How do we disable LOGIN-REFERRALS?
Network Working Group                                         M. Gahrns
Request for Comments: 2221                                    Microsoft
Category: Standards Track                                  October 1997
IMAP4 Login Referrals
... 6. Security Considerations
The IMAP4 login referral mechanism makes use of IMAP URLs, and as such, have the same security considerations as general internet URLs [RFC-1738], and in particular IMAP URLs [IMAP-URL].
A server MUST NOT give a login referral if authentication for that user fails. This is to avoid revealing information about the user's account to an unauthorized user.
With the LOGIN-REFERRALS capability, it is potentially easier to write a rogue 'password catching' server that collects login data and then refers the client to their actual IMAP4 server. Although referrals reduce the effort to write such a server, the referral response makes detection of the intrusion easier.
From /opt/src/dovecot-2.2.19/doc/wiki/PasswordDatabase.ExtraFields.Host.txt:

> Login referrals are an IMAP extension specified by RFC 2221 [http://www.apps.ietf.org/rfc/rfc2221.html]. They're not supported by many clients, so you probably don't want to use them normally.

Right.

> The following clients are known to support login referrals:
> - Pine
> - Outlook (but not Outlook Express)

We use neither.

> Login referrals are used only if the proxy field isn't set.

We want neither LOGIN-REFERRALS nor proxy.

Dovecot's configure includes the following by default:

capability_banner="IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE"

If the extension is simply hidden from the banner, an attacker could still use the extension.

If one removes the string from the banner above, does one merely hide the extension name in the banner, or also disable the extension's engine?
On 12/03/2015 01:46 PM, sb wrote:

> From /opt/src/dovecot-2.2.19/doc/wiki/PasswordDatabase.ExtraFields.Host.txt:
>
>> Login referrals are an IMAP extension specified by RFC 2221 [http://www.apps.ietf.org/rfc/rfc2221.html]. They're not supported by many clients, so you probably don't want to use them normally.
>
> Right.
>
>> The following clients are known to support login referrals:
>> - Pine
>> - Outlook (but not Outlook Express)
>
> We use neither.
>
>> Login referrals are used only if the proxy field isn't set.
>
> We want neither LOGIN-REFERRALS nor proxy.
>
> Dovecot's configure includes the following by default:
>
> capability_banner="IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE"
>
> If the extension is simply hidden from the banner, an attacker could still use the extension.

If the connection is SSL/TLS encrypted, the attacker can't add/modify login referrals. If it's not encrypted, the attacker could just as well insert LOGIN-REFERRALS into the CAPABILITY reply if it didn't exist there.

> If one removes the string from the banner above, does one merely hide the extension name in the banner, or also disable the extension's engine?

As long as Dovecot doesn't return any login referrals (which it doesn't by default), I don't see why having LOGIN-REFERRALS in the CAPABILITY reply would matter.
On 12/3/15 1:32 PM, Timo Sirainen wrote:

> As long as Dovecot doesn't return any login-referrals (which it doesn't by default), I don't see why having LOGIN-REFERRALS in the CAPABILITY reply would matter.

Because a compatible client will use the capability as advertised by the server, and then fail because the server is not honouring its promise.

One can hide the capability in the banner, but one also wants to disable its engine. You say that dovecot has it disabled by default, but I have no evidence of it, yet.
On 03 Dec 2015, at 15:17, sb <serbr@runbox.com> wrote:

> On 12/3/15 1:32 PM, Timo Sirainen wrote:
>
>> As long as Dovecot doesn't return any login-referrals (which it doesn't by default), I don't see why having LOGIN-REFERRALS in the CAPABILITY reply would matter.
>
> Because a compatible client will use the capability as advertised by the server, and then fail because the server is not honouring its promise.
>
> One can hide the capability in the banner, but one also wants to disable its engine. You say that dovecot has it disabled by default, but I have no evidence of it, yet.

I think you need to read how LOGIN-REFERRALs actually work. There is no code that can be disabled on Dovecot side.
On 12/3/15 2:49 PM, Timo Sirainen wrote:

> There is no code that can be disabled on Dovecot side. I think you need to read how LOGIN-REFERRALs actually work.

This is an excerpt from the RFC:

> A home server referral may be returned in response to an AUTHENTICATE or LOGIN command, or it may appear in the connection startup banner. If a server returns a home server referral in a tagged NO response, that server does not contain any mailboxes that are accessible to the user. If a server returns a home server referral in a tagged OK response, it indicates that the user's personal mailboxes are elsewhere, but the server contains public mailboxes which are readable by the user. After receiving a home server referral, the client can not make any assumptions as to whether this was a permanent or temporary move of the user.

The client and the server exchange relevant messages. If dovecot cannot disable the relevant code then either dovecot does not implement the RFC or it does it so well that it cannot be disabled without rewriting dovecot's code. In either case, we want to disable LOGIN-REFERRAL, and have evidence that it has been disabled. Removing the keyword from the banner is not sufficient, and the documentation PasswordDatabase.ExtraFields.Host.txt is far from useful.
On 03 Dec 2015, at 17:20, sb <serbr@runbox.com> wrote:

> On 12/3/15 2:49 PM, Timo Sirainen wrote:
>
>> There is no code that can be disabled on Dovecot side. I think you need to read how LOGIN-REFERRALs actually work.
>
> This is an excerpt from the RFC:
>
>> A home server referral may be returned in response to an AUTHENTICATE or LOGIN command, or it may appear in the connection startup banner. If a server returns a home server referral in a tagged NO response, that server does not contain any mailboxes that are accessible to the user. If a server returns a home server referral in a tagged OK response, it indicates that the user's personal mailboxes are elsewhere, but the server contains public mailboxes which are readable by the user. After receiving a home server referral, the client can not make any assumptions as to whether this was a permanent or temporary move of the user.
>
> The client and the server exchange relevant messages.

The client doesn't send anything to Dovecot regarding the use of LOGIN-REFERRALS. It simply does a regular authentication, and if Dovecot is configured to send a login referral then Dovecot responds so to the LOGIN or AUTHENTICATE command. The client can't request a referral in any way.

> If dovecot cannot disable the relevant code then either dovecot does not implement the RFC or it does it so well that it cannot be disabled without rewriting dovecot's code. In either case, we want to disable LOGIN-REFERRAL, and have evidence that it has been disabled. Removing the keyword from the banner is not sufficient, and the documentation PasswordDatabase.ExtraFields.Host.txt is far from useful.

Dovecot never sends a login referral unless you have explicitly configured passdb to send it. There are no commands, requests or anything related to LOGIN-REFERRALS that can be sent by an IMAP client to Dovecot. If you haven't configured a passdb to return a host field, there is zero code that can ever be executed that is in any way related to LOGIN-REFERRALS.
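The exchange Timo describes, as an added example that is not part of the thread and not Dovecot's own code: a small Python audit that parses the status responses a client sees (the banner and the tagged LOGIN or AUTHENTICATE reply), extracts any RFC 2221 [REFERRAL imapurl] response code together with the host it points at, and flags a referral that arrives although LOGIN-REFERRALS was never advertised, which is what an injected or rogue referral on an unencrypted connection looks like. An empty finding list for a real session is the evidence sb asks for. The sample sessions are constructed, not captured from a server; the host names, user names and the live_check() helper (which assumes a reachable server with TLS on port 993 and relies on imaplib's response('REFERRAL') accessor) are assumptions for illustration.

```python
"""Audit IMAP status responses for RFC 2221 login referrals.

Added example, not Dovecot's code.  A client cannot ask for a referral; it
can only notice one, which arrives as a [REFERRAL imapurl] response code on
the tagged LOGIN/AUTHENTICATE reply or on an untagged BYE in the banner.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Tagged ("a001 OK ...") or untagged ("* BYE ...") status response, with an
# optional bracketed response code such as [CAPABILITY ...] or [REFERRAL ...].
_STATUS_RE = re.compile(
    r'^(?P<tag>\*|[^ ]+) (?P<status>OK|NO|BAD|BYE|PREAUTH)'
    r'(?: \[(?P<code>[^\]]*)\])?(?: (?P<text>.*))?$')

@dataclass
class StatusResponse:
    tag: str             # "*" for untagged, else the client's command tag
    status: str          # OK / NO / BAD / BYE / PREAUTH
    code: Optional[str]  # contents of the [...] response code, if any
    text: str            # human-readable remainder

def parse_status(line: str) -> Optional[StatusResponse]:
    """Parse one server line; None if it is not a status response."""
    m = _STATUS_RE.match(line.rstrip('\r\n'))
    return StatusResponse(m['tag'], m['status'], m['code'], m['text'] or '') if m else None

def capabilities(resp: StatusResponse) -> List[str]:
    """Capability names carried in a [CAPABILITY ...] code, else []."""
    if resp.code and resp.code.upper().startswith('CAPABILITY '):
        return resp.code.split()[1:]
    return []

def referral_url(resp: StatusResponse) -> Optional[str]:
    """IMAP URL from a [REFERRAL imapurl] code (RFC 2221), else None."""
    if resp.code and resp.code.upper().startswith('REFERRAL '):
        return resp.code.split(None, 1)[1]
    return None

def referral_host(url: str) -> Optional[str]:
    """Host an imap:// referral points at; None if not an IMAP URL (RFC 2192)."""
    parts = urlsplit(url)
    return parts.hostname if parts.scheme.lower() == 'imap' else None  # drops user;AUTH=*

def audit_session(server_lines: List[str], trusted_hosts: List[str]) -> List[str]:
    """Findings for one session's server lines; an empty list is the evidence
    that no referral was issued.  trusted_hosts: servers the operator would
    accept a referral to (normally none)."""
    trusted = {h.lower() for h in trusted_hosts}
    advertised, findings = False, []
    for line in server_lines:
        resp = parse_status(line)
        if resp is None:
            continue
        if 'LOGIN-REFERRALS' in capabilities(resp):
            advertised = True
        url = referral_url(resp)
        if url is None:
            continue
        where = ('untagged ' if resp.tag == '*' else 'tagged ') + resp.status
        host = referral_host(url)
        verdict = ('malformed referral URL %r' % url if host is None
                   else 'referral to ' + host + ('' if host in trusted else ' (untrusted)'))
        findings.append(f'{where}: {verdict}')
        if not advertised:
            # Dropping LOGIN-REFERRALS from CAPABILITY does not stop referrals;
            # a referral that was never advertised is what an injected one looks like.
            findings.append(f'{where}: referral sent without LOGIN-REFERRALS advertised')
    return findings

# Constructed sample sessions (server lines only; not captured traffic).
DOVECOT_DEFAULT = [
    '* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE] Dovecot ready.',
    'a001 OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT] Logged in',
]
HOME_SERVER_REFERRAL = [
    '* OK [CAPABILITY IMAP4rev1 LOGIN-REFERRALS] ready.',
    'a001 NO [REFERRAL imap://alice;AUTH=*@imap2.example.net/] Try imap2 instead.',
]
HIDDEN_BUT_REFERRING = [
    '* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR ID ENABLE IDLE] ready.',
    'a001 NO [REFERRAL imap://alice;AUTH=*@mail.attacker.example/] Try elsewhere.',
]

def live_check(host: str, user: str, password: str, port: int = 993) -> Optional[str]:
    """Log in to a real server over TLS (assumed reachable on port 993) and
    return the referral URL, or None.  imaplib files the [REFERRAL ...] code
    of the tagged reply so that response('REFERRAL') hands it back."""
    import imaplib
    conn = imaplib.IMAP4_SSL(host, port)
    try:
        try:
            conn.login(user, password)
        except imaplib.IMAP4.error:
            pass  # a NO may still carry a referral, which RFC 2221 forbids
        _code, data = conn.response('REFERRAL')
        return data[0].decode() if data and data[0] else None
    finally:
        conn.logout()
```

Run audit_session() over the lines a client logs for a session against your own Dovecot: with no host field in the passdb the result is empty, exactly as for DOVECOT_DEFAULT above, whether or not LOGIN-REFERRALS is in the banner. The HIDDEN_BUT_REFERRING session shows the other half of Timo's point: removing the word from CAPABILITY changes nothing about whether a referral can arrive.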
Please amend the first paragraphs of PasswordDatabase.ExtraFields.Host.txt as follows.

---cut here---
Login referrals are a server-side IMAP4 extension specified by RFC 2221. Their purpose is to redirect clients to a different IMAP4 server in case of hardware failures or organizational changes. No client action is needed to invoke the LOGIN-REFERRALS capability: the redirection is triggered by the server and occurs transparently.

A security consideration is in order. As also stated by RFC 2221, a man-in-the-middle attack may use a rogue 'password catching' server to collect login data and redirect your clients to their own rogue IMAP4 server. Login referrals are not supported by many clients, so you probably don't want to use them anyway.

Dovecot does not use login referrals by default.

[It would be useful at this point if you could add one sentence explaining the purpose of the LOGIN-REFERRALS in the default capabilities banner.]

If you need them, please follow the instructions below.
---cut here---

Thank you.
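As an added example (not from the thread and not the Dovecot project's own documentation) of the passdb condition Timo describes, a passwd-file password database with three users that shows when a referral is and is not produced. The file paths, user names and passwords are made up; the passwd-file column layout user:{SCHEME}password:uid:gid:gecos:home:shell:extra_fields is the one documented for that driver, with the extra fields host and proxy taken from the wiki page quoted above.

```conf
# Added example, not Dovecot's own documentation or configuration.
# Paths, user names and passwords are made up.

# /etc/dovecot/conf.d/10-auth.conf (fragment): a passwd-file password database
passdb {
  driver = passwd-file
  args = /etc/dovecot/users
}

# /etc/dovecot/users, one user per line in the passwd-file layout
#   user:{SCHEME}password:uid:gid:gecos:home:shell:extra_fields
# Only the extra_fields column decides what happens after a successful login.

# No host field: the user is served locally. No referral, no proxying.
# This is the state of every user unless the passdb says otherwise.
alice:{PLAIN}s3cret

# host without proxy: Dovecot answers LOGIN with a login referral pointing
# at imap2.example.net instead of serving the mailbox itself.
bob:{PLAIN}s3cret::::::host=imap2.example.net

# host with proxy=y: Dovecot proxies the session to imap2.example.net itself;
# the client never sees a referral.
carol:{PLAIN}s3cret::::::proxy=y host=imap2.example.net
```

The point of the contrast is the one Timo makes: whether the word LOGIN-REFERRALS appears in capability_banner has no bearing on alice, bob or carol; only the host field, and whether proxy is set next to it, does.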
Participants (2): sb, Timo Sirainen