Global create ACL allows out of boundaries mailbox
13 Jul
2017
13 Jul
'17
10:18 a.m.
Hello Dovecot Team,
During my tests I setup a global ACL allowing mailbox create for all authenticated users. Then, I made a mistake in Thunderbird, tried to create a mailbox directly on the "/shared/" special folder.
Dovecot created a folder in the global root path of our mail store. Since I use maildir:/var/vmail/%d/%n/mail as mail_location, it created the mailbox in /var/vmail (where my domains are).
It was just a test and I can imagine allowing create permission to all users whatever the path is not a good idea nor a common use case but still, it's probably worth reporting.
Keep up the good work Cheers
Loïc Gomez
2719
Age (days ago)
2719
Last active (days ago)
0 comments
1 participants
participants (1)
-
Loïc Gomez