3 Jul
2014
3 Jul
'14
10:50 p.m.
On 20.5.2014, at 22.49, Andreas Schulze <sca@andreasschulze.de> wrote:
Jiri Bourek:
Well they seem to know what they are talking about. The description of the threat in linked screenshot says "attacker needs to have ability to submit any plain text"
I wrote the attached patch to add SSL_OP_NO_COMPRESSION to dovecot. Looks not perfect but definitly works.
Added a Postfix-like ssl_options setting: http://hg.dovecot.org/dovecot-2.2/rev/cea292767b95
But now I'm wondering if no-compression should be enabled by default?..