How do we disable LOGIN-REFERRALS? (part 2)
Timo Sirainen
tss at iki.fi
Thu Dec 3 12:32:50 UTC 2015
On 12/03/2015 01:46 PM, sb wrote:
> From /opt/src/dovecot-2.2.19/doc/wiki/PasswordDatabase.ExtraFields.Host.txt
>> Login referrals are an IMAP extension specified by RFC 2221
>> [http://www.apps.ietf.org/rfc/rfc2221.html]. They're not supported by
>> many
>> clients, so you probably don't want to use them normally.
> Right.
>> The following clients are known to support login referrals:
>>
>> * Pine
>> * Outlook (but not Outlook Express)
> We use neither.
>> Login referrals are used only if the proxy field isn't set.
> We want neither LOGIN-REFERRALS nor proxy.
>
> Dovecot's configure includes the following by default:
>> capability_banner="IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID
>> ENABLE IDLE"
> If the extension is simply hidden from the banner, an attacker could
> still use the extension.
If the connection is SSL/TLS encrypted, the attacker can't add/modify
login referrals. If it's not encrypted, the attacker could just as well
insert the LOGIN-REFERRALS to the CAPABILITY reply if it didn't exist there.
> If one removes the string from the banner above, one merely hides the
> extension name
> in the banner, or also disables the extension's engine?
As long as Dovecot doesn't return any login-referrals (which it doesn't
by default), I don't see why having LOGIN-REFERRALS in the CAPABILITY
reply would matter.
More information about the dovecot
mailing list