[Dovecot] Web-Interface for Dovecot-Sieve?
Seth Mattinen
sethm at rollernet.us
Wed Nov 18 19:40:33 EET 2009
Steffen Kaiser wrote:
> On Wed, 18 Nov 2009, Seth Mattinen wrote:
>
>>>>> is there anywhere a web-interface for managing sieve-filters with
>>>>> dovecot?
>>>
>>>> Beware that dovecot managesieve does not have any kind of security to
>>>> prevent abuse if you open it to the outside world.
>>>
>>> Huh?
>>> It has the same security as Dovecot itself: authentication with TLS.
>
>> The last time I checked dovecot managesieve has a denial of service
>> potential of no limit to how much disk space it will let sieve consume.
>
> OK, but this is not related to "outside", you need a password to fill
> the space and take the system down.
>
So? That doesn't mean every logged-in connection will be well behaved.
Even a well-meaning user could use a managesieve tool with a bug that
brings your server down. Until dovecot managesieve figures out how to
add some very basic DoS protection I wouldn't open it up to end users. I
haven't looked at the code (too busy) but I can't imagine it would be an
impossible task to add a fixed size per script (i.e. a couple megs) and
maximum number of allowed scripts (like 50).
~Seth
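
An added example, not part of the original post and not Dovecot's own code: an audit an administrator could run over stored Sieve scripts to flag accounts that exceed the two limits proposed above (a fixed size per script and a maximum number of scripts). The directory layout `<root>/<user>/<name>.sieve`, the function and class names, and reading "a couple megs" as 2 MiB are assumptions.

```python
import os
import sys
from dataclasses import dataclass

# Limits from the post; "a couple megs" is read as 2 MiB (assumption).
MAX_SCRIPT_BYTES = 2 * 1024 * 1024
MAX_SCRIPTS = 50


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str    # "script_too_large" or "too_many_scripts"
    detail: str  # script file name, or the user's directory path
    value: int   # size in bytes, or number of scripts


def audit_sieve_root(root, max_bytes=MAX_SCRIPT_BYTES, max_scripts=MAX_SCRIPTS):
    """Return a Finding for every per-user limit violation under root.

    Assumed (hypothetical) layout: <root>/<user>/<name>.sieve
    """
    findings = []
    for user in sorted(os.scandir(root), key=lambda e: e.name):
        if not user.is_dir(follow_symlinks=False):
            continue
        count = 0
        for entry in sorted(os.scandir(user.path), key=lambda e: e.name):
            if not entry.name.endswith(".sieve"):
                continue
            # Regular files only: a symlink (for example one marking the
            # active script) must not be counted twice or followed elsewhere.
            if not entry.is_file(follow_symlinks=False):
                continue
            count += 1
            size = entry.stat(follow_symlinks=False).st_size
            if size > max_bytes:
                findings.append(Finding(user.name, "script_too_large", entry.name, size))
        if count > max_scripts:
            findings.append(Finding(user.name, "too_many_scripts", user.path, count))
    return findings


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: audit_sieve.py <sieve-root>")
    for f in audit_sieve_root(sys.argv[1]):
        print(f"{f.user}: {f.kind} {f.detail} ({f.value})")
```
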