On Sun, May 18, 2008 at 8:52 AM, Lawrence Sheed <lawrence@computersolutions.cn> wrote:
I'm running 1.0.13
If I run dovecot for a while, I see a /var/run/dotvecot folder created with the following:
drwxr-xr-x 3 root root 4096 2008-05-18 13:30 dotvecot
drwxr-xr-x 3 root root 4096 2008-05-18 13:47 .
drwxr-xr-x 18 root root 4096 2008-05-18 13:47 ..
srw------- 1 root root 0 2008-05-18 13:47 auth-worker.15138
srwxrwxrwx 1 root root 0 2008-05-18 13:47 dict-server
drwxr-x--- 2 root dovecot 4096 2008-05-18 13:47 login
-rw------- 1 root root 6 2008-05-18 13:47 master.pid
It appears to be created by imap-login
I've tried removing any dovecot remnants and reinstalling from the 1.0.13 tar.gz from the site. After starting dovecot again, after a few minutes the files appear.
What is the problem according to you??? Excuse me for being blind to it if it is really there, but this appears okay to me! In your dovecot.conf, you have the following:
base_dir = /var/run/dotvecot
Given that it's actually your own typo putting that in place, how does that constitute a security hole? :-)
The processes are running something on 6243 and 6244
What are those? tcp ports??? pids??
(Presumably an exploit / login)
Oh, how? Your question is simply not clear to me at all, but that could be because I am not quite a security expert to see the obvious.
I have iptables set up to only allow existing ports in/out so I think that's saved me so far.
I've switched to courier-imap in the interim.
Anyone want to assist in finding out how they are getting in?
Definitely dovecot related. If I don't run dovecot, seems secure. As soon as I run dovecot, after a few minutes - rooted...
???
Lemme watch this in the periphery! I run dovecot-1.0.13 on over 20 hosts so I could be "rooted" as well. However, my setups tell dovecot to listen to ports 110 and 143 only and I have never observed anything strange.
Timo has some good amount of money to offer you if you could prove that there is a security exploit, but I don't see you getting even 0.001% of that amount just with the information you've provided here. Aren't you just being paranoid? Could you please provide more information that can make someone "see" what you are scared of?
--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254733744121/+254722743223
"Oh My God! They killed init! You Bastards!" --from a /. post