On 12/03/2015 01:46 PM, sb wrote:
> From /opt/src/dovecot-2.2.19/doc/wiki/PasswordDatabase.ExtraFields.Host.txt
>
> Login referrals are an IMAP extension specified by RFC 2221 [http://www.apps.ietf.org/rfc/rfc2221.html]. They're not supported by many clients, so you probably don't want to use them normally.

Right.

> The following clients are known to support login referrals:
> - Pine
> - Outlook (but not Outlook Express)
>
> We use neither.
>
> Login referrals are used only if the proxy field isn't set.
>
> We want neither LOGIN-REFERRALS nor proxy.
>
> Dovecot's configure includes the following by default:
> capability_banner="IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE"
>
> If the extension is simply hidden from the banner, an attacker could still use the extension.

If the connection is SSL/TLS encrypted, the attacker can't add/modify login referrals. If it's not encrypted, the attacker could just as well insert LOGIN-REFERRALS into the CAPABILITY reply if it didn't exist there.

> If one removes the string from the banner above, does one merely hide the extension name in the banner, or also disable the extension's engine?

As long as Dovecot doesn't return any login-referrals (which it doesn't by default), I don't see why having LOGIN-REFERRALS in the CAPABILITY reply would matter.
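The point made above (a plaintext connection lets an attacker rewrite both the CAPABILITY list and any REFERRAL response, so the banner string is not a security boundary) can be checked from the client side. The following is an added example, not code from the thread or from Dovecot; the greeting and referral lines are constructed samples shaped like a Dovecot greeting with the default capability_banner quoted above and an RFC 2221 REFERRAL response code.

```python
import re
from typing import Optional, Set

# Constructed sample: untagged greeting carrying Dovecot's default capability_banner.
SAMPLE_GREETING = ("* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS "
                   "ID ENABLE IDLE] Dovecot ready.")

# Constructed sample: tagged NO with an RFC 2221 REFERRAL response code (hypothetical host).
SAMPLE_REFERRAL = ("a001 NO [REFERRAL IMAP://user;AUTH=*@mail2.example.invalid/] "
                   "Specified user is invalid on this server. Try mail2.")


def parse_capabilities(greeting: str) -> Set[str]:
    """Return the capability atoms advertised in an untagged OK greeting (empty if none)."""
    m = re.search(r"\[CAPABILITY ([^\]]*)\]", greeting)
    return set(m.group(1).split()) if m else set()


def parse_referral(response: str) -> Optional[str]:
    """Return the IMAP URL carried in a REFERRAL response code, or None if absent."""
    m = re.match(r"\S+ (?:OK|NO|BYE) \[REFERRAL ([^\]\s]+)\]", response)
    return m.group(1) if m else None


def referral_to_follow(response: str, caps: Set[str], tls: bool) -> Optional[str]:
    """Client policy: a referral is only trustworthy if the session is TLS-protected.

    Without TLS neither the advertised capabilities nor the referral itself can be
    trusted, because an on-path attacker can insert or rewrite either one.
    """
    url = parse_referral(response)
    if url is None or not tls or "LOGIN-REFERRALS" not in caps:
        return None
    return url


if __name__ == "__main__":
    caps = parse_capabilities(SAMPLE_GREETING)
    print("advertised:", sorted(caps))
    print("plaintext referral honoured:", referral_to_follow(SAMPLE_REFERRAL, caps, tls=False))
    print("TLS referral honoured:", referral_to_follow(SAMPLE_REFERRAL, caps, tls=True))
```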