[Dovecot] Web-Interface for Dovecot-Sieve?

Seth Mattinen sethm at rollernet.us
Wed Nov 18 19:40:33 EET 2009


Steffen Kaiser wrote:
> On Wed, 18 Nov 2009, Seth Mattinen wrote:
> 
>>>>> is there anywhere a web-interface for managing sieve-filters with
>>>>> dovecot?
>>>
>>>> Beware that dovecot managesieve does not have any kind of security to
>>>> prevent abuse if you open it to the outside world.
>>>
>>> Huh?
>>> It has the same security as Dovecot itself: authentification with TLS.
> 
>> The last time I checked dovecot managesieve has a denial of service
>> potential of no limit to how much disk space it will let sieve consume.
> 
> OK, but this is not related to "outside", you need a password to fill
> the space and take the system down.
> 

So? That doesn't mean every logged in connection will be well behaved.

Even a well meaning user could use a managesieve tool with a bug that
brings your server down. Until dovecot managesieve figures out how to
add some very basic DOS protection I wouldn't open it up to end users. I
haven't looked at the code (too busy) but i can't imagine it would be an
impossible task to add a fixed size per script (i.e. a couple megs) and
maximum number of allowed scripts (like 50).

~Seth


More information about the dovecot mailing list