Steffen Kaiser wrote:
On Wed, 18 Nov 2009, Seth Mattinen wrote:
Is there anywhere a web-interface for managing sieve-filters with dovecot?
Beware that dovecot managesieve does not have any kind of security to prevent abuse if you open it to the outside world.
Huh? It has the same security as Dovecot itself: authentication with TLS.
The last time I checked dovecot managesieve has a denial of service potential of no limit to how much disk space it will let sieve consume.
OK, but this is not related to "outside", you need a password to fill the space and take the system down.
So? That doesn't mean every logged in connection will be well behaved.
Even a well-meaning user could use a managesieve tool with a bug that brings your server down. Until dovecot managesieve figures out how to add some very basic DOS protection I wouldn't open it up to end users. I haven't looked at the code (too busy) but I can't imagine it would be an impossible task to add a fixed size per script (i.e. a couple megs) and maximum number of allowed scripts (like 50).
~Seth
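
The two limits proposed in the message above (a fixed maximum size per script and a maximum number of scripts), as an added sketch that is not part of the original thread and not Dovecot code. The constants, the `ScriptStore` class and its methods are hypothetical names; it assumes the upload command announces the body length up front as a `{N+}` literal and handles only quoted script names, so an oversized upload is refused before any of its body is read.

```python
import re

# Limits suggested in the message above; hypothetical names, not Dovecot settings.
MAX_SCRIPT_BYTES = 2 * 1024 * 1024   # "a couple megs" per script
MAX_SCRIPTS = 50                     # maximum number of stored scripts per user

# Assumed command shape: the body length is announced before the body is sent,
# e.g.  PUTSCRIPT "vacation" {1234+}
PUTSCRIPT_RE = re.compile(r'^PUTSCRIPT "([^"\r\n]{1,128})" \{(\d{1,12})\+\}$')


class ScriptStore:
    """In-memory stand-in for one authenticated user's script directory."""

    def __init__(self):
        self.scripts = {}

    def check_putscript(self, line):
        """Accept or refuse from the command line alone, before reading the body."""
        m = PUTSCRIPT_RE.match(line)
        if m is None:
            return (False, "malformed PUTSCRIPT")
        name, size = m.group(1), int(m.group(2))
        if size > MAX_SCRIPT_BYTES:
            return (False, "script too large")
        # Overwriting an existing script does not consume another slot.
        if name not in self.scripts and len(self.scripts) >= MAX_SCRIPTS:
            return (False, "too many scripts")
        return (True, name)

    def put(self, line, body):
        """Store the body only if the command passed the checks and the length matches."""
        ok, info = self.check_putscript(line)
        if not ok:
            return (False, info)
        announced = int(PUTSCRIPT_RE.match(line).group(2))
        if len(body) != announced:
            return (False, "length mismatch")
        self.scripts[info] = body
        return (True, info)
```

Both checks run after authentication, which is the case the message is concerned with: a logged-in client, buggy or not, cannot grow the script store past 50 scripts of 2 MiB each.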