuomi wrote: > > https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz > https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz.sig > > * CVE-2019-3814: If imap/pop3/managesieve/submission client has > trusted certificate with missing username field > (ssl_cert_username_field), under some configurations Dovecot > mistakenly trusts the username provided via authentication instead > of failing. > * ssl_cert_username_field setting was ignored with external SMTP AUTH, > because none of the MTAs (Postfix, Exim) currently send the >...

...://dovecot.org/releases/2.3/dovecot-2.3.4.1.tar.gz.sig <https://dovecot.org/releases/2.3/dovecot-2.3.2.tar.gz.sig> Binary packages in https://repo.dovecot.org/ * CVE-2019-3814: If imap/pop3/managesieve/submission client has trusted certificate with missing username field (ssl_cert_username_field), under some configurations Dovecot mistakenly trusts the username provided via authentication instead of failing. * ssl_cert_username_field setting was ignored with external SMTP AUTH, because none of the MTAs (Postfix, Exim) currently send the cert_username fiel...

...://dovecot.org/releases/2.3/dovecot-2.3.4.1.tar.gz.sig <https://dovecot.org/releases/2.3/dovecot-2.3.2.tar.gz.sig> Binary packages in https://repo.dovecot.org/ * CVE-2019-3814: If imap/pop3/managesieve/submission client has trusted certificate with missing username field (ssl_cert_username_field), under some configurations Dovecot mistakenly trusts the username provided via authentication instead of failing. * ssl_cert_username_field setting was ignored with external SMTP AUTH, because none of the MTAs (Postfix, Exim) currently send the cert_username fiel...

https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz.sig ??? * CVE-2019-3814: If imap/pop3/managesieve/submission client has ??? ? trusted certificate with missing username field ??? ? (ssl_cert_username_field), under some configurations Dovecot ??? ? mistakenly trusts the username provided via authentication instead ??? ? of failing. ??? * ssl_cert_username_field setting was ignored with external SMTP AUTH, ??? ? because none of the MTAs (Postfix, Exim) currently send the ??? ? cert_username fiel...

...://dovecot.org/releases/2.3/dovecot-2.3.4.1.tar.gz.sig <https://dovecot.org/releases/2.3/dovecot-2.3.2.tar.gz.sig> Binary packages in https://repo.dovecot.org/ ??? * CVE-2019-3814: If imap/pop3/managesieve/submission client has ??? ? trusted certificate with missing username field ??? ? (ssl_cert_username_field), under some configurations Dovecot ??? ? mistakenly trusts the username provided via authentication instead ??? ? of failing. ??? * ssl_cert_username_field setting was ignored with external SMTP AUTH, ??? ? because none of the MTAs (Postfix, Exim) currently send the ??? ? cert_username fiel...

...reef Aki Tuomi: > https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz > https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz.sig > > ??? * CVE-2019-3814: If imap/pop3/managesieve/submission client has > ??? ? trusted certificate with missing username field > ??? ? (ssl_cert_username_field), under some configurations Dovecot > ??? ? mistakenly trusts the username provided via authentication instead > ??? ? of failing. > ??? * ssl_cert_username_field setting was ignored with external SMTP AUTH, > ??? ? because none of the MTAs (Postfix, Exim) currently send the...

...://dovecot.org/releases/2.3/dovecot-2.3.4.1.tar.gz.sig <https://dovecot.org/releases/2.3/dovecot-2.3.2.tar.gz.sig> Binary packages in https://repo.dovecot.org/ ??? * CVE-2019-3814: If imap/pop3/managesieve/submission client has ??? ? trusted certificate with missing username field ??? ? (ssl_cert_username_field), under some configurations Dovecot ??? ? mistakenly trusts the username provided via authentication instead ??? ? of failing. ??? * ssl_cert_username_field setting was ignored with external SMTP AUTH, ??? ? because none of the MTAs (Postfix, Exim) currently send the ??? ? cert_username fiel...

...ki Tuomi wrote: > https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz > https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz.sig > > ??? * CVE-2019-3814: If imap/pop3/managesieve/submission client has > ??? ? trusted certificate with missing username field > ??? ? (ssl_cert_username_field), under some configurations Dovecot > ??? ? mistakenly trusts the username provided via authentication instead > ??? ? of failing. > ??? * ssl_cert_username_field setting was ignored with external SMTP AUTH, > ??? ? because none of the MTAs (Postfix, Exim) currently send the...

