13 Nov 2008, 3:57 p.m.
On Nov 13, 2008, at 1:03 PM, Michal Hlavinka wrote:
> Hi,
> we're trying to solve CVE-2008-4870 = rhbz#436287 = dovecot.conf is
> world readable - possible password exposure. This problem seems to be
> a little more complicated than we thought.
> dovecot.conf can contain passphrase for ssl key, which is available
> for everyone since dovecot.conf has world readable permissions.

Maybe a new separate dovecot-secret.conf? When Dovecot starts up it
first reads dovecot.conf and after that dovecot-secret.conf. deliver
wouldn't read dovecot-secret.conf at all.
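
An added example, not part of the original thread: a small audit that flags the exposure discussed above, a configuration file readable by "other" that sets a key passphrase. It assumes the passphrase is set with Dovecot's `ssl_key_password` setting, which the thread does not name; the sample file content is constructed.

```python
import os
import re
import stat
import tempfile

# Settings treated as secrets (assumption: ssl_key_password holds the
# SSL key passphrase; add other secret-bearing settings as needed).
SECRET_SETTINGS = ("ssl_key_password",)


def audit_config(path, secret_settings=SECRET_SETTINGS):
    """Return (line number, setting, file mode) for each secret setting with
    a non-empty value in a file that is readable by 'other'."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if not mode & stat.S_IROTH:
        return []  # not world readable: nothing to report
    names = "|".join(re.escape(s) for s in secret_settings)
    # Anchored at line start, so commented-out ("#...") settings are ignored.
    pattern = re.compile(r"^\s*(%s)\s*=\s*\S.*$" % names)
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            m = pattern.match(line)
            if m:
                # Report the setting name only, never the secret value.
                findings.append((lineno, m.group(1), oct(mode)))
    return findings


def demo():
    """Audit a constructed config at mode 0644, then again at 0600."""
    sample = (
        "# constructed sample, not a real configuration\n"
        "#ssl_key_password = commented-out\n"
        "ssl_key_password = constructed-passphrase\n"
    )
    fd, path = tempfile.mkstemp(suffix=".conf")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(sample)
        os.chmod(path, 0o644)
        world_readable = audit_config(path)
        os.chmod(path, 0o600)
        restricted = audit_config(path)
        return world_readable, restricted
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```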