similar to: Secure coding guide

Timo Sirainen <tss at iki.fi> wrote: > On 9 Jul 2018, at 16.49, Andrzej A. Filip <andrzej.filip at gmail.com> wrote: >> >> Is it intended behavior? > > No. > >> It seems to be caused by upgrade to 1:2.3.2-2 on Debian/Testing. > > What was the old version? What's your doveconf -n? How are you testing > that it's not working? It seems that

Op 11-1-2019 om 10:53 schreef Marc Weustink: > Hi all, > > Andrzej A. Filip wrote: >> Timo Sirainen <tss at iki.fi> wrote: >>> On 9 Jul 2018, at 16.49, Andrzej A. Filip <andrzej.filip at gmail.com> >>> wrote: >>>> >>>> Is it intended behavior? >>> >>> No. >>> >>>> It seems to be caused by

I had originally thought that I'd do a complete audit of the Dovecot's sources this weekend, but looks like I didn't. Hopefully I've been writing good enough code that the "1000 EUR for security hole" offer lasts for a long time. :) This release should fix the SSL parameter regeneration problem. There were two changes that were needed to fix it, but I had forgotten the

I'm trying to use this to test an IMAP server I'm developing (I picked the nightly up from the link on the wiki page at http://www.imapwiki.org/ImapTest/Installation). With one client using the mailbox dovecot-crlf (http://www.dovecot.org/tmp/dovecot-crlf) I get messages like: Error: test at npsl.co.uk[67]: 1035253882.5041.34.camel at hurina: Header From changed 'Timo Sirainen

http://dovecot.org/releases/2.2/dovecot-2.2.5.tar.gz http://dovecot.org/releases/2.2/dovecot-2.2.5.tar.gz.sig So, I'm back from the first vacation I've had in about 10 years. (Well, maybe there were a few short ones.) I was planning on coding it the whole time, but looks like I didn't manage to get anything at all done. Maybe that's a good vacation?.. Anyway, I've still a few

http://dovecot.org/releases/2.2/dovecot-2.2.5.tar.gz http://dovecot.org/releases/2.2/dovecot-2.2.5.tar.gz.sig So, I'm back from the first vacation I've had in about 10 years. (Well, maybe there were a few short ones.) I was planning on coding it the whole time, but looks like I didn't manage to get anything at all done. Maybe that's a good vacation?.. Anyway, I've still a few

http://dovecot.org/releases/1.2/dovecot-1.2.8.tar.gz http://dovecot.org/releases/1.2/dovecot-1.2.8.tar.gz.sig This is mainly to fix the 0777 base_dir creation issue, which could be considered a security hole, exploitable by local users. An attacker could for example replace Dovecot's auth socket and log in as other users. Gaining root privileges isn't possible though. This affects only

http://dovecot.org/releases/1.2/dovecot-1.2.8.tar.gz http://dovecot.org/releases/1.2/dovecot-1.2.8.tar.gz.sig This is mainly to fix the 0777 base_dir creation issue, which could be considered a security hole, exploitable by local users. An attacker could for example replace Dovecot's auth socket and log in as other users. Gaining root privileges isn't possible though. This affects only

Should be fixed by https://github.com/dovecot/core/commit/a952e178943a5944255cb7c053d970f8e6d49336 <https://github.com/dovecot/core/commit/a952e178943a5944255cb7c053d970f8e6d49336> -------------- next part -------------- An HTML attachment was scrubbed... URL: <https://dovecot.org/pipermail/dovecot/attachments/20180606/996cfe38/attachment.html>

v0.99.11 2004-09-04 Timo Sirainen <tss at iki.fi> + 127.* and ::1 IP addresses are treated as secured with disable_plaintext_auth = yes + auth_debug setting for extra authentication debugging + Some documentation and error message updates + Create PID file in /var/run/dovecot/master.pid + home setting is now optional in static userdb + Added mail setting to static userdb - After