...ps://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz >>> https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz.sig >>> ??? * CVE-2019-3814: If imap/pop3/managesieve/submission client has >>> ??? ? trusted certificate with missing username field >>> ??? ? (ssl_cert_username_field), under some configurations Dovecot >>> ??? ? mistakenly trusts the username provided via authentication >>> instead >>> ??? ? of failing. >>> ??? * ssl_cert_username_field setting was ignored with external SMTP >>> AUTH, >>> ??? ? beca...

...reef Aki Tuomi: > https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz > https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz.sig > > ??? * CVE-2019-3814: If imap/pop3/managesieve/submission client has > ??? ? trusted certificate with missing username field > ??? ? (ssl_cert_username_field), under some configurations Dovecot > ??? ? mistakenly trusts the username provided via authentication instead > ??? ? of failing. > ??? * ssl_cert_username_field setting was ignored with external SMTP AUTH, > ??? ? because none of the MTAs (Postfix, Exim) currently send the...

...https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz >> https://dovecot.org/releases/2.2/dovecot-2.2.36.1.tar.gz.sig >> >> ??? * CVE-2019-3814: If imap/pop3/managesieve/submission client has >> ??? ? trusted certificate with missing username field >> ??? ? (ssl_cert_username_field), under some configurations Dovecot >> ??? ? mistakenly trusts the username provided via authentication >> instead >> ??? ? of failing. >> ??? * ssl_cert_username_field setting was ignored with external SMTP >> AUTH, >> ??? ? because none of the MTAs...

...there is no additional password verification, this allows the attacker to login as anyone else in the system. This affects only installations using: auth_ssl_require_client_cert = yes auth_ssl_username_from_cert = yes Attacker must also have access to a valid trusted certificate without the ssl_cert_username_field in it. The default is commonName, which almost certainly exists in all certificates. This could happen for example if ssl_cert_username_field is a field that normally doesn't exist, and attacker has access to a web server's certificate (and key), which is signed with the same CA. At...

Hello everyone. I'm switching to dovecot from courier-imap and after some problems with Apple Mail client, now everything seems to be fine. The only problem that I have not solved yet is to check also the service (pop3, pop3s, imap, imaps) in the authentication phase. In courier-authlib I do this: MYSQL_SELECT_CLAUSE SELECT username, \ password, \

...L=W/ST=C/C=G/CN=h.org dovecot: May 25 11:56:08 Info: imap-login: Valid certificate: /C=G/ST=C/O=h.org/OU=K F/CN=k dovecot: May 25 11:56:10 Info: auth(default): new auth connection: pid=22585 dovecot: May 25 11:56:16 Info: auth(default): client in: AUTH 1 PLAIN service=imap secured valid-client-cert cert_username=k lip=10.1.1.245 rip=10.1.1.1 lport=993 rport=53430 dovecot: May 25 11:56:16 Info: auth(default): client out: CONT 1 dovecot: May 25 11:56:16 Info: auth(default): client in: CONT<hidden> dovecot: May 25 11:56:16 Info: auth(default): passwd-file(k,10.1.1.1): lookup: user=k file=/opt/etc/dove...

...> <https://dovecot.org/releases/2.3/dovecot-2.3.2.tar.gz.sig> > > Binary packages in https://repo.dovecot.org/ > > > > * CVE-2019-3814: If imap/pop3/managesieve/submission client has > > trusted certificate with missing username field > > (ssl_cert_username_field), under some configurations Dovecot > > mistakenly trusts the username provided via authentication instead > > of failing. > > * ssl_cert_username_field setting was ignored with external SMTP AUTH, > > because none of the MTAs (Postfix, Exim) cur...

...> <https://dovecot.org/releases/2.3/dovecot-2.3.2.tar.gz.sig> > > Binary packages in https://repo.dovecot.org/ > > > > * CVE-2019-3814: If imap/pop3/managesieve/submission client has > > trusted certificate with missing username field > > (ssl_cert_username_field), under some configurations Dovecot > > mistakenly trusts the username provided via authentication instead > > of failing. > > * ssl_cert_username_field setting was ignored with external SMTP AUTH, > > because none of the MTAs (Postfix, Exim) cur...