How do we disable LOGIN-REFERRALS? (part 2)

sb serbr at runbox.com
Thu Dec 3 11:46:44 UTC 2015


From /opt/src/dovecot-2.2.19/doc/wiki/PasswordDatabase.ExtraFields.Host.txt
> Login referrals are an IMAP extension specified by RFC 2221
> [http://www.apps.ietf.org/rfc/rfc2221.html]. They're not supported by many
> clients, so you probably don't want to use them normally.
Right.
> The following clients are known to support login referrals:
>
>  * Pine
>  * Outlook (but not Outlook Express)
We use neither.
> Login referrals are used only if the proxy field isn't set.
We want neither LOGIN-REFERRALS nor proxy.

Dovecot's configure includes the following by default:
> capability_banner="IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE"
If the extension is simply hidden from the banner, an attacker could 
still use the extension.

If one removes the string from the banner above, does one merely hide the
extension name in the banner, or also disable the extension's engine?



