On December 2, 2016 at 7:50 PM "A. Schulze" sca@andreasschulze.de wrote:
Am 02.12.2016 um 08:00 schrieb Aki Tuomi:
Workaround is to disable auth-policy component until fix is in place. This can be done by commenting out all auth_policy_* settings.
Hello,
could you be more verbose on how to verify if administrators are affected?
# doveconf -n | grep auth_policy_ | wc -l 0
but there /are/ default settings: # doveconf -d | grep auth_policy_ auth_policy_hash_mech = sha256 auth_policy_hash_nonce = auth_policy_hash_truncate = 12 auth_policy_reject_on_fail = no auth_policy_request_attributes = login=%{orig_username} pwhash=%{hashed_password} remote=%{real_rip} auth_policy_server_api_header = auth_policy_server_timeout_msecs = 2000 auth_policy_server_url =
Is such setup vulnerable?
Thanks for clarification, Andreas
Your setup is not vulnerable, the critical values are auth_policy_server_url and auth_policy_hash_nonce. Those are unset in your config.
Aki