[Dovecot] Are host names a secret?

Pedro Lourenco Venda pjvenda at pjvenda.org
Fri Jul 17 12:19:12 EEST 2009


On Thu, Jul 16, 2009 at 11:19 PM, Timo Sirainen<tss at iki.fi> wrote:
> On Fri, 2009-07-17 at 00:12 +0200, Axel Luttgens wrote:
>> > With large installations with multiple servers that could allow users to
>> > see e.g. if they're on the same server as someone else they know, or
>> > when they get moved to a different server, etc. But is this a real
>> > issue? Maybe not.
>>
>> I tend to agree with the latter.
>> First, hiding the info would tend towards security through obscurity.
>> Second, it is very likely that the info would anyway be leaked through
>> some other parts of the transport layers.
>> Third, one may hope that the security of smtp/imap/pop software
>> doesn't depend on the availability of such info. ;-)
>
> It's not really about the security, but more about exposing some
> information that maybe the IMAP service provider would have preferred if
> you didn't know about.

If I may chip in my opinion:

Information disclosure *is* a security problem. And this trend is
increasing as systems tend to become more secure and direct break-ins
are tougher and tougher. So attackers resort to weaker links - people.

When confronted with a choice of disclosing information or not
(provided that the functionality level is the same, of course, and
that the protocol standards are being followed) I see no reason to
disclose it. It is just about following good practice.

At the end of the day, and in this case, the impact of disclosing this
information is pretty close to 0.

Unfortunately I'm no longer a sysadmin and I don't know if "my" hosted
multi-[virtual]-domain postfix/ldap/dovecot installations are still
running, but I haven't yet found the reason to go back to other
software.

Cheers,
Pedro.

