On Thu, 2008-11-13 at 15:57 +0200, Timo Sirainen wrote:
> On Nov 13, 2008, at 1:03 PM, Michal Hlavinka wrote:
>> Hi,
>> we're trying to solve CVE-2008-4870 = rhbz#436287 = dovecot.conf is
>> world readable - possible password exposure. This problem seems to be a
>> little more complicated than we thought.
>> dovecot.conf can contain the passphrase for the ssl key, which is available
>> to everyone since dovecot.conf has world-readable permissions.
>
> Maybe a new separate dovecot-secret.conf? When Dovecot starts up it
> first reads dovecot.conf and after that dovecot-secret.conf. deliver
> wouldn't read dovecot-secret.conf at all.
Added !include and !include_try:
http://hg.dovecot.org/dovecot-1.1/rev/5f471f5b06d2
http://hg.dovecot.org/dovecot-1.1/rev/313d1195318f

deliver will currently just skip !include_try lines and gives an error if someone tries to use !include. So for now it's not a good idea to start using !include in default settings. :)
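The split proposed in this thread, as an added example that is not Dovecot's own code and not the content of the linked commits: the SSL key passphrase is moved out of the world-readable dovecot.conf into an owner-only dovecot-secret.conf that the main file pulls in with !include_try, and a small audit walks the include chain and flags any file that holds a password setting while being group- or world-readable. The setting name ssl_key_password and the file name dovecot-secret.conf come from the thread; the "any setting ending in password" match, the resolution of relative include paths against the including file's directory, the scratch directories and the passphrase value are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not Dovecot's own code. Builds the weak layout (passphrase in
# a 0644 dovecot.conf) and the split layout (passphrase in a 0600
# dovecot-secret.conf reached via !include_try), then audits both.
# Assumptions: "*password =" is a heuristic for secret-bearing settings
# (ssl_key_password is the one from the thread); relative include paths are
# resolved against the including file's directory; paths and the passphrase
# value below are constructed for the demo.

# Any setting whose name ends in "password" is treated as a secret.
SECRET_RE='^[[:space:]]*[a-z_]*password[[:space:]]*='

# write_layout DIR MODE
#   weak:  passphrase written straight into the world-readable dovecot.conf
#   split: passphrase in an owner-only dovecot-secret.conf, included with !include_try
write_layout() {
    local dir mode                      # 'local' works in dash, bash and ash
    dir=$1; mode=$2
    mkdir -p "$dir"
    {
        printf 'protocols = imap imaps\n'
        printf 'ssl_cert_file = /etc/ssl/certs/dovecot.pem\n'
        printf 'ssl_key_file = /etc/ssl/private/dovecot.pem\n'
        if [ "$mode" = weak ]; then
            printf 'ssl_key_password = hunter2\n'      # constructed value
        else
            printf '!include_try %s/dovecot-secret.conf\n' "$dir"
        fi
    } > "$dir/dovecot.conf"
    chmod 644 "$dir/dovecot.conf"       # main config stays world readable
    if [ "$mode" = split ]; then
        printf 'ssl_key_password = hunter2\n' > "$dir/dovecot-secret.conf"
        chmod 600 "$dir/dovecot-secret.conf"
    fi
}

# audit_conf FILE
#   Returns 1 if FILE or anything it includes holds a password setting while
#   being group- or world-readable, or if a plain !include target is missing.
#   A missing !include_try target is skipped, which is what _try means.
audit_conf() {
    local file rc bits line directive inc
    file=$1; rc=0
    [ -f "$file" ] || return 1
    if grep -Eq "$SECRET_RE" "$file"; then
        bits=$(ls -ld "$file" | cut -c5,8)   # group-read and other-read bits
        case $bits in
            *r*) echo "INSECURE: $file holds a password but is readable by group/others"; rc=1 ;;
            *)   echo "ok: $file holds a password and is owner-only" ;;
        esac
    fi
    # Follow !include / !include_try lines (paths without whitespace only).
    for line in $(sed -n 's/^[[:space:]]*\(!include\(_try\)\{0,1\}\)[[:space:]]\{1,\}\(.*\)/\1=\3/p' "$file"); do
        directive=${line%%=*}; inc=${line#*=}
        case $inc in /*) ;; *) inc=$(dirname "$file")/$inc ;; esac   # assumed resolution
        if [ -f "$inc" ]; then
            audit_conf "$inc" || rc=1
        elif [ "$directive" = '!include' ]; then
            echo "ERROR: $file includes missing file $inc"; rc=1
        fi
    done
    return $rc
}

# Demo: build both layouts under a scratch directory and audit each.
demo_dir=$(mktemp -d)
write_layout "$demo_dir/weak" weak
write_layout "$demo_dir/split" split
audit_conf "$demo_dir/weak/dovecot.conf" || echo "weak layout: passphrase exposed"
audit_conf "$demo_dir/split/dovecot.conf" && echo "split layout: passphrase protected"
rm -rf "$demo_dir"
```

The secret file is pulled in with !include_try rather than !include on purpose: as noted above, deliver skips !include_try lines and errors on !include, and the SSL passphrase is something deliver never needs, so keeping it out of deliver's view costs nothing. Settings that deliver does need must stay in dovecot.conf, and the audit makes no attempt to decide that for you.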