On 15/12/2021 08:52, Aki Tuomi wrote:
> The suggested configuration is good, and although we did some checking to ensure that dovecot escapes the search queries and usernames sent to solr, so it is not trivial to send the JNDI expansion strings to be logged by solr, it is still a good idea to set this.
> Aki
Agreed, it is worthwhile taking the advised mitigation steps regardless of the escaping done in Dovecot. Reasoning is:
- Escaping may not be 100% foolproof; there are people out there working on bypassing such things.
- The search string method is not the only attack vector for SOLR. If people have SOLR exposed on an internet host, even if it is password protected, that doesn't mean SOLR is not logging failed access attempts, which can easily contain the attack string.
John