Whilst debugging a problem in dovecot LDA over the last few days, I came across two different issues in coding techniques. (Note: Please don't take this negatively; my intent is both positive and constructive!) The front page of the website www.dovecot.org says: "it uses several coding techniques to avoid most of the common pitfalls" So I hope it is OK to follow the spirit of

Mozilla sponsored source code audit for Dovecot. So thanks to them we have our first public code audit: https://wiki.mozilla.org/MOSS/Secure_Open_Source/Completed#dovecot Dates: October 2016 - January 2017 dovecot is a POP and IMAP mailserver; it is used in 68% of IMAP server deployments worldwide. The audit was performed by Cure53. The team found the following problems: ? 3 Low The Cure53

It works for me. I don't know why it wouldn't work for you. Looking at the autoindexing code I don't see how it could be possible that it works for saving but not copying. > On 10 Sep 2015, at 21:05, Larry Rosenman <larryrtx at gmail.com> wrote: > > Is there a fix coming for this, Timo? Or is it a longer term issue? > > On Mon, Sep 7, 2015 at 5:23 PM, Larry

It doesn't in my current 2.2.18 setup with the config I posted. On Mon, Sep 7, 2015 at 5:22 PM, Timo Sirainen <tss at iki.fi> wrote: > It should. > > On 08 Sep 2015, at 01:01, Larry Rosenman <larryrtx at gmail.com> wrote: > > should fts_autoindex handle that case? > > > On Mon, Sep 7, 2015 at 5:00 PM, Timo Sirainen <tss at iki.fi> wrote: >

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Tue, 23 Jun 2015, lejeczek wrote: > On 23/06/15 09:32, Steffen Kaiser wrote: >> On Mon, 22 Jun 2015, lejeczek wrote: >>> On 22/06/15 09:43, Steffen Kaiser wrote: >>>> On Mon, 22 Jun 2015, lejeczek wrote: >>>>> On 22/06/15 09:16, lejeczek wrote: >>>>>> >>>>>> to=<me

A patch has been proposed for SpamAssassin to process Maildir folders of spam: <https://issues.apache.org/SpamAssassin/show_bug.cgi?id=3003> Is this patch compatible with Dovecot's implementation of Maildir? For example, is anything needed to avoid stepping on Dovecot's metadata?

I've been once in a while over the years thinking about implementing CalDAV (and CardDAV) to Dovecot. It might be time to start that soon. Does anyone have any suggestions? So far my main goals would be: - scalable, of course - configurable storage (object storage, regular fs, maybe some key-value dbs, maybe storing as emails) - efficient indexes (potentially using key-value dbs? or maybe

On 28 Apr 2015, at 11:35, Timo Sirainen <tss at iki.fi> wrote: > > On 28 Apr 2015, at 04:15, Edwardo Garcia <wdgarc88 at gmail.com> wrote: >> When can we expect 2.2.17 to resolve this? > > As far as I know this doesn't affect any of the major distributions where Dovecot is commonly used (Debian/Ubuntu/Redhat/CentOS). I've only heard it happening with some

http://dovecot.org/releases/1.1/dovecot-1.1.14.tar.gz http://dovecot.org/releases/1.1/dovecot-1.1.14.tar.gz.sig http://dovecot.org/releases/1.2/rc/dovecot-1.2.rc3.tar.gz http://dovecot.org/releases/1.2/rc/dovecot-1.2.rc3.tar.gz.sig Fixed lots of bugs in v1.2 related to shared mailboxes and virtual mailboxes. Keep on testing and sending bug reports and hopefully we'll get v1.2.0 release out

http://dovecot.org/releases/1.1/dovecot-1.1.14.tar.gz http://dovecot.org/releases/1.1/dovecot-1.1.14.tar.gz.sig http://dovecot.org/releases/1.2/rc/dovecot-1.2.rc3.tar.gz http://dovecot.org/releases/1.2/rc/dovecot-1.2.rc3.tar.gz.sig Fixed lots of bugs in v1.2 related to shared mailboxes and virtual mailboxes. Keep on testing and sending bug reports and hopefully we'll get v1.2.0 release out