[Dovecot] dovecot: disable ssl compression
Timo Sirainen
tss at iki.fi
Thu Jul 3 19:50:59 UTC 2014
On 20.5.2014, at 22.49, Andreas Schulze <sca at andreasschulze.de> wrote:
> Jiri Bourek:
>> Well they seem to know what they are talking about. The description
>> of the threat in linked screenshot says "attacker needs to have
>> ability to submit any plain text"
>
> I wrote the attached patch to add SSL_OP_NO_COMPRESSION to dovecot.
> Looks not perfect but definitly works.
Added a Postfix-like ssl_options setting: http://hg.dovecot.org/dovecot-2.2/rev/cea292767b95
But now I'm wondering if no-compression should be enabled by default?..
More information about the dovecot
mailing list