[Dovecot] Solving CVE-2008-4870

Timo Sirainen tss at iki.fi
Thu Nov 13 15:57:39 EET 2008


On Nov 13, 2008, at 1:03 PM, Michal Hlavinka wrote:

> Hi,
>
> we're trying to solve CVE-2008-4870 = rhbz#436287 = dovecot.conf is  
> world readable - possible password exposure.
>
> This problem seems to be a little more complicated than we thought.
>
> dovecot.conf can contain passphrase for ssl key, which is available  
> for everyone since dovecot.conf has world readable permissions.

Maybe a new separate dovecot-secret.conf? When Dovecot starts up it  
first reads dovecot.conf and after that dovecot-secret.conf. deliver  
wouldn't read dovecot-secret.conf at all.
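As an added example, not code from the thread or from the Dovecot project, here is a small POSIX shell audit for the situation described above: it flags any config file that carries a password setting (such as the Dovecot `ssl_key_password` setting for the SSL key passphrase) while being readable by other users. The directory path it scans and the file names under it are assumptions supplied by the caller.

```shell
#!/bin/sh
# Audit Dovecot config files for secrets that other local users can read.
# Assumptions (not from the thread): the config directory is passed as $1,
# and a "secret-bearing" setting is any top-level key whose name ends in
# "password" (e.g. ssl_key_password), uncommented, in a *.conf file.
# Returns 0 when no world-readable file holds such a setting, 1 otherwise.
audit_dovecot_conf() {
    dir="$1"
    bad=0
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        # Only files that actually contain a password setting matter here.
        if grep -Eq '^[[:space:]]*[a-z_]*password[[:space:]]*=' "$f"; then
            # Octal mode, e.g. 644 (GNU stat) or via the BSD stat fallback.
            perm=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
            # Last octal digit holds the "others" bits; 4 = read.
            others=${perm#"${perm%?}"}
            if [ $((others & 4)) -ne 0 ]; then
                echo "WORLD-READABLE SECRET: $f (mode $perm)"
                bad=1
            fi
        fi
    done
    return $bad
}
```

Running it against a directory where the passphrase lives in a 0600 dovecot-secret.conf and dovecot.conf holds no password setting exits 0, which is the split the reply above proposes.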
